################################################################ # ThreatFox IOCs: Suricata rules # # Last updated: 2024-07-02 05:27:20 UTC # # # # Terms Of Use: https://threatfox.abuse.ch/faq/#tos # # For questions please contact threatfox [at] abuse.ch # ################################################################ # alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm5n"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.arm7"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.m68k"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1292271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mips"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.mpsl"; depth:11; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.ppc"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.sh4"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292275; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.spc"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mirai.x86"; depth:10; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.arm"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.arm5n"; depth:14; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/miraint.arm7"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.m68k"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.mips"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.mpsl"; depth:13; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.ppc"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292284/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.sh4"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.spc"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/miraint.x86"; depth:12; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bins.sh"; depth:8; nocase; http.host; content:"93.123.85.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"45.93.200.174"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1292297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292297; rev:1;) alert tcp $HOME_NET any -> [45.93.200.174] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.anordestdiche.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fortnite.cryptoinvest.black"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292018; rev:1;) alert tcp $HOME_NET any -> [91.92.255.163] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_02; classtype:trojan-activity; sid:91292017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"mistasktrin.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292016/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_07_02; classtype:trojan-activity; sid:91292016; rev:1;) alert tcp $HOME_NET any -> [38.6.221.41] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292313; rev:1;) alert tcp $HOME_NET any -> [8.130.119.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292312; rev:1;) alert tcp $HOME_NET any -> [152.136.109.213] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292311; rev:1;) alert tcp $HOME_NET any -> [43.248.188.77] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292310; rev:1;) alert tcp $HOME_NET any -> [43.198.87.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292309; rev:1;) alert tcp $HOME_NET any -> [159.75.164.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292308; rev:1;) alert tcp $HOME_NET any -> [39.100.132.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292307; rev:1;) alert tcp $HOME_NET any -> [8.220.192.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292306; rev:1;) alert tcp $HOME_NET any -> [112.74.95.85] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292305; rev:1;) alert tcp $HOME_NET any -> [47.109.149.105] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292304; rev:1;) alert tcp $HOME_NET any -> [101.43.68.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; 
sid:91292303; rev:1;) alert tcp $HOME_NET any -> [121.37.0.167] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292302; rev:1;) alert tcp $HOME_NET any -> [60.205.144.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292301; rev:1;) alert tcp $HOME_NET any -> [39.101.77.9] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292300; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4a2f3b5b.php"; depth:13; nocase; http.host; content:"a0995213.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_02; classtype:trojan-activity; sid:91292078; rev:1;) alert tcp $HOME_NET any -> [101.33.225.206] 8080 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ci-wiki.cn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"ci-wiki.cn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292073; rev:1;) alert tcp $HOME_NET any -> [181.116.72.52] 5802 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292072; rev:1;) alert tcp $HOME_NET any -> [195.174.240.3] 25 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292071; rev:1;) alert tcp $HOME_NET any -> [137.184.90.144] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292070; rev:1;) alert tcp $HOME_NET any -> [5.163.244.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292069; rev:1;) alert tcp $HOME_NET any -> [185.236.78.56] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292068; rev:1;) alert tcp $HOME_NET any -> [57.128.166.214] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292067; rev:1;) alert tcp $HOME_NET any -> [57.128.166.214] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292066; rev:1;) alert tcp $HOME_NET any -> [65.108.49.36] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292065; rev:1;) alert tcp $HOME_NET any -> [65.108.49.36] 80 (msg:"ThreatFox Rhysida 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292064; rev:1;) alert tcp $HOME_NET any -> [37.59.205.5] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292063; rev:1;) alert tcp $HOME_NET any -> [37.59.205.5] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292062; rev:1;) alert tcp $HOME_NET any -> [78.47.60.67] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292061; rev:1;) alert tcp $HOME_NET any -> [78.47.60.67] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292060; rev:1;) alert tcp $HOME_NET any -> [5.161.252.127] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91292059; rev:1;) alert tcp $HOME_NET any -> [5.161.252.127] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292058; rev:1;) alert tcp $HOME_NET any -> [216.74.123.41] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292057; rev:1;) alert tcp $HOME_NET any -> [216.74.123.41] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292056; rev:1;) alert tcp $HOME_NET any -> [185.216.144.51] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292054; rev:1;) alert tcp $HOME_NET any -> [185.216.144.51] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292055; rev:1;) alert tcp $HOME_NET any -> [159.100.6.103] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292053/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292053; rev:1;) alert tcp $HOME_NET any -> [159.100.6.103] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292052; rev:1;) alert tcp $HOME_NET any -> [85.239.53.94] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292050; rev:1;) alert tcp $HOME_NET any -> [85.239.53.94] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292051; rev:1;) alert tcp $HOME_NET any -> [51.89.137.8] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292049; rev:1;) alert tcp $HOME_NET any -> [51.89.137.8] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292048; rev:1;) alert tcp $HOME_NET any -> [51.68.216.13] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292047; rev:1;) alert tcp $HOME_NET any -> [51.68.216.13] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292046; rev:1;) alert tcp $HOME_NET any -> [139.64.133.194] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292044; rev:1;) alert tcp $HOME_NET any -> [139.64.133.194] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292045; rev:1;) alert tcp $HOME_NET any -> [173.46.80.206] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292043; rev:1;) alert tcp $HOME_NET any -> [173.46.80.206] 443 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292042; rev:1;) alert tcp $HOME_NET any -> [109.176.207.22] 443 
(msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292040; rev:1;)
alert tcp $HOME_NET any -> [109.176.207.22] 80 (msg:"ThreatFox Rhysida botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292041; rev:1;)
# "Unknown malware" at 50%: the rule carries no protocol or payload match, so this is a bare
# ip:port watch on 7443/tcp with no attribution. Treat a hit as a lead to pivot on, not a verdict.
alert tcp $HOME_NET any -> [139.59.86.97] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292039; rev:1;)
# Brute Ratel C4 on plain port 80 at 50% confidence. NOTE(review): the address looks like it sits
# in public-cloud space; such IPs get reassigned quickly, so confirm the ThreatFox reference is
# still current before acting on an alert, and do not block on this rule alone.
alert tcp $HOME_NET any -> [13.112.130.229] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292038; rev:1;)
# RedLine Stealer C2 on a high, non-standard port (54251) at 100% confidence: an outbound
# connection to this ip:port from a workstation has little benign explanation and is worth an
# immediate host triage of the source (target:src_ip marks the client as the affected asset).
alert tcp $HOME_NET any -> [147.185.221.20] 54251 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292037; rev:1;)
# Cobalt Strike C2 on 443 at 100% confidence. The traffic is TLS, so no content rule can see the
# beacon itself; this ip:port watch (and the TLS SNI/JA3 if you log them) is the only signal.
alert tcp $HOME_NET any -> [193.187.173.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292036/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292036; rev:1;)
# URL indicator for heart-direct.online. The URI `/jquery-3.3.1.min.js` is a path any legitimate
# site may serve; what makes this rule specific is the exact Host match (depth + isdataat:!1
# pins the header to exactly "heart-direct.online"), so do not loosen the host part. Because this
# is `alert http`, it only sees cleartext HTTP; the DNS rule below is the companion that still
# fires when the same host is contacted over TLS. `http.method; content:"GET"` means a POST to the
# same URL is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"heart-direct.online"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292034; rev:1;)
# DNS query indicator. depth:19 anchors the content at offset 0 of the query name and
# isdataat:!1,relative requires it to end there, so this is an exact FQDN match: a lookup for
# www.heart-direct.online or any other subdomain does NOT fire. If clients resolve through an
# internal recursive resolver, the query on the wire comes from the resolver and target:src_ip
# will name the resolver, not the infected client; place the sensor client-side of the resolver
# or pivot to resolver logs for attribution.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heart-direct.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292035; rev:1;)
# The URI content "/ca" with depth:3 and no isdataat is a prefix match: any request whose path
# starts with /ca (/ca, /cart, /catalog, ...) to a Host header of exactly the IP literal
# 79.124.40.106 triggers. The IP-literal Host is the real discriminator here; a browser reaching
# the same server through a hostname would not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292033; rev:1;)
# 75% confidence URL indicator; same exact-host / prefix-URI structure as above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bally/fre.php"; depth:14; nocase; http.host; content:"dashboardproducts.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91292032; rev:1;)
alert tcp $HOME_NET any -> [62.119.81.101] 58573 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292031; rev:1;)
# AsyncRAT C2 ip:port indicators at 50% confidence on non-standard ports (6006, 3333, 6000).
# No flow or payload keyword: any packet from $HOME_NET to the ip:port fires, thresholded to one
# alert per source per 60 s. With no content match the rule cannot distinguish an AsyncRAT
# session from a scan or a misdirected connection, so validate a hit against the host before
# escalating; the 50% confidence is the submitter's, not the rule's.
alert tcp $HOME_NET any -> [94.156.64.188] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292030; rev:1;)
alert tcp $HOME_NET any -> [51.81.24.83] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292029; rev:1;)
alert tcp $HOME_NET any -> [54.255.147.4] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292028; rev:1;)
# URL indicator with a 59-byte URI matched at depth:59, i.e. the full path is required (a
# one-character change in the filename defeats it), plus an exact Host match on
# offsetupdater.top. As with every `alert http` rule here, only cleartext HTTP is inspected.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepython_processgamemultiwindowsgeneratordatalifedle.php"; depth:59; nocase; http.host; content:"offsetupdater.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292027; rev:1;)
# RedLine Stealer C2 at 100% confidence on 7847/tcp; an outbound hit warrants host triage.
alert tcp $HOME_NET any -> [147.124.209.128] 7847 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1292026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292026; rev:1;) alert tcp $HOME_NET any -> [91.92.242.81] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292025; rev:1;) alert tcp $HOME_NET any -> [78.166.52.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292024; rev:1;) alert tcp $HOME_NET any -> [74.214.59.50] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292023; rev:1;) alert tcp $HOME_NET any -> [189.140.37.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292022; rev:1;) alert tcp $HOME_NET any -> [18.163.129.171] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292021; rev:1;) alert tcp $HOME_NET any -> [185.236.78.56] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292020; rev:1;) alert tcp $HOME_NET any -> [128.14.237.188] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91292019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/private/asyncrequestprotect/apiuniversal/http1/datalife/linuxuploads/protect/datalifeupdatephplocal/base0/linuxbigload/python/basesqlline/update8/protectasyncprivatetemptemporary.php"; depth:183; nocase; http.host; content:"185.177.59.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292015; rev:1;) alert tcp $HOME_NET any -> [103.144.139.160] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292014/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"brithcaymo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292006/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292006; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"ernofilosta.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292007/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"lofirenqveg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292008/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"manclinoste.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292009/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"prodetanoes.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292010/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"prufkespotr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292011/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"shopboksret.com"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292012/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"trymeakafr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292013/; target:src_ip; metadata: confidence_level 85, first_seen 2024_07_01; classtype:trojan-activity; sid:91292013; rev:1;) alert tcp $HOME_NET any -> [94.156.79.13] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91292005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmfaololxdlmfaolmfao.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1292004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"joeyrichl.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"beetrootculture.com"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291997; rev:1;) alert tcp $HOME_NET any -> [80.85.154.121] 1980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegetachcnc.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291769; rev:1;) alert tcp $HOME_NET any -> [107.173.4.18] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291770; rev:1;)
# NOTE(review): this rule tests the hostname "webman.w3school.cloudns.nz" against http.uri with
# depth:26, i.e. the request-target must BEGIN with the hostname. An ordinary origin-form request
# starts with "/", so as written this appears to match only absolute-form (proxy-style)
# request-targets, and there is no http.host check at all. If the intent is to catch any request
# to that host, an `http.host; content:"webman.w3school.cloudns.nz"; depth:26; isdataat:!1,relative;`
# variant is what the other URL rules in this feed use - confirm against the IOC before editing.
# Confidence is only 49%.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"webman.w3school.cloudns.nz"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1291751/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_01; classtype:trojan-activity; sid:91291751; rev:1;)
# Remcos C2 on 2556/tcp, 100% confidence. 107.173.4.18 is listed on the same port elsewhere in
# this feed, so consider a port-based pivot across both IPs when investigating a hit.
alert tcp $HOME_NET any -> [173.255.204.62] 2556 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291771; rev:1;)
# Exact-FQDN DNS query match for propertyclosings.com (depth anchors at offset 0, isdataat:!1
# requires the name to end there), so subdomain lookups do not fire. With an internal recursive
# resolver the query source - and therefore target:src_ip - is the resolver, not the client.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"propertyclosings.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291789; rev:1;)
# Payload-delivery URL on propertyclosings.com. The same /cdn-vs/ path set (cache.php,
# original.js, 33per.php) is listed for beetrootculture.com elsewhere in this feed, which
# suggests one kit on several compromised hosts; a host-agnostic `/cdn-vs/33per.php` rule would
# generalise this, at the cost of the per-IOC reference - decide per environment.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"propertyclosings.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/vldqvwysjm0bkvt1dmtty9ne54urfdvg3s-h6mqd4xox"; depth:45; nocase; http.host; content:"speedchaoptimise.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"speedchaoptimise.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frontendcodingtips.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tppen-op.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291991; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 39182 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gard-ner-toyota.com"; depth:19; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1291993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291993; rev:1;) alert tcp $HOME_NET any -> [185.68.93.221] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"daslkjfhi2.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"beetrootculture.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"beetrootculture.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; 
content:"beetrootculture.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1292000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292000; rev:1;) alert tcp $HOME_NET any -> [185.29.9.108] 15135 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292003; rev:1;) alert tcp $HOME_NET any -> [196.65.173.92] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292002; rev:1;) alert tcp $HOME_NET any -> [172.232.164.13] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1292001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91292001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tojavascriptpollcpupublicprivate.php"; depth:37; nocase; http.host; content:"054717cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291792; rev:1;) alert tcp $HOME_NET any -> [77.221.153.197] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1291787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291787; rev:1;)
# Cluster of DNS query indicators tagged "payload delivery", 100% confidence. Every rule is an
# exact-FQDN match (depth anchored at offset 0, isdataat:!1,relative forbids anything after it),
# so `login.zug-login.com` or any other subdomain of these names will NOT trigger; if the
# reference shows subdomain use, drop the depth/isdataat anchoring in a local copy with a new sid.
# The names (zug-login, agovaccess-ch, b2cidp-*, eportal-*) read like login-portal lookalikes -
# presumably credential-phishing infrastructure, but that is not something the rule establishes;
# check the ThreatFox entry. With an internal recursive resolver the on-wire query comes from the
# resolver, so target:src_ip names the resolver rather than the client that asked.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zug-login.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291785; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agovaccess-ch.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291775; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b2cidp-mobilier.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eportal-be.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291777; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eportal-bs.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finanzportal-vermogenzsentrum.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"finanzportal-vermogenzsentrum.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"getgrammerly.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"loginzug.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"portals-swisslife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"sso-geneveid.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291784; rev:1;) alert tcp $HOME_NET any -> [186.2.171.54] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4065b26.php"; depth:13; nocase; http.host; content:"a1000048.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291773; rev:1;) alert tcp $HOME_NET any -> [57.129.38.73] 41038 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291772; rev:1;) alert tcp $HOME_NET any -> [206.238.43.211] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.seo7sry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.showroomilgiornodopo.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.retromad1.ro"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.laofix.com.tr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.nsaservices.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291764/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.eshaqlaw.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.japanbangladeshhospital.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.dipankardey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.diasecampos.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291758; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.dilagosburguer.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.agauto.co.ke"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"pipp.debellis.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.superdreadi.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/agov/"; depth:6; nocase; http.host; content:"panda.tafca.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.lojaniq.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.sixfibras.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.laofix.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.dilagosburguer.com.br"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291748/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.japanbangladeshhospital.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.xpresscard.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"panda.creativeeventsbd.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.top2stay.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.tracymasonmedia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.thirtyline.com.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.srprof.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.superanimalpet.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; 
depth:6; nocase; http.host; content:"newscp.sc3bhgr7781.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.slagveld.co.za"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sc1dsnb7288.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sc1tmtd4794.universe.wf"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.savannah.sd"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291736/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sacs.ec"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.sagarsprings.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.roborave.mx"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.romalogistics.com.pe"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.posdata-si.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.ranasariagroup.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.officialrtv.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.myindiamall.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; 
nocase; http.host; content:"newscp.nextsol.com.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.laboratoriomacruzfarma.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.machaquila.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.junoindia.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.kashier365.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291724/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.inncomex.com.mx"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.janeladedramaturgia.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hotelultimafrontiera.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hchemical.sd"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.hospitaldesanluis.com.co"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.geliankft.hu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.grupomv.com.py"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.entreprisesdavenir.fr"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; 
depth:6; nocase; http.host; content:"newscp.geber.com.mx"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.dolphinmanagement.ro"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.ebitan.com.bd"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.debambu.es"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.colbiomor.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291709/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.contechprojects.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.bariel.co.id"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.cgsbim.cl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.area14st.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.atiliomarola.com.ar"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.arabic.du.ac.bd"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.academicindia.in"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.allkemie.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcp.urunstand.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newscp.aaptiroots.in"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.termomecconsultoria.com.br"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.thebestbodrumtemizlik.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.sosgestion.com.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291696/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.techcube.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.smartlabor.it"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.recubplast.com.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.seo7sry.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wychelmconnect.com.ng"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.qadricaterers.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wecarefamilydentistry.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.wpsuperlink.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; 
http.host; content:"newcpp.vanguardaamazonense.com.br"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.uns-kikaku.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.upvs.com.ng"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.themavvel.co.ke"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tracymasonmedia.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291685/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.techtrust.pt"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tecsoluciones.com.pe"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.tabledemassagepliante.fr"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.stayeasyplus.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.streakk.com.ng"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.smartzone.sa"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.spiegelenergy.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.scotiaperu.pe"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; 
nocase; http.host; content:"newcpp.seguroautoagora.com.br"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.saamtrek.co.za"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.sbtabriz.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.recettecuisinegastronomie.fr"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.quantum-ev.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291670/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.quasar.sa"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.princekushwaha.com.np"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.payall.com.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.powerunits.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ontrace.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.park-systems.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nonisec.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nonisec.com.ar"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcp.pnmls.cd"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.natroglobal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.news.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.musamwaky.co.tz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.nationaltemps.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291659/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_01; classtype:trojan-activity; sid:91291659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.moralesalducin.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.movie.co.tz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.moimoveis.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.meadvilleorthodontics.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.medicalmedia.com.mx"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.mahtokitchencare.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.levinesolutions.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ludotenis.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcpp.lacitavilla.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.kgcdiary.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ktktech.my.id"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.inversionesllort.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.isabelaayrosa.adv.br"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291646/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.imcbgten4.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.hotel.co.tz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.ilutex.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.gridedgenews.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.harmonyvillage.gr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.fridaybd.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.gridedge.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faybd.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcpp.faforon.com.ng"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.fatp.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faforlife.com.ng"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.faforon.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dungnguyenarchi.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291631/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_01; classtype:trojan-activity; sid:91291631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.embassydevelopments.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dktravel.com.ec"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dsts-immigration.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.dilagosburguer.com.br"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.damaskin.ro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.danmartin.ro"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.confidable.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.credencewatches.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcpp.casamagdalenapublicidad.com.co"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.cncmorelos.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.billionairesestate.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.bocadosdeamor.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.banjarkode.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291619/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.aurespa.ca"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.balebuku.my.id"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.altaymediaalbania.org"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.apa.ba"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.almoajel.sa"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.afrokulchagroup.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.afrokulchatravel.co.za"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.activelifemd.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcpp.afrokulcha.co.za"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.3dsurf.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.abrakadabra.com.pe"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.olivrodapatria.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcpp.1ihost.com.br"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291607/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_01; classtype:trojan-activity; sid:91291607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.oiltanker.com.ng"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.liderford.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.lourencoviajante.pt"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.japeto.ro"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.jcgama.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.icredes.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.iluminate.com.mx"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.hypercctv.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.grid-edge.com.au"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.gridedgenews.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.gaziemircicekciler.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ghdemo.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.frederic-monereau.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; 
classtype:trojan-activity; sid:91291593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.dominantlegaltrans.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.essentemizlik.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.coliturcusco.com.pe"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.departamentosenpueblolibre.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.bitezeventwedding.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.atlasfizyoterapi.com.tr"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.aurejewelry.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ankarasevkattesisat.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"newcp.americansports.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"newcp.ankaracilingirci.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.sulmov.com.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.trujilloserrano.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.sscmcc.cl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291580/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.promoveazaonline.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.smartfuture.co.za"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.proexcon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.nextsol.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.planamoveis.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.myportfolio.com.co"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.institutointei.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.millennialstourandtravel.co.ke"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; 
http.host; content:"dibbadu.geofieldp.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.dolphinmanagement.ro"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.evergraphics.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.ciptransfer.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.caelectrons.com.br"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291566/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.carboneralabanda.com.co"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.arkaconstructores.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.worldcup.co.tz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"dibbadu.absoluteitbd.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wocrimestoppers.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wheelsofwilliamsport.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wheelsofwilliamsport.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.wegolions.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; 
depth:6; nocase; http.host; content:"bp.watertownctlions.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.trueearthchanges.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.video.co.tz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.sygenpharma.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.tdsorsta.ro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291555/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.stasy-union.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.seo7sry.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.shivaagorealty.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.segurobligatorio.pro"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.saleseconomic.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.sc1jtfu9765.universe.wf"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.riscasvicosas.pt"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.rafikidodomahotel.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; 
content:"bp.richardobenton.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.petersparre.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.niceguyrebrands.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.paltouchsystems.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.news.co.tz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291541/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_07_01; classtype:trojan-activity; sid:91291541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.natenrjs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.nationalbeatpoetryfoundation.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.myindiamall.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.moimoveis.com.br"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.movie.co.tz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.mibenditoadolescente.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.marthareingold.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.mgcsw.gov.ss"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.littleleafstudio.co.uk"; depth:25; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.lyctechnologies.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.linenessentials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.kidsightusa.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.killerworkdev.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.kgcdiary.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.isap-union.gr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.jpxhelmet.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.innovatalks.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fursforus.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.hotelultimafrontiera.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fortclean.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.fatp.co.tz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.flyingdonvstg.franciaim.net"; depth:30; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.emporioecuador.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.easthartfordinterfaith.org"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.edgenetworks.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.dumbeg.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291515; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.davidliving.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.dieterforjudge.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.ctvidamelhor.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.celebratebloomfield.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.celloxwatches.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.car.co.tz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.brankenattorneys.co.tz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.cairnhillwatches.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.blogcanadiense.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291506/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.appoemn.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.bernard-bourcy.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.aminadabelago.com.br"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.afrokulchagroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.americansports.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.absolutairarcondicionado.com.br"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.weltpropiedades.cl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bp.4dpayme.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; 
depth:6; nocase; http.host; content:"bitp.tilakhighfiji.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.tami8849.odns.fr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.tiedyeromania.ro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.sviat21.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.siupk.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291492/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.smslogin.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.raagifts.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.quasar.sa"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.quick-eg.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.pouradhwani.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.phrapitta.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.pisuka.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.ontech.co.zm"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.nwg.com.pk"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.olivrodapatria.online"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.navihost.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.idealindustryltd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.kkenterprises.pk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; 
classtype:trojan-activity; sid:91291481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.htechs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.heavenconstruction.pk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.heavenmarketing.pk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.hapa5387.odns.fr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.fromagetambourin.fr"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.grantindonesia.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.ebibote.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.clementinasketchbook.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.dicoar.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.blueroselb.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.vendotuttonline.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.vissnatech.ir"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.toel4298.odns.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; 
sid:91291466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.avansisgroup.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.tigercampcorbett.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.soltita.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.tatlibuketi.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.socialobserver.in"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.sarshipping.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.smsfi.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.remoteprints.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.professoranagida.online"; depth:29; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.pta-greece.gr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.planethair.gr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.owanbefood.com.ng"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.palms77hotel.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291455; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.newestrealty.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.nationaltemps.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.neebs.edu.np"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mydreamsltd.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.miogatto.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.moralesalducin.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mejoresconsejosvida.online"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alkareemimport.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.mathinmaps.net"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alan.my"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitp.alamri-ip.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.innovatalks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.jcaisse-dev.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291442; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.hostpinas.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.elshamel.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.guptavedika.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.eamarseba.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; 
depth:6; nocase; http.host; content:"bitpa.dogfestival.gr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.drcaraccessories.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.dctcbd.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.desipolska.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.combienemetmonargent.info"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291432/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bicoman.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.casamagdalenapublicidad.com.co"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bghbd.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.beautifulbooze.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.bariel.co.id"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.athleticshub.co.uk"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.babajani.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; http.host; content:"bitpa.artemilenario.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/"; depth:6; nocase; 
http.host; content:"bitpa.ananyajain.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291423; rev:1;) alert tcp $HOME_NET any -> [195.50.242.110] 8080 (msg:"ThreatFox HOTCROISSANT botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291420/; target:src_ip; metadata: confidence_level 49, first_seen 2024_07_01; classtype:trojan-activity; sid:91291420; rev:1;) alert tcp $HOME_NET any -> [147.45.44.12] 13830 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a17861b9cb6f1a53.php"; depth:21; nocase; http.host; content:"147.45.78.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291422; rev:1;) alert tcp $HOME_NET any -> [93.188.122.139] 4433 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291419; rev:1;) alert tcp $HOME_NET any -> [83.48.66.207] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1291418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291418; rev:1;) alert tcp $HOME_NET any -> [198.244.197.118] 9443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291417; rev:1;) alert tcp $HOME_NET any -> [2.139.253.110] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291416; rev:1;) alert tcp $HOME_NET any -> [186.225.10.251] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291415; rev:1;) alert tcp $HOME_NET any -> [206.210.123.104] 8888 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291414; rev:1;) alert tcp $HOME_NET any -> [95.189.100.119] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291413; rev:1;) alert 
tcp $HOME_NET any -> [179.159.167.251] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291412; rev:1;) alert tcp $HOME_NET any -> [61.96.204.117] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291411; rev:1;) alert tcp $HOME_NET any -> [185.23.192.33] 444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291410; rev:1;) alert tcp $HOME_NET any -> [2.136.235.200] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291409; rev:1;) alert tcp $HOME_NET any -> [103.237.87.159] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291408; rev:1;) alert tcp $HOME_NET any -> [200.152.101.176] 9090 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1291407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291407; rev:1;) alert tcp $HOME_NET any -> [186.236.112.114] 3085 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291406; rev:1;) alert tcp $HOME_NET any -> [93.232.107.227] 82 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291405; rev:1;) alert tcp $HOME_NET any -> [93.232.107.227] 81 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291404; rev:1;) alert tcp $HOME_NET any -> [200.243.0.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291403; rev:1;) alert tcp $HOME_NET any -> [62.156.170.137] 1111 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291402; rev:1;) alert tcp 
$HOME_NET any -> [212.170.14.98] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291401; rev:1;) alert tcp $HOME_NET any -> [189.115.194.186] 9990 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291400; rev:1;) alert tcp $HOME_NET any -> [101.108.13.204] 7443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291399; rev:1;) alert tcp $HOME_NET any -> [200.180.67.154] 9444 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291398; rev:1;) alert tcp $HOME_NET any -> [210.249.114.153] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291397; rev:1;) alert tcp $HOME_NET any -> [178.188.188.212] 5500 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291396; rev:1;) alert tcp $HOME_NET any -> [39.40.167.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291395; rev:1;) alert tcp $HOME_NET any -> [85.215.215.94] 41057 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291394; rev:1;) alert tcp $HOME_NET any -> [75.2.71.143] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291393; rev:1;) alert tcp $HOME_NET any -> [35.220.201.119] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291392; rev:1;) alert tcp $HOME_NET any -> [82.153.138.128] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291391; rev:1;) alert tcp $HOME_NET any -> [94.237.59.129] 30570 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291390; rev:1;) alert tcp $HOME_NET any -> [94.237.59.129] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"cx5519.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"office-techs.biz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"gebeus.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; 
classtype:trojan-activity; sid:91291386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"evilos.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cx5519.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evilos.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gebeus.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office-techs.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291384; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.clinicachirurgie3.ro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asdaryder.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.colourful-decor.be"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mch.html"; depth:9; nocase; http.host; content:"anmon.name"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anmon.name"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1291357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"indepahote.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"movegomove.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291377; rev:1;) alert tcp $HOME_NET any -> [62.173.141.99] 139 (msg:"ThreatFox QakBot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291378; rev:1;) alert tcp $HOME_NET any -> [62.173.141.99] 445 (msg:"ThreatFox QakBot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291379; rev:1;) alert tcp $HOME_NET any -> [103.237.87.40] 1993 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291374; rev:1;) alert tcp $HOME_NET any -> [116.205.233.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291373; rev:1;) alert tcp $HOME_NET any -> [159.75.110.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291371/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_01; classtype:trojan-activity; sid:91291371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.22.152.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"64.7.198.173"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.140.200.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.91.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"54.237.218.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"112.126.85.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1291362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.198.247.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291358; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcvcf.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"padrf.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kdmapper.exe"; depth:13; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log1.exe"; depth:9; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/log2.exe"; depth:9; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291348/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spoofer.sys"; depth:12; nocase; http.host; content:"213.238.177.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291349; rev:1;) alert tcp $HOME_NET any -> [136.243.111.71] 20001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291345; rev:1;) alert tcp $HOME_NET any -> [157.20.182.5] 9898 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291344; rev:1;) alert tcp $HOME_NET any -> [94.156.64.188] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291342; rev:1;) alert tcp $HOME_NET any -> [94.156.64.188] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291343; rev:1;) alert tcp $HOME_NET any -> [185.223.77.217] 
80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291341; rev:1;) alert tcp $HOME_NET any -> [47.98.177.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291340; rev:1;) alert tcp $HOME_NET any -> [196.77.36.25] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291339; rev:1;) alert tcp $HOME_NET any -> [91.92.241.103] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291338; rev:1;) alert tcp $HOME_NET any -> [83.220.172.119] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291337; rev:1;) alert tcp $HOME_NET any -> [159.223.0.196] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291336/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291336; rev:1;) alert tcp $HOME_NET any -> [107.172.78.188] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291335; rev:1;) alert tcp $HOME_NET any -> [18.210.161.224] 3436 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291281; rev:1;) alert tcp $HOME_NET any -> [104.243.242.166] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"googledocs.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291283; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 22517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"provided-existence.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291285; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 37993 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"them-recommended.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291287; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 50199 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291288; rev:1;) alert tcp $HOME_NET any -> [4.185.56.82] 42687 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291290; rev:1;) alert tcp $HOME_NET any -> [144.172.122.232] 20131 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291291/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291291; rev:1;) alert tcp $HOME_NET any -> [195.189.227.105] 48367 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291301; rev:1;) alert tcp $HOME_NET any -> [15.204.88.244] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291305/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291311; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291299/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291299; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291300; rev:1;) alert tcp $HOME_NET any -> [103.162.20.166] 3007 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291298/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291298; rev:1;) alert tcp $HOME_NET any -> [39.99.34.125] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291313/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_07_01; classtype:trojan-activity; sid:91291313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"37.156.29.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291318; rev:1;) alert tcp $HOME_NET any -> [37.156.29.141] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_01; classtype:trojan-activity; sid:91291319; rev:1;) alert tcp $HOME_NET any -> [77.105.135.107] 3445 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot7095863454:aafghbqqjxy7rfzi0ct99qzpvrwqpki6r1a/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291324; rev:1;) alert tcp $HOME_NET any -> [5.161.190.139] 8732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291333; rev:1;) alert tcp $HOME_NET any -> [154.211.98.3] 
1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291332; rev:1;)
# ---------------------------------------------------------------------------
# Reading the rules below. Every sid in this feed is "9" followed by the
# ThreatFox IOC id, and reference:url points at that IOC record. target:src_ip
# tells Suricata the $HOME_NET side is the victim; the metadata
# confidence_level mirrors the percentage shown in msg.
#
# ip:port rules ("alert tcp $HOME_NET any -> [ip] port"): there is no flow and
#   no content keyword, so any TCP packet from $HOME_NET to that ip:port fires,
#   including a lone SYN from a scanner or a misrouted client. The threshold
#   keyword (type limit, track by_src, seconds 60, count 1) caps this at one
#   alert per source host per 60 seconds.
# domain rules (dns_query): depth equals the name length and
#   isdataat:!1,relative forbids trailing bytes, so only the exact query name
#   matches; a subdomain needs its own rule (see nightciows.com,
#   kr.nightciows.com and co.kr.nightciows.com further down).
# url rules (http.uri / http.host): established GET requests whose URI starts
#   with the listed path (depth = path length, nothing anchors the end) and
#   whose Host value is exactly the listed string. A path of "/" therefore
#   matches every GET sent to that host.
# ---------------------------------------------------------------------------
alert tcp $HOME_NET any -> [58.87.103.109] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291331; rev:1;)
alert tcp $HOME_NET any -> [141.98.10.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291330; rev:1;)
alert tcp $HOME_NET any -> [121.40.117.196] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291329; rev:1;)
alert tcp $HOME_NET any -> [159.75.169.189] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291328; rev:1;)
alert tcp $HOME_NET any -> [123.207.5.253] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291327; rev:1;)
alert tcp $HOME_NET any -> [45.148.120.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291326; rev:1;)
alert tcp $HOME_NET any -> [123.56.153.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291325; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.93] 2973 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cd40479.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux03/8/externaleternaltophpjsrequestservertrafficuniversaldatalife.php"; depth:74; nocase; http.host; content:"62.109.22.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpflowergenerator.php"; depth:23; nocase; http.host; content:"000366cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291309; rev:1;)
# 110.41.14.58 appears twice: as a 75%-confidence url rule and as a
# 100%-confidence ip:port rule on 7931. A GET to it can raise both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cskaocncansodf44s65d4f.jpg"; depth:27; nocase; http.host; content:"110.41.14.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_07_01; classtype:trojan-activity; sid:91291308; rev:1;)
alert tcp $HOME_NET any -> [110.41.14.58] 7931 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verchk/verchk_"; depth:15; nocase; http.host; content:"43.143.58.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291306; rev:1;)
alert tcp $HOME_NET any -> [79.110.62.113] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291304; rev:1;)
alert tcp $HOME_NET any -> [196.65.155.135] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_07_01; classtype:trojan-activity; sid:91291303; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.35] 5607 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291302; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"londopas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291297/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berjimek.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291296/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291296; rev:1;)
# NjRAT: four hosts on the same port (19060).
alert tcp $HOME_NET any -> [3.125.223.134] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291295; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291294; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291293; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 19060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tydyjtdfjhtf.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291289; rev:1;)
# Vidar cluster (sids 91291254-91291280): each host is covered three ways -
# a domain rule on the DNS name, ip:port rules (443 and 9000 on the Hetzner
# addresses, 80 on 77.221.158.54) and a "/" url rule on the same host value.
# One beacon can therefore produce a DNS alert, an ip:port alert and a url
# alert; correlate on the client address rather than counting alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kaylen.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ymuren.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corysy.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soterios.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291280; rev:1;)
alert tcp $HOME_NET any -> [128.140.53.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291270; rev:1;)
alert tcp $HOME_NET any -> [128.140.53.5] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291271; rev:1;)
alert tcp $HOME_NET any -> [168.119.118.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291272; rev:1;)
alert tcp $HOME_NET any -> [168.119.118.92] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291273; rev:1;)
alert tcp $HOME_NET any -> [77.221.158.54] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kotawa.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291275; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliszon.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soterios.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291266; rev:1;)
alert tcp $HOME_NET any -> [195.201.251.214] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291267; rev:1;)
alert tcp $HOME_NET any -> [195.201.251.214] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291268; rev:1;)
alert tcp $HOME_NET any -> [65.109.243.105] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"corysy.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ymuren.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kaylen.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.221.158.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aliszon.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kotawa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291260; rev:1;)
# NOTE(review): the next four url rules are two pairs with byte-identical
# match logic (sids 91291259/91291258 for 168.119.118.92, 91291257/91291256
# for 128.140.53.5). They come from distinct ThreatFox IOC records -
# presumably URLs that differ only in scheme or port, which an http.host
# match cannot tell apart; confirm via the reference URLs. As written, one
# matching request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.118.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.118.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.53.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.53.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291254; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.chinacec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-apis/"; depth:12; nocase; http.host; content:"api.chinacec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291252; rev:1;)
# confidence_level 50 from here through sid 91291243: ThreatFox rates these
# lower than the rules above, and all of them are payload-less ip:port
# matches. Two sit on common service ports (197.0.49.10:80, 91.151.89.25:80,
# 65.109.183.189:443), so review them before letting them drive blocking.
alert tcp $HOME_NET any -> [94.156.69.27] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291250/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291250; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.27] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291251; rev:1;)
alert tcp $HOME_NET any -> [136.243.111.71] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291249/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291249; rev:1;)
alert tcp $HOME_NET any -> [197.0.49.10] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291248/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291248; rev:1;)
alert tcp $HOME_NET any -> [91.151.89.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291247/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291247; rev:1;)
alert tcp $HOME_NET any -> [152.32.172.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291246; rev:1;)
alert tcp $HOME_NET any -> [124.220.222.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291245; rev:1;)
alert tcp $HOME_NET any -> [65.109.183.189] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291244; rev:1;)
alert tcp $HOME_NET any -> [36.131.128.111] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291243; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspollcpuupdategamelongpollsqltestdletemporary.php"; depth:51; nocase; http.host; content:"89.23.97.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291242; rev:1;)
alert tcp $HOME_NET any -> [51.195.206.227] 38719 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291241; rev:1;)
# The domain rules from here on (IOC ids 1291021-1291077) are clusters of
# near-identical spellings: nightciows / nightcirows, mod?e.network,
# jito?.network, chainli(r)st(r), dedus(i)t, aerodirome / aerodromr /
# aerodomc and so on. They look like lookalike-domain registrations, but the
# feed does not say so - check the IOC records before treating them as one
# campaign. Because each rule is an exact-name match, every spelling and
# every subdomain level (e.g. io.dedusit.io vs dedusit.io) needs its own rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poliyhedira.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291058; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nightciows.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291056; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nightcirows.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291057; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modoe.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291054; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network.polyhedrao.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291055; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modeu.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modew.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291052; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modne.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291053; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.chainlirst.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291050; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitou.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291047; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitoz.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291048; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kr.nightciows.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291049; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitco.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jitot.network"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291046; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance.aerodirome.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291043; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"io.dedusit.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291044; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlirst.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaimlstr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlirstr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291031; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chainlistr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291032; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chairnlirst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291033; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chairnlist.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"co.kr.nightciows.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dediust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedlust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedrust.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291038; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedusit.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291039; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedusit.io"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291040; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dedust.io.dedusit.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ere.yesis-store.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291042; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodrome.finance.aerodirome.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodromr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291027; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chaimlistr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodomc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodomr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodirome.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodiromr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerodiomc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291021; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyu.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"seeditfyr.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfyi.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seeditfym.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1291074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiur.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiuu.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291068; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiue.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiui.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydiul.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raydima.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhedra.network.polyhedrao.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"polyhedrao.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhedrao.network"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polyhiadira.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stream.pascalsoftware.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sitemaps.chainlistr.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"specialdrilling38.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1291080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synflntues.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synfntueis.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nsafabole.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synfntuies.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sanchezandmore.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291086/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; 
classtype:trojan-activity; sid:91291086; rev:1;) alert tcp $HOME_NET any -> [94.103.83.129] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291087; rev:1;) alert tcp $HOME_NET any -> [77.238.242.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291088; rev:1;) alert tcp $HOME_NET any -> [78.153.139.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77-220-212-71.netherlands-2.vps.ac"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291095; rev:1;) alert tcp $HOME_NET any -> [176.57.212.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291096; rev:1;) alert tcp $HOME_NET any -> [89.116.110.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291097; rev:1;) alert tcp $HOME_NET any -> [94.158.244.72] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291138; rev:1;) alert tcp $HOME_NET any -> [108.170.52.131] 13587 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-wave-contracts-legal-considerations-implications"; depth:63; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"82-147-85-159.networktube.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291020; rev:1;) alert tcp $HOME_NET any -> [198.7.114.191] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"boats.cloudboats.vip"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291016; rev:1;) alert tcp $HOME_NET any -> [84.32.41.112] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291101/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_30; classtype:trojan-activity; sid:91291101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000383.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalimagevmrequestlongpollsqldblocal.php"; depth:45; nocase; http.host; content:"228282cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternallinephprequestsecurepacketprocessauthwordpress.php"; depth:66; nocase; http.host; content:"445798cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.149.236.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.109.186.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"47.94.42.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291092; rev:1;) alert tcp $HOME_NET any -> [124.222.91.4] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1291091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.nbch1na.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/74e37122.php"; depth:13; nocase; http.host; content:"a0999045.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291019; rev:1;) alert tcp $HOME_NET any -> [77.91.77.82] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91291018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"mortilove9.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291017; rev:1;) alert tcp $HOME_NET any -> [107.148.146.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.yuyake.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"c2.yuyake.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291012; rev:1;) alert tcp $HOME_NET any -> [162.251.94.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qianxinnbplus.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/fam_cart.html"; depth:14; nocase; http.host; content:"www.qianxinnbplus.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0988906.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1291006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"yuanruicn.top"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1291005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291005; rev:1;) alert tcp $HOME_NET any -> [47.109.51.223] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290998; rev:1;) alert tcp $HOME_NET any -> [95.214.27.187] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291001; rev:1;) alert tcp $HOME_NET any -> [95.214.27.160] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291002; rev:1;) alert tcp $HOME_NET any -> [37.44.238.67] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1291003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91291003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conn.masjesu.zip"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1291000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91291000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000492.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290999; rev:1;) alert tcp $HOME_NET any -> [194.113.74.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290996; rev:1;) alert tcp $HOME_NET any -> [4.213.168.254] 35456 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290995; rev:1;) alert tcp $HOME_NET any -> [91.92.244.163] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290994; rev:1;) alert tcp $HOME_NET any -> [103.234.72.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290993; rev:1;) alert tcp $HOME_NET any -> [101.42.247.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1290992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290992; rev:1;) alert tcp $HOME_NET any -> [23.95.65.198] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290991; rev:1;) alert tcp $HOME_NET any -> [159.75.169.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290990; rev:1;) alert tcp $HOME_NET any -> [47.109.186.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connect.bolo-botnet.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290988; rev:1;) alert tcp $HOME_NET any -> [47.95.31.143] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290987; rev:1;) alert tcp $HOME_NET 
any -> [47.238.48.116] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290986; rev:1;) alert tcp $HOME_NET any -> [172.245.110.33] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290985; rev:1;) alert tcp $HOME_NET any -> [45.61.138.167] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290984; rev:1;) alert tcp $HOME_NET any -> [39.106.83.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290983; rev:1;) alert tcp $HOME_NET any -> [46.183.27.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290982; rev:1;) alert tcp $HOME_NET any -> [43.207.204.175] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1290981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290981; rev:1;) alert tcp $HOME_NET any -> [46.183.27.41] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290980; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 87 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290979; rev:1;) alert tcp $HOME_NET any -> [106.14.69.133] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290978; rev:1;) alert tcp $HOME_NET any -> [176.109.109.84] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290977; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 86 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290976; rev:1;) alert tcp $HOME_NET any -> [18.183.19.253] 81 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290975; rev:1;) alert tcp $HOME_NET any -> [114.55.250.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290972; rev:1;) alert tcp $HOME_NET any -> [34.132.104.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290973; rev:1;) alert tcp $HOME_NET any -> [39.100.182.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290974; rev:1;) alert tcp $HOME_NET any -> [112.126.85.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290970; rev:1;) alert tcp $HOME_NET any -> [49.232.199.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290971/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290971; rev:1;) alert tcp $HOME_NET any -> [110.40.138.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290968; rev:1;) alert tcp $HOME_NET any -> [114.55.57.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290969; rev:1;) alert tcp $HOME_NET any -> [49.232.227.129] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290965; rev:1;) alert tcp $HOME_NET any -> [150.158.113.86] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290966; rev:1;) alert tcp $HOME_NET any -> [199.195.252.200] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290967; rev:1;) alert tcp $HOME_NET any -> [43.136.218.157] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290963; rev:1;) alert tcp $HOME_NET any -> [47.76.67.52] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290964; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290961; rev:1;) alert tcp $HOME_NET any -> [117.50.196.200] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290962; rev:1;) alert tcp $HOME_NET any -> [64.7.198.173] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290959; rev:1;) alert tcp $HOME_NET any -> [123.58.220.97] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; 
sid:91290960; rev:1;) alert tcp $HOME_NET any -> [47.121.123.96] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290958; rev:1;) alert tcp $HOME_NET any -> [139.9.205.12] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290956; rev:1;) alert tcp $HOME_NET any -> [43.153.222.28] 433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290957; rev:1;) alert tcp $HOME_NET any -> [97.64.18.185] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290955; rev:1;) alert tcp $HOME_NET any -> [121.43.124.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290953; rev:1;) alert tcp $HOME_NET any -> [120.53.236.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1290954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290954; rev:1;) alert tcp $HOME_NET any -> [111.231.20.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290952; rev:1;) alert tcp $HOME_NET any -> [64.7.198.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290951; rev:1;) alert tcp $HOME_NET any -> [119.91.144.105] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290950; rev:1;) alert tcp $HOME_NET any -> [134.175.229.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290949; rev:1;) alert tcp $HOME_NET any -> [47.108.106.118] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290948; rev:1;) alert tcp $HOME_NET any -> [8.219.146.174] 
8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290947; rev:1;) alert tcp $HOME_NET any -> [206.237.24.135] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290945; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290946; rev:1;) alert tcp $HOME_NET any -> [154.221.24.44] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290944; rev:1;) alert tcp $HOME_NET any -> [8.217.137.245] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290943; rev:1;) alert tcp $HOME_NET any -> [8.219.146.174] 1337 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290942/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290942; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290941; rev:1;) alert tcp $HOME_NET any -> [47.121.112.235] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290940; rev:1;) alert tcp $HOME_NET any -> [47.236.74.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290939; rev:1;) alert tcp $HOME_NET any -> [47.113.107.52] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290938; rev:1;) alert tcp $HOME_NET any -> [43.138.132.137] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290937; rev:1;) alert tcp $HOME_NET any -> [39.108.220.93] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290936; rev:1;) alert tcp $HOME_NET any -> [185.117.0.43] 8887 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290935; rev:1;) alert tcp $HOME_NET any -> [185.201.226.192] 4001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290934; rev:1;) alert tcp $HOME_NET any -> [154.221.24.44] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290933; rev:1;) alert tcp $HOME_NET any -> [123.58.220.97] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290932; rev:1;) alert tcp $HOME_NET any -> [119.45.21.247] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290931/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_30; classtype:trojan-activity; sid:91290931; rev:1;) alert tcp $HOME_NET any -> [115.159.50.50] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290930; rev:1;) alert tcp $HOME_NET any -> [112.124.6.100] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290929; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290928; rev:1;) alert tcp $HOME_NET any -> [106.75.249.81] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290927; rev:1;) alert tcp $HOME_NET any -> [101.200.120.13] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290926; rev:1;) alert tcp $HOME_NET any -> [124.222.37.211] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290925; rev:1;) alert tcp $HOME_NET any -> [211.149.252.96] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290924; rev:1;) alert tcp $HOME_NET any -> [124.222.72.51] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290923; rev:1;) alert tcp $HOME_NET any -> [91.92.248.235] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290922; rev:1;) alert tcp $HOME_NET any -> [120.26.139.208] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290920; rev:1;) alert tcp $HOME_NET any -> [103.146.159.3] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290921; 
rev:1;) alert tcp $HOME_NET any -> [54.237.218.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290918; rev:1;) alert tcp $HOME_NET any -> [120.79.8.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290919; rev:1;) alert tcp $HOME_NET any -> [18.138.122.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290917; rev:1;) alert tcp $HOME_NET any -> [185.77.226.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290916; rev:1;) alert tcp $HOME_NET any -> [47.109.77.9] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290915; rev:1;) alert tcp $HOME_NET any -> [103.225.9.174] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1290913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290913; rev:1;) alert tcp $HOME_NET any -> [39.100.91.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290914; rev:1;) alert tcp $HOME_NET any -> [106.53.22.217] 1080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290912; rev:1;) alert tcp $HOME_NET any -> [220.249.191.101] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290911; rev:1;) alert tcp $HOME_NET any -> [116.204.75.247] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290910; rev:1;) alert tcp $HOME_NET any -> [43.138.150.207] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290909; rev:1;) alert tcp $HOME_NET any -> [154.44.10.182] 8000 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290908; rev:1;) alert tcp $HOME_NET any -> [47.97.100.26] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290907; rev:1;) alert tcp $HOME_NET any -> [121.37.226.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290906; rev:1;) alert tcp $HOME_NET any -> [35.238.182.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290905; rev:1;) alert tcp $HOME_NET any -> [124.223.101.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290903; rev:1;) alert tcp $HOME_NET any -> [95.214.234.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290904/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290904; rev:1;) alert tcp $HOME_NET any -> [111.231.74.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290901; rev:1;) alert tcp $HOME_NET any -> [43.138.0.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290902; rev:1;) alert tcp $HOME_NET any -> [124.221.22.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290900; rev:1;) alert tcp $HOME_NET any -> [62.234.34.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290899; rev:1;) alert tcp $HOME_NET any -> [43.138.0.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290897; rev:1;) alert tcp $HOME_NET any -> [129.211.214.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290898; rev:1;) alert tcp $HOME_NET any -> [103.225.196.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290895; rev:1;) alert tcp $HOME_NET any -> [47.92.70.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290896; rev:1;) alert tcp $HOME_NET any -> [85.209.153.114] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290894; rev:1;) alert tcp $HOME_NET any -> [106.54.197.233] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290892; rev:1;) alert tcp $HOME_NET any -> [8.134.163.72] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; 
sid:91290893; rev:1;)
# ip:port rules (alert tcp ... -> [ip] port): there is no flow: keyword, so a single TCP
# packet from $HOME_NET towards the listed host:port is enough to fire, including an
# unanswered SYN; "threshold: type limit, track by_src, seconds 60, count 1" caps this at
# one alert per internal source per minute. target:src_ip marks the internal host as the
# affected side, which is what the victim-side triage in SIEM/EVE output should key on.
alert tcp $HOME_NET any -> [107.172.34.126] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290890; rev:1;)
alert tcp $HOME_NET any -> [47.97.96.79] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290891; rev:1;)
alert tcp $HOME_NET any -> [8.137.87.159] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290888; rev:1;)
alert tcp $HOME_NET any -> [47.108.164.45] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290889; rev:1;)
alert tcp $HOME_NET any -> [47.97.22.116] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290887; rev:1;)
alert tcp $HOME_NET any -> [8.134.139.130] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290886; rev:1;)
alert tcp $HOME_NET any -> [47.92.30.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290885; rev:1;)
alert tcp $HOME_NET any -> [120.26.139.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290884; rev:1;)
alert tcp $HOME_NET any -> [155.94.204.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290883; rev:1;)
alert tcp $HOME_NET any -> [155.94.204.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290881; rev:1;)
alert tcp $HOME_NET any -> [106.75.15.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290882; rev:1;)
alert tcp $HOME_NET any -> [91.149.236.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290880; rev:1;)
alert tcp $HOME_NET any -> [107.189.13.28] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290878; rev:1;)
alert tcp $HOME_NET any -> [154.9.253.110] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290879; rev:1;)
alert tcp $HOME_NET any -> [112.124.33.134] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290877; rev:1;)
alert tcp $HOME_NET any -> [8.134.137.100] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290876; rev:1;)
# domain rules (alert dns ... dns_query): depth equals the name length and
# isdataat:!1,relative requires that nothing follows it, so the match is an exact,
# case-insensitive query name; subdomains and parent domains of the listed name are not
# covered and need their own indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ellaboratepwsz.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290809; rev:1;)
# url rules (alert http): limited to established client-to-server GET requests;
# http.uri content with depth anchors the path prefix, and http.host with depth plus
# isdataat:!1,relative requires the Host header to be exactly the listed value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"penetratedpoopp.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290805; rev:1;)
# This indicator is a specific profile path on a legitimate, widely used site
# (steamcommunity.com). Any client that requests that profile will match, so it is an
# alert-only indicator for triage; it should not be turned into a block on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199724331900"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"swellfrrgwwos.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"towerxxuytwi.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ellaboratepwsz.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290803; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contintnetksows.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reinforcedirectorywd.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290801; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potterryisiw.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodypannyjsud.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contintnetksows.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reinforcedirectorywd.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290796; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piedsiggnycliquieaw.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"piedsiggnycliquieaw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"potterryisiw.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"foodypannyjsud.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290794; rev:1;)
alert tcp $HOME_NET any -> [103.139.1.202] 3434 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.4gnekoland.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290511/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290511; rev:1;)
alert tcp $HOME_NET any -> [15.235.209.194] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pedestriankodwu.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290804; rev:1;)
alert tcp $HOME_NET any -> [5.59.248.220] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290802; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pedestriankodwu.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penetratedpoopp.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swellfrrgwwos.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"towerxxuytwi.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bunkomania.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternalgamewindowstest.php"; depth:35; nocase; http.host; content:"640740cm.nyashka.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290875; rev:1;)
# confidence_level 50 entries start here (AsyncRAT, DCRat, QakBot, "Unknown malware", ...).
# These are the lowest-confidence tier in this feed; the metadata confidence_level key is
# the handle for filtering or down-prioritising them at rule-load time if they prove noisy.
alert tcp $HOME_NET any -> [213.195.117.131] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290874; rev:1;)
alert tcp $HOME_NET any -> [185.241.208.181] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290873; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290872; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.70] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290871; rev:1;)
alert tcp $HOME_NET any -> [176.32.38.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290870; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.17] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290869; rev:1;)
alert tcp $HOME_NET any -> [79.107.142.212] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290868; rev:1;)
alert tcp $HOME_NET any -> [37.111.183.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290867; rev:1;)
alert tcp $HOME_NET any -> [52.183.57.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290866; rev:1;)
alert tcp $HOME_NET any -> [178.18.254.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290865; rev:1;)
alert tcp $HOME_NET any -> [52.196.181.68] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290864; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000330.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290863; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7cfea12.php"; depth:13; nocase; http.host; content:"cr94982.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290862; rev:1;)
alert tcp $HOME_NET any -> [4.185.58.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290861; rev:1;)
alert tcp $HOME_NET any -> [101.36.111.47] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290860; rev:1;)
# NOTE(review): unlike every other url rule in this block, sid:91290835 puts the IP
# address into the http.uri buffer and has no http.host match at all. A request path
# normally begins with "/", so as written this rule is unlikely to ever fire; the same host
# is matched correctly via http.host by sid:91290822 further down. Looks like the source IOC
# was a bare host with no path -- confirm against the referenced ThreatFox entry before
# relying on this rule for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"188.130.207.35"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1290835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"citizencenturygoodwk.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290834; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 14348 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290832; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ghostghostcom.000webhostapp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_30; classtype:trojan-activity; sid:91290831; rev:1;)
# Several hosts below appear twice: once as an ip:port rule and once as a url rule with the
# IP in http.host (e.g. 117.50.177.53, 202.95.15.212, 185.196.8.93, 116.198.247.52). A hit
# on both for the same internal source corroborates the C2 classification; a hit on the
# ip:port rule alone can also be port scanning or an unanswered connection attempt.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hzol"; depth:5; nocase; http.host; content:"117.50.177.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_30; classtype:trojan-activity; sid:91290830; rev:1;)
alert tcp $HOME_NET any -> [117.50.177.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290829; rev:1;)
alert tcp $HOME_NET any -> [120.78.7.92] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_30; classtype:trojan-activity; sid:91290826; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.220] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290825; rev:1;)
alert tcp $HOME_NET any -> [20.199.8.16] 1726 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999840.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0b92e7ab19e861f9.php"; depth:21; nocase; http.host; content:"188.130.207.35"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290822; rev:1;)
alert tcp $HOME_NET any -> [47.108.142.95] 64535 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290821; rev:1;)
alert tcp $HOME_NET any -> [202.95.15.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"202.95.15.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290819; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mk"; depth:3; nocase; http.host; content:"185.196.8.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290817; rev:1;)
alert tcp $HOME_NET any -> [116.198.247.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"116.198.247.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290815; rev:1;)
alert tcp $HOME_NET any -> [18.136.148.247] 16674 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290814; rev:1;)
alert tcp $HOME_NET any -> [185.91.69.98] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290791; rev:1;)
# The url match below is on a generic library filename (/jquery-3.3.1.min.js); the exact
# http.host requirement is what keeps it specific to the listed domain, so do not loosen
# the host part of this rule when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"baidenyes.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidenyes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290540; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.27] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290538; rev:1;)
alert tcp $HOME_NET any -> [154.12.229.73] 1994 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290537; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.123] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290536; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.126] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290535/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290535; rev:1;)
alert tcp $HOME_NET any -> [142.11.201.122] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290534; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290533; rev:1;)
alert tcp $HOME_NET any -> [195.133.201.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290532; rev:1;)
alert tcp $HOME_NET any -> [82.97.249.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290531; rev:1;)
alert tcp $HOME_NET any -> [154.12.60.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290530; rev:1;)
alert tcp $HOME_NET any -> [219.157.177.120] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290529; rev:1;)
alert tcp $HOME_NET any -> [43.129.83.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290528; rev:1;)
alert tcp $HOME_NET any -> [111.229.193.40] 38888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290527; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.25] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290526; rev:1;)
alert tcp $HOME_NET any -> [23.93.90.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290525; rev:1;)
alert tcp $HOME_NET any -> [64.229.116.44] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290524; rev:1;)
alert tcp $HOME_NET any -> [78.166.52.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290523; rev:1;)
alert tcp $HOME_NET any -> [1.161.66.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290522; rev:1;)
alert tcp $HOME_NET any -> [43.198.114.188] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290521; rev:1;)
# Destination port 445 to a single external host: besides the indicator match itself, any
# hit here also shows that outbound SMB from that internal source reaches the internet,
# which is worth checking against the perimeter egress policy independently of this alert.
alert tcp $HOME_NET any -> [40.69.149.188] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290520; rev:1;)
alert tcp $HOME_NET any ->
[174.138.125.95] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290519; rev:1;) alert tcp $HOME_NET any -> [103.252.116.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290518; rev:1;) alert tcp $HOME_NET any -> [38.147.162.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290517; rev:1;) alert tcp $HOME_NET any -> [88.2.202.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290516; rev:1;) alert tcp $HOME_NET any -> [92.38.160.73] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290515; rev:1;) alert tcp $HOME_NET any -> [164.90.241.207] 2053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290514/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_29; classtype:trojan-activity; sid:91290514; rev:1;) alert tcp $HOME_NET any -> [66.78.40.31] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290513; rev:1;) alert tcp $HOME_NET any -> [66.78.40.31] 31785 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290512; rev:1;) alert tcp $HOME_NET any -> [172.232.164.13] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290509; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 1316 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xgfx"; depth:5; nocase; http.host; content:"8.130.111.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_29; classtype:trojan-activity; sid:91290507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.132.87.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"funny-sam.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funny-sam.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290502/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot6110313252:aae6ffozbefhnbent-1dwxi9ebezqtxbygk/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290498; rev:1;) alert tcp $HOME_NET any 
-> [185.243.181.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/26/pls-00208-identifier-is-not-a-legal-cursor-attribute"; depth:64; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bultecappelle.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login-auth-office.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290489; rev:1;) alert tcp $HOME_NET any -> [217.195.197.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290492/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_29; classtype:trojan-activity; sid:91290492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"login-auth-office.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"login-auth-office.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1253689379948593173/lzph5ddd7etwylrpmt2m_ml82ys42yxolytwbwldi4nxulovpmphz7alftfln1rxcqac"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"football-emily.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290496; rev:1;) alert tcp $HOME_NET any -> [47.121.123.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.121.123.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290490; rev:1;) alert tcp $HOME_NET any -> [119.8.162.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.windowsuserapi.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/z"; depth:25; nocase; http.host; content:"www.windowsuserapi.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jqueryuiv12.js"; depth:15; nocase; http.host; content:"47.121.141.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290482; rev:1;) alert tcp $HOME_NET any -> [54.165.22.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.165.22.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.121.123.96"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1290478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290478; rev:1;) alert tcp $HOME_NET any -> [47.121.123.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290479; rev:1;) alert tcp $HOME_NET any -> [47.109.51.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.109.51.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290476; rev:1;) alert tcp $HOME_NET any -> [47.236.96.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.236.96.238"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1290474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999337.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290473; rev:1;) alert tcp $HOME_NET any -> [147.45.45.3] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290472; rev:1;) alert tcp $HOME_NET any -> [209.90.234.57] 1913 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290471; rev:1;) alert tcp $HOME_NET any -> [148.135.115.35] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290468; rev:1;) alert tcp $HOME_NET any -> [211.95.133.87] 49084 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; 
classtype:trojan-activity; sid:91290467; rev:1;) alert tcp $HOME_NET any -> [143.92.42.200] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/lounge"; depth:12; nocase; http.host; content:"newcp.thebestbodrumtemizlik.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/apostolic"; depth:15; nocase; http.host; content:"newcpp.constructoraharr.cl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robsheraldry.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"osheafarm.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"lascolinasresortdalas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"robsheraldry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lascolinasresortdalas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poseidon.cool"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290446; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoprojectnew.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"robsheraldry.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"osheafarm.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"poseidon.cool"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poseidon.cool"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290451/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osheafarm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lascolinasresortdalas.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290454; rev:1;) alert tcp $HOME_NET any -> [91.206.178.85] 9000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290459; rev:1;) alert tcp $HOME_NET any -> [160.19.78.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290460; rev:1;) alert tcp $HOME_NET any -> [92.246.138.36] 41426 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/44e38142.php"; depth:13; nocase; http.host; content:"a0996046.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999792.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_29; classtype:trojan-activity; sid:91290461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.208.220.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_29; classtype:trojan-activity; sid:91290458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"8.134.130.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-iktxibt6-1305682303.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-iktxibt6-1305682303.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290435; rev:1;) alert tcp $HOME_NET any -> [84.44.148.177] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290433; rev:1;) alert tcp $HOME_NET any -> [176.174.54.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290432; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 36797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290431; rev:1;) alert tcp $HOME_NET any -> [5.59.248.206] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.icdns.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290429; rev:1;) alert tcp $HOME_NET any -> [193.26.115.132] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290427; rev:1;) alert tcp $HOME_NET any -> [193.26.115.132] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290428; rev:1;) alert tcp $HOME_NET any -> [193.26.115.132] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290426; rev:1;) alert tcp $HOME_NET any -> [45.88.186.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290425; rev:1;) alert tcp $HOME_NET any -> [45.88.186.43] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290424; rev:1;) alert tcp $HOME_NET any -> [45.88.186.43] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290423; rev:1;) alert tcp $HOME_NET any -> [77.105.161.171] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290422; rev:1;) alert tcp $HOME_NET any -> [8.220.204.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290421; rev:1;) alert tcp $HOME_NET any -> [164.92.158.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290420; rev:1;) alert tcp $HOME_NET any -> [118.89.66.70] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290419; rev:1;) alert tcp $HOME_NET any -> [175.24.198.41] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290418; rev:1;) alert tcp $HOME_NET any -> [89.148.151.98] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290417; rev:1;) alert tcp $HOME_NET any -> [85.107.13.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290416; rev:1;) alert tcp $HOME_NET any -> [71.255.230.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290415; rev:1;) alert tcp $HOME_NET any -> [52.88.83.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290414; rev:1;) alert tcp $HOME_NET any -> [111.13.104.234] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290413; rev:1;) alert tcp $HOME_NET any -> [183.220.149.148] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1290412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290412; rev:1;) alert tcp $HOME_NET any -> [16.170.163.148] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290411; rev:1;) alert tcp $HOME_NET any -> [82.153.138.168] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290410; rev:1;) alert tcp $HOME_NET any -> [135.148.132.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"112.239.97.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290408; rev:1;) alert tcp $HOME_NET any -> [176.97.114.45] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnetddos.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290404; rev:1;) alert tcp $HOME_NET any -> [160.177.56.173] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"an.cloudto.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a1000056.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1290403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290403; rev:1;) alert tcp $HOME_NET any -> [107.173.62.181] 17120 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91290401; rev:1;) alert tcp $HOME_NET any -> [114.116.244.244] 4495 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.95.31.143"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290399; rev:1;) alert tcp $HOME_NET any -> [43.163.235.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes"; depth:14; nocase; http.host; content:"43.163.235.40"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1290397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.76.67.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"186.2.171.60"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290123; rev:1;) alert tcp $HOME_NET any -> [186.2.171.60] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.superdreadi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.vifurni.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1290388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.viralhab.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.vuacanvas.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.dilagosburguer.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.japanbangladeshhospital.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.laofix.com.tr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290393/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91290393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.pantallita.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pipp.sixfibras.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sagarsprings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sc3bhgr7781.universe.wf"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.seotoronto.company"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290365; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.siarabd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.soltani-shopping.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.superanimalpet.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.swammovers.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.tora-ks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"newscp.tracymasonmedia.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.trimitrateknikmandiri.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.universalauto2000.it"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.usgonline.mx"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.valledelinka.com.pe"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.webhostingneo.co.id"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.xmartechpro.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.xpresscard.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.youthtuko.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.arcaem.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.ckinam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290381/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.ffde.com.br"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.fxtransportation.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.grupoqueiroz.pt"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.levinesolutions.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"panda.lojaniq.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290386; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.exideinverterbattery.in"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.fatp.co.tz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.gclenterprises.in"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.geber.com.mx"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.grupoempresarialvasram.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"newscp.heefhotel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.hydrosolutions.pe"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ibis-inspection.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.internetareal.net.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.janeladedramaturgia.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.junoindia.com"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.khulumameals.co.za"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.lf21.my.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mappingcanvasser.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.maridadymotors.co.ke"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mexicodemaria.mx"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.mgglobalinvest.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.myportodigital.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ndwc.com.py"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.nppp.pk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.nsaservices.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290355/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.oanachivu.ro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.oiltanker.com.ng"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ontrace.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.posdata-si.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.psiqo.com.pe"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.rafaelhsouza.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.sacs.ec"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.akia.com.mx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.alauddinsweetmeat.com.bd"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.almastudio.pe"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"newscp.antaema.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.arabic.du.ac.bd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aromatherapyacademy.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.atiliomarola.com.ar"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aunurrafiqofficial.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.bangfirmanofficial.com"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.blueheadfilms.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.botchats.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.carboneralabanda.com.co"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.carvalhocruz.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.chaucatotoursperu.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290324/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.clay.net.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.cncmorelos.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.colbachabierto.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.computertechsperts.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.danmartin.ro"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.darfurfm.sd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.debellis.com.br"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.digitalmaster.ro"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.dominioarquitectura.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ebitan.com.bd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.pkmkaranganyar.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.pmkt.ao"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.polomilano.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.polyvin.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.powerunits.com.ng"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.protrans.com.ph"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.quasarful.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.revenueacademy.it"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sagarsprings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sandrasperling.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sc1jtfu9765.universe.wf"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.seguroautoagora.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.seis.co.ke"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sketchersdesign.co.ke"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.sscmcc.cl"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.stratwood-gs.ro"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290298/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.streakk.com.ng"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.tdsorsta.ro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.techtrust.pt"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.tecsoluciones.com.pe"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.testabeko.mamaquette.fr"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290303; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.thehumanitarianfund.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.uptourismguide.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.urushomestay.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.xyfinity.co.za"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.aeni-script.my.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"newscp.agenciazurc.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newscp.ainirentcar.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fundacionequiterra.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.gemsinnovation.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.h-bsofwares.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.huncanlit.com"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.husamekhrawesh.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ibis-inspection.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.institutoiba.org.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.johnballis.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.khabarworld.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290269/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.killerworkdev.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.kotok.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ktktech.my.id"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.kystibbi.com.tr"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lacitavilla.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lakcards.lk"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lenterdit.com.ar"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.lindaballis.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.logdist.ma"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.luicreativestudio.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(domain - confidence level: 100%)"; dns_query; content:"newcpp.magyarkoltok.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.meiya.co.ke"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ontrace.id"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aceleraventas.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.addisbasketball.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.adrenalinanet.com.br"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.afrokulchatravel.co.za"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aminadabelago.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.aurejewelry.ca"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.averynigeria.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.balebuku.my.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.bandamuveegroov.com.br"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.better-gpt.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.build-2-suit.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.casadefriossaobenedito.com.br"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.confidable.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290246/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91290246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.conquermark.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.damaskin.ro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.ditsaambiental.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.doncellafem.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.dungnguyenarchi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290251; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.durumdelight.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.easthartfordinterfaith.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.education21kulimpku.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.espace-food.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.espinhoserosas.com.br"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"newcpp.exactcolor.co.ke"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.falahatishop.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fitnessupbeat.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.fridaybd.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.recubplast.com.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.royalcontingencia.com"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.rsquad.co.ke"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.safipompe.ma"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sagarsprings.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sbaqala.pk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sc3bhgr7781.universe.wf"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290208/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.seo7sry.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.skinorra.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.smartlabor.it"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.solarib.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.sosgestion.com.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290213; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.spiegelenergy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.spiegelenergy.com.au"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.stargazemining.co.za"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.superanimalpet.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tamilankadai.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"newcp.tamminguyen.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tammisnaps.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.thebestbodrumtemizlik.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.thisisafricas.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.tuintiadmin.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ultisol.co.za"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.universal-kikaku.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.uns-kikaku.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.urunstand.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.visualmakers.com.pk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.vozminera.mx"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290229/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.wine-ar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.youknowpeople.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.4182-0006ac95072f.wptiger.fr"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcpp.abarclinic.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.induslab.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290172; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.inkopau-rentcar.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ithalatcimiz.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.japeto.ro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.johnballis.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.karyacorp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"newcp.libuinsi.my.id"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.liderford.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lindaballis.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lojaflordocerrado.com.br"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.lourencoviajante.pt"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maeslanden.nl"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maskinsoftware.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.maxxcontrol.com.tr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.medyapm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.meiya.co.ke"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.metse.co.bw"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290188/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.mexicodemaria.mx"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.multipolarsolution.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.naseemtravels.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.neutown.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ngopicoding.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290193; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.niceguyrebrands.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.nirmalexpertsolutions.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.perapeyzaj.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.piolinspa.cl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.plastikiniai-langai.eu"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - 
confidence level: 100%)"; dns_query; content:"newcp.pnmls.cd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.posdata-si.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ram-service.cl"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.frederic-monereau.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.freud.radi0.im"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.fxtransportation.com"; depth:26; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gaziemircicekciler.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.generation-green.ma"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.geofieldp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ghdemo.com.tr"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gridedgenews.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290166/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.gssgroup.co.ke"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.h-bsofwares.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.harasselection.com.br"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.hiraotomatikkapi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.hypercctv.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290171; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.aurejewelry.ca"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.avalanche-store.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.balcovacicekciler.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bayraklicicekciler.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bazis-t.uz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain 
- confidence level: 100%)"; dns_query; content:"newcp.beyondxgroup.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bitezeventwedding.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bizaccord.com.pk"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bnkilaclama.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bonggayon.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.bornovacicekciler.com"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.boscosoft.ae"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.botchats.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.brntemizlik.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.clay.net.in"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.colegioburiti.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290152/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.departamentosenpueblolibre.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.dihucar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.dominantlegaltrans.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.essasattire.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.fahadengineerings.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91290157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.franciaim.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.abagenciamarketingdigital.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.adrenalinanet.com.br"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.afrikwebacademy.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.americansports.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290131; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.amtech.sd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.andersonconstantino.com.br"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.ankaradatemizliksirketi.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.arteimparables.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newcp.aurcleaning.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/wittily"; depth:13; nocase; http.host; content:"newcpp.powerunits.com.ng"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov/effectual"; depth:15; nocase; http.host; content:"bitpa.miogatto.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"79.137.192.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"zestyahhdog.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; 
content:"zestyahhdog.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"37.27.82.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"37.27.82.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290107; rev:1;) alert tcp $HOME_NET any -> [37.27.82.196] 80 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290109; rev:1;) alert tcp $HOME_NET any -> [37.27.82.196] 443 (msg:"ThreatFox Poseidon payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zestyahhdog.com"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jaipurstylo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"jaipurstylo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290115; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"helpcenter.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.zestyahhdog.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"www.zestyahhdog.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"www.zestyahhdog.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; 
content:"static.196.82.27.37.clients.your-server.de"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"static.196.82.27.37.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arc12645413.dmg"; depth:16; nocase; http.host; content:"static.196.82.27.37.clients.your-server.de"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"ip.tvguzel.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ip.tvguzel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290099; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-access.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-ch.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"agov-ch.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; 
content:"extraiptv.giize.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"hd.hdweb2.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"register-agov.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"tv.surebettr.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"tv.yayins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290075/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-access.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-access.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-ch.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.extraiptv.giize.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290080; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.agov-ch.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hd.hdweb2.pw"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; nocase; http.host; content:"www.register-agov.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"extraiptv.giize.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tv.surebettr.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tv.yayins.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-access.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-ch.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
100%)"; dns_query; content:"www.agov-access.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.agov-ch.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.extraiptv.giize.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.register-agov.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agov-access.dmg"; depth:16; 
nocase; http.host; content:"agov-access.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290095; rev:1;) alert tcp $HOME_NET any -> [5.188.88.218] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1290096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"175.107.3.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1290097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91290097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"288583cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"392065cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"466037cm.n9shteam2.top"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"918938cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"n9shteam2.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"415566cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"297037cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"113304cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290052/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"421820cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"356137cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"445443cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"791660cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"474452cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290057; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"115583cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"042506cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"234540cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"815156cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"272450cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"810755cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"502647cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"560216cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"784334cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"800453cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"351866cm.n9shteam2.top"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"545735cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"024460cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"256435cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"113313cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"476258cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290045/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"452132cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"112880cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"478925cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"739668cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"318907cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; 
sid:91290022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"218629cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"378418cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"796367cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"373430cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"055442cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"901329cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"550515cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"044913cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"994609cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"677846cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"842614cm.n9shteam2.top"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"130727cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"741211cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"505732cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"462708cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"797441cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1290009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"080864cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"865461cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"751120cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"463281cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"596048cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290014/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_28; classtype:trojan-activity; sid:91290014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"466329cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"041018cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"956330cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"034928cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"913987cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290019; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"587986cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"946663cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"040943cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"931740cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"656709cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"096241cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"851594cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"314172cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"118621cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"338453cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"621287cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1290000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"826969cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"226037cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"382119cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"173920cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"625492cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290005/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"367191cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1290006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91290006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"047138cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"473366cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"235566cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"206481cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289989; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"424673cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"306003cm.n9shteam2.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.46.204.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289984; rev:1;)
# NOTE(review): the "ip:port" rules (alert tcp ... -> [IP] PORT) carry no flow: keyword, unlike the
# http rules (flow:established,from_client). They therefore match any packet $HOME_NET sends toward the
# listed ip:port, including a bare SYN that never completes a handshake; the threshold only caps that to
# one alert per source per 60 s. Read a hit as "host attempted contact with the listed endpoint" and
# confirm an established session before treating it as live C2. Adding flow:established,to_server
# would suppress the unanswered-SYN case but also hides blocked/failed beacon attempts - pick per site.
alert tcp $HOME_NET any -> [120.46.204.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289985; rev:1;) alert tcp $HOME_NET any -> [45.40.96.164] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289983; rev:1;) alert tcp $HOME_NET any -> [147.45.47.83] 7622 (msg:"ThreatFox RedLine 
Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmrequestupdateapibigloaddblinuxtest.php"; depth:41; nocase; http.host; content:"040943cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0999929.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1289978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289977; rev:1;) alert tcp $HOME_NET any -> [107.173.140.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develop/messaging/w5jk7inlq"; depth:28; nocase; http.host; content:"cscs.beauty"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"104.243.27.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289974; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.40.63.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289972; rev:1;) alert tcp $HOME_NET any -> [39.99.34.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"122.51.216.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"184.73.109.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289968; rev:1;) alert tcp 
$HOME_NET any -> [184.73.109.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.micorosoft-ai.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micorosoft-ai.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.99.34.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289965; rev:1;) alert tcp $HOME_NET any -> [101.201.178.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289964/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91289964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.178.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289963; rev:1;) alert tcp $HOME_NET any -> [39.103.236.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.103.236.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.13.86"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289960; rev:1;) alert tcp $HOME_NET any -> [5.59.248.211] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-access.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"agov-ch.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91289958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"register-agov.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p2p"; depth:4; nocase; http.host; content:"79.137.192.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a066a53ea1064ac7.php"; depth:21; nocase; http.host; content:"94.156.68.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289951; rev:1;) alert tcp $HOME_NET any -> [94.232.249.111] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289947; rev:1;) alert tcp $HOME_NET any -> [94.232.249.111] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289946/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91289946; rev:1;) alert tcp $HOME_NET any -> [94.232.249.111] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289945; rev:1;) alert tcp $HOME_NET any -> [185.104.195.215] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289936; rev:1;) alert tcp $HOME_NET any -> [193.26.115.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289935; rev:1;) alert tcp $HOME_NET any -> [193.26.115.226] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289934; rev:1;) alert tcp $HOME_NET any -> [193.26.115.226] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289933; rev:1;) alert tcp $HOME_NET any -> [185.196.11.252] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289932; rev:1;) alert tcp $HOME_NET any -> [142.11.201.125] 8713 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289931; rev:1;) alert tcp $HOME_NET any -> [128.90.128.201] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289930; rev:1;) alert tcp $HOME_NET any -> [94.156.68.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289929; rev:1;) alert tcp $HOME_NET any -> [18.166.31.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289928; rev:1;) alert tcp $HOME_NET any -> [150.129.82.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.3.195.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.177.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289768; rev:1;)
# NOTE(review): sid 91289769 below is identical to sid 91289768 above in every matching option
# (GET, http.uri "/tftp", http.host "122.52.177.244"); only sid and the ThreatFox reference differ.
# Both will fire on the same request, producing two alerts per hit. Keep one (or disable the other
# with a local suppress/disable.conf entry) - do not delete the line, the reference id is how the IOC
# is traced back to ThreatFox.
# Also note: the http.uri match is "/tftp" with depth:5 and no isdataat:!1,relative after it (the host
# check does have one), so it is a prefix match - any URI beginning with /tftp on that host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.177.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"122.52.233.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; 
content:"124.105.81.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"14.142.209.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"170.210.81.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"170.210.81.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"182.72.167.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; 
classtype:trojan-activity; sid:91289775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"185.224.107.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"190.108.63.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"200.123.251.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.39.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.44.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.39.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.50.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289782; rev:1;)
# NOTE(review): sid 91289783 below duplicates sid 91289782 above - same GET, same "/tftp" prefix,
# same http.host "202.57.50.194"; only sid/reference differ, so every matching request raises two
# alerts. Keep one and suppress the other locally rather than deleting the line (the reference id
# is the link back to the ThreatFox record).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.50.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.51.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289784/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.57.55.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"202.93.228.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.192.113.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.192.113.232"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"211.40.16.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.14.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.14.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"223.25.21.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"45.118.79.103"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1289793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"103.134.214.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"12.196.184.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289766; rev:1;) alert tcp $HOME_NET any -> [79.107.150.48] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiolok.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289763; rev:1;) alert tcp $HOME_NET any -> [94.156.68.221] 2424 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"82.77.65.195"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tftp"; depth:5; nocase; http.host; content:"89.184.185.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289795; rev:1;) alert tcp $HOME_NET any -> [202.57.55.10] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289817; rev:1;) alert tcp $HOME_NET any -> [202.57.50.194] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289814; rev:1;) alert tcp $HOME_NET any -> [202.57.50.194] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289815; rev:1;) alert tcp $HOME_NET any -> [202.57.51.34] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289816; rev:1;) alert tcp $HOME_NET any -> [202.57.39.2] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289812; rev:1;) alert tcp $HOME_NET any -> [202.57.44.122] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289813; rev:1;) alert tcp $HOME_NET any -> [70.27.138.141] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289925; rev:1;) alert tcp $HOME_NET any -> [190.108.63.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289809; rev:1;) alert tcp $HOME_NET any -> [200.123.251.66] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289810; rev:1;) alert tcp $HOME_NET any -> [202.57.39.194] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289811; rev:1;) alert tcp $HOME_NET any -> [185.224.107.4] 8580 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289808; rev:1;) alert tcp $HOME_NET any -> [170.210.81.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289806; rev:1;) alert tcp $HOME_NET any -> [182.72.167.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289807; rev:1;) alert tcp $HOME_NET any -> [187.170.246.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289924/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289924; rev:1;) alert tcp $HOME_NET any -> [170.210.81.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289805; rev:1;) alert tcp $HOME_NET any -> [14.142.209.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289804; rev:1;) alert tcp $HOME_NET any -> [124.105.81.130] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289803; rev:1;) alert tcp $HOME_NET any -> [122.52.177.244] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289801; rev:1;) alert tcp $HOME_NET any -> [122.52.233.104] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289802; rev:1;) alert tcp $HOME_NET any -> [122.3.195.178] 19001 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289799; rev:1;) alert tcp $HOME_NET any -> [122.52.177.244] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289800; rev:1;) alert tcp $HOME_NET any -> [12.196.184.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289798; rev:1;) alert tcp $HOME_NET any -> [103.134.214.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289797; rev:1;) alert tcp $HOME_NET any -> [202.93.228.170] 8877 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289818; rev:1;) alert tcp $HOME_NET any -> [211.192.113.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289819/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_28; classtype:trojan-activity; sid:91289819; rev:1;) alert tcp $HOME_NET any -> [211.192.113.232] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289820; rev:1;) alert tcp $HOME_NET any -> [211.40.16.243] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289821; rev:1;) alert tcp $HOME_NET any -> [223.25.14.122] 19001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289822; rev:1;) alert tcp $HOME_NET any -> [223.25.14.122] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289823; rev:1;) alert tcp $HOME_NET any -> [223.25.21.62] 19002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289824; rev:1;) alert tcp $HOME_NET any -> [45.118.79.103] 8892 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289825; rev:1;) alert tcp $HOME_NET any -> [82.77.65.195] 830 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289826; rev:1;) alert tcp $HOME_NET any -> [77.221.154.30] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289923; rev:1;) alert tcp $HOME_NET any -> [5.42.221.151] 60606 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289922; rev:1;) alert tcp $HOME_NET any -> [204.13.232.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289921; rev:1;) alert tcp $HOME_NET any -> [81.169.158.60] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289920; rev:1;) alert tcp 
$HOME_NET any -> [91.92.241.13] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289919; rev:1;) alert tcp $HOME_NET any -> [92.118.112.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289918; rev:1;) alert tcp $HOME_NET any -> [92.118.112.10] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289917; rev:1;) alert tcp $HOME_NET any -> [163.172.136.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289916; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 21 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289915; rev:1;) alert tcp $HOME_NET any -> [120.26.192.87] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289914/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289914; rev:1;) alert tcp $HOME_NET any -> [121.91.37.98] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289913; rev:1;) alert tcp $HOME_NET any -> [182.91.252.41] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289912; rev:1;) alert tcp $HOME_NET any -> [119.96.62.178] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289911; rev:1;) alert tcp $HOME_NET any -> [144.86.159.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289910; rev:1;) alert tcp $HOME_NET any -> [195.10.205.102] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dfddc22e.php"; depth:13; nocase; http.host; content:"a0998701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ci15096.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289907; rev:1;) alert tcp $HOME_NET any -> [51.15.254.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289906; rev:1;) alert tcp $HOME_NET any -> [194.26.192.92] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289828; rev:1;) alert tcp $HOME_NET any -> [45.74.8.236] 5355 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"harmfullyelobardek.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject1.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289831; rev:1;) alert tcp $HOME_NET any -> [45.90.13.207] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clients.kaitenc2.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_28; classtype:trojan-activity; sid:91289762; rev:1;) alert tcp $HOME_NET any -> [185.200.221.15] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289902; rev:1;) alert tcp $HOME_NET any -> [47.76.140.7] 33337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289903/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289903; rev:1;) alert tcp $HOME_NET any -> [200.58.103.229] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289904; rev:1;) alert tcp $HOME_NET any -> [180.184.69.31] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289905; rev:1;) alert tcp $HOME_NET any -> [18.191.57.224] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289900; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 9443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289901; rev:1;) alert tcp $HOME_NET any -> [134.209.191.240] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289898; rev:1;) alert tcp $HOME_NET any -> [213.183.73.220] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289899; rev:1;) alert tcp $HOME_NET any -> [13.112.55.132] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289896; rev:1;) alert tcp $HOME_NET any -> [157.230.15.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289897; rev:1;) alert tcp $HOME_NET any -> [38.150.34.181] 2000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289893; rev:1;) alert tcp $HOME_NET any -> [45.63.26.220] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289894; rev:1;) alert tcp $HOME_NET any -> [202.182.106.2] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289895; rev:1;) alert tcp 
# NOTE(review): the first rule below is only the tail of a rule whose "alert tcp" head
# lies above this section; it is kept verbatim.
#
# --- ThreatFox ip:port rules (mostly Sliver, first_seen 2024_06_28, confidence 100) ---
# Rule shape: "alert tcp $HOME_NET any -> [IP] PORT" with NO flow keyword, so any TCP
# segment from an internal host to the listed endpoint (a bare SYN included) alerts;
# "threshold: type limit, track by_src, seconds 60, count 1" caps this at one alert per
# internal source per minute, and target:src_ip marks that internal source as the victim.
# sid is "9" followed by the ThreatFox IOC id from the reference URL; every rule is rev:1,
# so treat the feed as a whole-file replacement rather than merging by sid/rev.
# NOTE(review): several endpoints (e.g. 3.235.7.20, 23.22.218.218, 20.212.244.216,
# 4.185.109.49, 35.188.65.13) look like public-cloud address space — verify; such
# addresses are re-assigned quickly, so age rules out by first_seen to limit false positives.
$HOME_NET any -> [148.113.5.49] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289892; rev:1;)
alert tcp $HOME_NET any -> [3.235.7.20] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289889; rev:1;)
alert tcp $HOME_NET any -> [20.212.244.216] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289890; rev:1;)
alert tcp $HOME_NET any -> [23.22.218.218] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289891; rev:1;)
alert tcp $HOME_NET any -> [140.99.164.226] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289888; rev:1;)
alert tcp $HOME_NET any -> [151.236.216.235] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289885; rev:1;)
alert tcp $HOME_NET any -> [4.185.109.49] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289886; rev:1;)
alert tcp $HOME_NET any -> [118.25.103.251] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289887; rev:1;)
alert tcp $HOME_NET any -> [147.45.251.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289884; rev:1;)
alert tcp $HOME_NET any -> [35.188.65.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289882; rev:1;)
alert tcp $HOME_NET any -> [94.198.54.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289883; rev:1;)
# NOTE(review): the next ~38 rules pin consecutive hosts in 194.113.72.0-194.113.75.255 on
# port 31337 (Sliver). One rule on the covering CIDR would be cheaper to evaluate, but the
# feed emits one sid per IOC so that each alert keeps its own ThreatFox reference.
alert tcp $HOME_NET any -> [194.113.75.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289880; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.242] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289881; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.252] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289875; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289876; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289877; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289878; rev:1;)
alert tcp $HOME_NET any -> [194.113.75.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289879; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289870; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.150] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289871; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.185] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289872; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.248] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289873; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.250] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289874; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289865; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.102] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289866; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.107] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289867; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.121] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289868; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.138] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289869; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289858; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289859; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289860; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289861; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.49] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289862; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289863; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289864; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289854; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289855; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289856; rev:1;)
alert tcp $HOME_NET any -> [194.113.74.0] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289857; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289849; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289850; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289851; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289852; rev:1;)
alert tcp $HOME_NET any -> [194.113.73.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289853; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289845; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289846; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289847; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289848; rev:1;)
alert tcp $HOME_NET any -> [194.113.72.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289844; rev:1;)
alert tcp $HOME_NET any -> [104.248.176.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289843; rev:1;)
alert tcp $HOME_NET any -> [45.156.26.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289839; rev:1;)
alert tcp $HOME_NET any -> [50.116.32.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289840; rev:1;)
alert tcp $HOME_NET any -> [51.15.254.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289841; rev:1;)
alert tcp $HOME_NET any -> [52.196.181.68] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289842; rev:1;)
alert tcp $HOME_NET any -> [43.154.18.143] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289836; rev:1;)
alert tcp $HOME_NET any -> [45.154.14.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289837; rev:1;)
alert tcp $HOME_NET any -> [45.154.14.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289838; rev:1;)
alert tcp $HOME_NET any -> [23.95.48.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289835; rev:1;)
# --- URL rules (alert http, $HOME_NET -> $EXTERNAL_NET, client GET only) ---
# The path is matched as a PREFIX: "content:...; depth:N" anchors it at the start of
# http.uri but nothing forbids trailing bytes, so "/cx" also matches "/cxfoo". The host
# is matched exactly ("depth:N; isdataat:!1,relative" after http.host). The short generic
# paths in these rules are only meaningful together with the pinned host — do not relax it.
# NOTE(review): the exact-host anchor will not match if the normalized http.host buffer
# carries anything after the name (e.g. an explicit ":port"); check how your Suricata
# version normalizes http.host, or use http.host.raw if you need the header verbatim.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"162.244.82.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289834; rev:1;)
alert tcp $HOME_NET any -> [202.95.13.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_28; classtype:trojan-activity; sid:91289833; rev:1;)
# NOTE(review): payload-delivery rule at confidence 50; like the other url rules it only
# sees outbound GETs from $HOME_NET, not an external host fetching the file from us.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.97.114.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_28; classtype:trojan-activity; sid:91289832; rev:1;)
alert tcp $HOME_NET any -> [87.121.61.91] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee2a3208.php"; depth:13; nocase; http.host; content:"a0998932.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289760; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2cfc1dec.php"; depth:13; nocase; http.host; content:"a0998535.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289759; rev:1;)
alert tcp $HOME_NET any -> [95.214.27.183] 15096 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289643; rev:1;)
# --- domain rules (alert dns) ---
# dns_query with "depth:N; isdataat:!1,relative", N being the name length, matches ONLY
# the exact name (e.g. "andrebadi.top"), never a subdomain such as "www.andrebadi.top";
# add a second rule without the depth anchor if subdomain lookups matter. Only the query
# is inspected, so a host answering from its local resolver cache emits nothing to match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"andrebadi.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289712; rev:1;)
alert tcp $HOME_NET any -> [172.93.111.165] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backwork07.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289714; rev:1;)
# NOTE(review): 13.60.33.38 appears twice in this section — Venom RAT on 4449 here and
# AsyncRAT on 60120 (sid 91289718) further down; presumably a shared/multi-tenant VPS or
# one operator running both families — confirm before pivoting on the IP alone.
alert tcp $HOME_NET any -> [13.60.33.38] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289716; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 11492 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289717; rev:1;)
alert tcp $HOME_NET any -> [35.157.111.131] 11619 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"monimaturast.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"operaconuka.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289740; rev:1;)
# --- confidence_level 50 ip:port rules ---
# NOTE(review): nothing but "metadata: confidence_level 50" distinguishes these from the
# 100% rules above; decide by that metadata whether to load them at all. Several sit on
# shared service ports (80, 443, 445, 111, 8443) with no flow or content context, so a
# lone destination IP cannot tell a C2 session from unrelated traffic to a multi-tenant host.
alert tcp $HOME_NET any -> [185.104.195.215] 7070 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289758; rev:1;)
alert tcp $HOME_NET any -> [128.90.129.74] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289757; rev:1;)
alert tcp $HOME_NET any -> [35.194.215.14] 111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289756; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289755; rev:1;)
alert tcp $HOME_NET any -> [212.113.100.91] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289754; rev:1;)
alert tcp $HOME_NET any -> [40.76.5.235] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289753; rev:1;)
alert tcp $HOME_NET any -> [222.112.248.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289752; rev:1;)
alert tcp $HOME_NET any -> [89.148.149.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289751; rev:1;)
alert tcp $HOME_NET any -> [217.165.15.9] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289750; rev:1;)
# NOTE(review): outbound SMB (445) from $HOME_NET to an Internet address is worth an alert
# on its own (NTLM credential leakage), independent of this particular IOC.
alert tcp $HOME_NET any -> [5.181.47.175] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289749; rev:1;)
alert tcp $HOME_NET any -> [81.169.158.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289748; rev:1;)
alert tcp $HOME_NET any -> [91.245.253.10] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289747; rev:1;)
alert tcp $HOME_NET any -> [185.238.250.143] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289746; rev:1;)
alert tcp $HOME_NET any -> [109.123.231.134] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289745; rev:1;)
alert tcp $HOME_NET any -> [194.163.168.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289744; rev:1;)
alert tcp $HOME_NET any -> [84.21.171.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289743; rev:1;)
alert tcp $HOME_NET any -> [52.87.231.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289742; rev:1;)
alert tcp $HOME_NET any -> [163.69.88.244] 10002 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289741; rev:1;)
# NOTE(review): the paths below ("/fwlink", "/g.pixel", "/match", "/updates.rss", "/j.ad",
# "/visit.js", "/activity", "/pixel", "/cm", "/cx", "/__utm.gif", "/jquery-3.3.1.min.js")
# carry no family name in the msg; they resemble well-known default C2 profile paths, which
# is presumably why each host+path pair was reported — confirm via the IOC reference link.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289738; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289737; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"74.91.27.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289736; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289735; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/woodpecker.js"; depth:21; nocase; http.host; content:"8.134.249.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289734; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"150.158.41.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"139.198.187.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289732; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"180.76.99.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"about.swemei.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"about.swemei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0999352.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289719; rev:1;)
alert tcp $HOME_NET any -> [13.60.33.38] 60120 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289718; rev:1;)
# NOTE(review): the last rule is cut off at the end of this section (its classtype, sid
# and rev lie below); kept verbatim.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0990027.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289715; rev:1;) alert tcp $HOME_NET any -> [160.177.73.220] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/fre.php"; depth:23; nocase; http.host; content:"andrebadi.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289709; rev:1;) alert tcp $HOME_NET any -> [5.78.82.186] 2405 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289708; rev:1;) alert tcp $HOME_NET any -> [193.111.249.133] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289699; rev:1;) alert tcp $HOME_NET any -> [193.142.146.101] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289700; rev:1;) alert tcp $HOME_NET any -> [194.59.30.46] 2404 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289701; rev:1;) alert tcp $HOME_NET any -> [195.201.87.182] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289702; rev:1;) alert tcp $HOME_NET any -> [198.23.227.212] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289703; rev:1;) alert tcp $HOME_NET any -> [204.9.187.48] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289704; rev:1;) alert tcp $HOME_NET any -> [213.238.177.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289705; rev:1;) alert tcp $HOME_NET any -> [213.252.247.119] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289706; rev:1;) alert tcp $HOME_NET any -> [217.76.56.205] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289707; rev:1;) alert tcp $HOME_NET any -> [185.174.101.15] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289692; rev:1;) alert tcp $HOME_NET any -> [185.214.10.55] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289693; rev:1;) alert tcp $HOME_NET any -> [185.241.208.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289694; rev:1;) alert tcp $HOME_NET any -> [185.255.114.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289695; rev:1;) alert tcp $HOME_NET any -> [191.252.153.239] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289696; rev:1;) alert tcp $HOME_NET any -> [192.3.101.18] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289697; rev:1;) alert tcp $HOME_NET any -> [192.210.214.9] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289698; rev:1;) alert tcp $HOME_NET any -> [172.111.139.125] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289685; rev:1;) alert tcp $HOME_NET any -> [172.111.186.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289686; rev:1;) alert tcp $HOME_NET any -> [177.255.84.124] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289687; rev:1;) alert tcp $HOME_NET any -> [181.41.200.209] 2404 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289688; rev:1;) alert tcp $HOME_NET any -> [181.141.41.63] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289689; rev:1;) alert tcp $HOME_NET any -> [185.157.162.103] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289690; rev:1;) alert tcp $HOME_NET any -> [185.157.162.126] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289691; rev:1;) alert tcp $HOME_NET any -> [94.156.68.216] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289675; rev:1;) alert tcp $HOME_NET any -> [103.77.243.159] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289676; rev:1;) alert tcp $HOME_NET any -> [104.243.32.42] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289677; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289678; rev:1;) alert tcp $HOME_NET any -> [109.248.151.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289679; rev:1;) alert tcp $HOME_NET any -> [118.31.63.89] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289680; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289681; rev:1;) alert tcp $HOME_NET any -> [147.124.210.13] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289682; rev:1;) alert tcp $HOME_NET any -> [158.220.98.130] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289683; rev:1;) alert tcp $HOME_NET any -> [167.88.166.237] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289684; rev:1;) alert tcp $HOME_NET any -> [78.142.18.111] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289663; rev:1;) alert tcp $HOME_NET any -> [78.142.18.221] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289664; rev:1;) alert tcp $HOME_NET any -> [83.147.37.144] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289665; rev:1;) alert tcp $HOME_NET any -> [86.104.73.215] 2404 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289666; rev:1;) alert tcp $HOME_NET any -> [88.119.170.153] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289667; rev:1;) alert tcp $HOME_NET any -> [91.92.247.170] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289668; rev:1;) alert tcp $HOME_NET any -> [91.92.249.174] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289669; rev:1;) alert tcp $HOME_NET any -> [92.53.65.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289670; rev:1;) alert tcp $HOME_NET any -> [92.204.171.198] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289671; rev:1;) alert tcp $HOME_NET any -> [94.130.249.123] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289672; rev:1;) alert tcp $HOME_NET any -> [94.156.67.171] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289673; rev:1;) alert tcp $HOME_NET any -> [94.156.67.174] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289674; rev:1;) alert tcp $HOME_NET any -> [20.161.82.217] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289649; rev:1;) alert tcp $HOME_NET any -> [23.227.183.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289650; rev:1;) alert tcp $HOME_NET any -> [24.152.36.221] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289651; rev:1;) alert tcp $HOME_NET any -> [45.40.96.164] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289652; rev:1;) alert tcp $HOME_NET any -> [45.74.37.70] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289653; rev:1;) alert tcp $HOME_NET any -> [45.74.37.97] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289654; rev:1;) alert tcp $HOME_NET any -> [45.77.115.93] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289655; rev:1;) alert tcp $HOME_NET any -> [45.133.174.54] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289656; rev:1;) alert tcp $HOME_NET any -> [45.156.86.26] 2404 (msg:"ThreatFox Remcos botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289657; rev:1;) alert tcp $HOME_NET any -> [45.156.86.27] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289658; rev:1;) alert tcp $HOME_NET any -> [46.246.4.212] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289659; rev:1;) alert tcp $HOME_NET any -> [65.21.134.79] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289660; rev:1;) alert tcp $HOME_NET any -> [78.142.18.109] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289661; rev:1;) alert tcp $HOME_NET any -> [78.142.18.110] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; 
sid:91289662; rev:1;) alert tcp $HOME_NET any -> [5.34.182.173] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289645; rev:1;) alert tcp $HOME_NET any -> [5.206.224.223] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289646; rev:1;) alert tcp $HOME_NET any -> [5.230.75.50] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289647; rev:1;) alert tcp $HOME_NET any -> [8.213.216.15] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289648; rev:1;) alert tcp $HOME_NET any -> [94.156.68.105] 7256 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"interactiveuidevelopment.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1289640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.nicrosoft.fr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"data.nicrosoft.fr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"58.220.52.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"36.158.224.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"36.102.212.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"182.40.78.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"122.228.223.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"121.207.229.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/unionpay/index"; depth:15; nocase; http.host; content:"113.200.137.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unionpay/index"; depth:15; nocase; http.host; content:"111.170.24.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289632; rev:1;) alert tcp $HOME_NET any -> [91.222.173.170] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289631; rev:1;) alert tcp $HOME_NET any -> [91.246.41.200] 5554 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/108e010e8f91c38c.php"; depth:21; nocase; http.host; content:"65.21.175.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289629; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 48615 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"photos-money.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289628; rev:1;) alert tcp $HOME_NET any -> [184.73.109.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"184.73.109.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.101.147.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289623; rev:1;) alert tcp $HOME_NET any -> [47.101.147.34] 80 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"112.124.33.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"154.9.253.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"160.1.47.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289618/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289618; rev:1;) alert tcp $HOME_NET any -> [3.31.238.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.58.127.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.103.236.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.70.93.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/heatmaps/fleshlights/6407/2467/4437aa96434ade021bef08371cf2ea22"; depth:64; nocase; http.host; content:"lifebalancemissouri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lifebalancemissouri.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"91.92.245.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.134.137.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289611; rev:1;) alert tcp $HOME_NET any -> [107.173.140.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289610; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/develop/messaging/w5jk7inlq"; depth:28; nocase; http.host; content:"cscs.beauty"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscs.beauty"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasprod.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289606; rev:1;) alert tcp $HOME_NET any -> [162.33.178.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v10.26/icmp6dyxap5"; depth:31; nocase; http.host; content:"rasprod.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289605; rev:1;) alert tcp $HOME_NET any -> [123.207.55.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"123.207.55.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289603; rev:1;) alert tcp $HOME_NET any -> [43.163.235.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes"; depth:14; nocase; http.host; content:"api.frameeservicere.live"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.frameeservicere.live"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289601/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_27; classtype:trojan-activity; sid:91289601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.95.31.143"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289599; rev:1;) alert tcp $HOME_NET any -> [45.88.79.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forums"; depth:7; nocase; http.host; content:"45.88.79.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-wave-contracts-legal-considerations-implications/"; depth:64; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.e-add.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289596; rev:1;) alert tcp $HOME_NET any -> [194.55.186.155] 2424 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289592; rev:1;) alert tcp $HOME_NET any -> [120.46.69.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.46.69.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289590; rev:1;) alert tcp $HOME_NET any -> [162.244.82.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"162.244.82.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289588; rev:1;) alert tcp $HOME_NET any -> [47.108.143.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.143.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6259fdc16222e061.php"; depth:21; nocase; http.host; content:"68.183.108.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289585; rev:1;) alert tcp $HOME_NET any -> [45.66.231.69] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289584; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8713 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289583; rev:1;) alert tcp $HOME_NET any -> [139.196.199.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289582; rev:1;) alert tcp $HOME_NET any -> [39.98.201.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289581; rev:1;) alert tcp $HOME_NET any -> [36.212.144.244] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289580; rev:1;) alert tcp $HOME_NET any -> [39.97.52.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289579; rev:1;) alert tcp $HOME_NET any -> [154.247.152.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289578/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_27; classtype:trojan-activity; sid:91289578; rev:1;) alert tcp $HOME_NET any -> [142.154.206.58] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289577; rev:1;) alert tcp $HOME_NET any -> [38.180.7.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289576; rev:1;) alert tcp $HOME_NET any -> [94.156.68.252] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289575; rev:1;) alert tcp $HOME_NET any -> [164.90.128.199] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289574; rev:1;) alert tcp $HOME_NET any -> [164.90.128.199] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289573; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 8888 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289572; rev:1;) alert tcp $HOME_NET any -> [216.238.73.7] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289571; rev:1;) alert tcp $HOME_NET any -> [159.65.174.201] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289570; rev:1;) alert tcp $HOME_NET any -> [159.65.174.201] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289569; rev:1;) alert tcp $HOME_NET any -> [146.70.80.94] 20013 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289568; rev:1;) alert tcp $HOME_NET any -> [78.111.2.53] 10022 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289567; rev:1;) alert tcp $HOME_NET any -> [185.245.182.209] 443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289566; rev:1;) alert tcp $HOME_NET any -> [45.156.24.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289565; rev:1;) alert tcp $HOME_NET any -> [52.3.251.97] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289564; rev:1;) alert tcp $HOME_NET any -> [67.217.62.106] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_27; classtype:trojan-activity; sid:91289563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gloomopiniosnforuw.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"compilecoppydkewsw.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289513/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exertcreatedadnndjw.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"depositybounceddwk.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slammyslideplanntywks.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manufactiredowreachhd.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aplointexhausdh.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; 
sid:91289518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proffyrobharborye.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gloomopiniosnforuw.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panameradovkews.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"compilecoppydkewsw.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"depositybounceddwk.xyz"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1289524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"exertcreatedadnndjw.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slammyslideplanntywks.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"manufactiredowreachhd.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"aplointexhausdh.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289527; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"proffyrobharborye.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"panameradovkews.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289529; rev:1;) alert tcp $HOME_NET any -> [138.201.150.244] 3984 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289530; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_27; classtype:trojan-activity; sid:91289551; rev:1;) alert tcp $HOME_NET any -> [45.154.99.245] 13799 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289553; rev:1;) alert tcp 
$HOME_NET any -> [74.137.248.199] 4338 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senaclient.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289507; rev:1;) alert tcp $HOME_NET any -> [5.53.125.205] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/65228853.php"; depth:13; nocase; http.host; content:"a0999396.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonlowupdatebigloadbasewppublic.php"; depth:39; nocase; http.host; content:"182785cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; 
classtype:trojan-activity; sid:91289561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0999297.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289560; rev:1;) alert tcp $HOME_NET any -> [101.33.225.206] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1234wu.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"www.1234wu.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"mnbgba.ac.ug"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1289556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8770cce4.php"; depth:13; nocase; http.host; content:"a0999252.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ed9df87b.php"; depth:13; nocase; http.host; content:"unsight-pistons.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0996805.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_27; classtype:trojan-activity; sid:91289552; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289550; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16163 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289549; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289548; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289547; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16163 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlowauthapibigloadprotectflower.php"; depth:43; nocase; http.host; content:"yenot.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/695c2999.php"; depth:13; nocase; http.host; content:"a0999075.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289544; rev:1;) alert tcp $HOME_NET any -> [47.116.166.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.116.166.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s3dpsid.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289540; rev:1;) alert tcp $HOME_NET any -> [23.95.216.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"s3dpsid.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289539; rev:1;) alert tcp $HOME_NET any -> [58.87.78.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"58.87.78.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289537; rev:1;) alert tcp $HOME_NET any -> [8.138.8.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.138.8.240"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289535; rev:1;) alert tcp $HOME_NET any -> [101.33.225.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-logs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery-3.4.1.min.js"; depth:23; nocase; http.host; content:"google-logs.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ab36374.php"; depth:13; nocase; http.host; content:"a0994587.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289531; rev:1;) alert tcp $HOME_NET any -> [41.249.242.121] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289511; rev:1;) alert tcp $HOME_NET any -> [204.10.160.132] 2404 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289510; rev:1;) alert tcp $HOME_NET any -> [194.55.186.87] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289508; rev:1;) alert tcp $HOME_NET any -> [216.225.202.59] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289505; rev:1;) alert tcp $HOME_NET any -> [141.8.198.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289504; rev:1;) alert tcp $HOME_NET any -> [152.32.213.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289503; rev:1;) alert tcp $HOME_NET any -> [154.88.26.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289502/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_26; classtype:trojan-activity; sid:91289502; rev:1;) alert tcp $HOME_NET any -> [20.19.36.45] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289501; rev:1;) alert tcp $HOME_NET any -> [46.246.14.9] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289500; rev:1;) alert tcp $HOME_NET any -> [70.27.138.141] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289499; rev:1;) alert tcp $HOME_NET any -> [34.30.185.227] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289498; rev:1;) alert tcp $HOME_NET any -> [194.87.79.109] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289497; rev:1;) alert tcp $HOME_NET any -> [34.155.186.128] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1289496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289496; rev:1;) alert tcp $HOME_NET any -> [91.236.230.33] 4511 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289495; rev:1;) alert tcp $HOME_NET any -> [159.65.174.201] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289494; rev:1;) alert tcp $HOME_NET any -> [111.13.104.234] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289493; rev:1;) alert tcp $HOME_NET any -> [120.220.47.242] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289492; rev:1;) alert tcp $HOME_NET any -> [99.112.198.250] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289491; rev:1;) alert tcp $HOME_NET any -> [119.76.173.60] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289490; rev:1;) alert tcp $HOME_NET any -> [195.154.43.21] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289489; rev:1;) alert tcp $HOME_NET any -> [8.220.197.83] 60001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289488; rev:1;) alert tcp $HOME_NET any -> [67.217.62.106] 41337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91289487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cejecuu4.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289484; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289485/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_26; classtype:trojan-activity; sid:91289485; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/33963b08.php"; depth:13; nocase; http.host; content:"loxlas.000webhostapp.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289483; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12493 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289482; rev:1;) alert tcp $HOME_NET any -> [109.196.166.188] 4482 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289481; rev:1;) alert tcp $HOME_NET any -> [115.77.241.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289480; rev:1;) alert tcp $HOME_NET any -> [89.116.48.173] 9999 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289478; rev:1;) alert tcp $HOME_NET any -> [172.84.93.210] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289479; rev:1;) alert tcp $HOME_NET any -> [54.157.34.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289477; rev:1;) alert tcp $HOME_NET any -> [206.119.167.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289476; rev:1;) alert tcp $HOME_NET any -> [216.245.184.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289473; rev:1;) alert tcp $HOME_NET any -> [38.147.171.35] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289474/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289474; rev:1;) alert tcp $HOME_NET any -> [154.64.231.108] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289475; rev:1;) alert tcp $HOME_NET any -> [38.147.171.208] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289471; rev:1;) alert tcp $HOME_NET any -> [107.173.203.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289472; rev:1;) alert tcp $HOME_NET any -> [192.3.86.166] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289469; rev:1;) alert tcp $HOME_NET any -> [104.238.183.19] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289470; rev:1;) alert tcp $HOME_NET any -> [142.171.214.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289468; rev:1;) alert tcp $HOME_NET any -> [154.9.253.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289466; rev:1;) alert tcp $HOME_NET any -> [38.147.170.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289467; rev:1;) alert tcp $HOME_NET any -> [165.154.135.78] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289465; rev:1;) alert tcp $HOME_NET any -> [206.233.133.151] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289463; rev:1;) alert tcp $HOME_NET any -> [50.116.12.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289464; rev:1;) alert tcp $HOME_NET any -> [137.184.97.84] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289461; rev:1;) alert tcp $HOME_NET any -> [142.171.200.25] 25565 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289462; rev:1;) alert tcp $HOME_NET any -> [154.12.19.142] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289460; rev:1;) alert tcp $HOME_NET any -> [74.48.147.144] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289459; rev:1;) alert tcp $HOME_NET any -> [192.3.55.45] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289457; rev:1;) alert tcp $HOME_NET any -> [198.46.233.11] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289458; rev:1;) alert tcp $HOME_NET any -> [154.12.29.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289456; rev:1;) alert tcp $HOME_NET any -> [104.245.34.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289455; rev:1;) alert tcp $HOME_NET any -> [23.95.193.152] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289454; rev:1;) alert tcp $HOME_NET any -> [107.172.32.178] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289453; rev:1;) alert tcp $HOME_NET any -> [23.95.44.80] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289451; rev:1;) alert tcp 
$HOME_NET any -> [74.91.17.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289452; rev:1;) alert tcp $HOME_NET any -> [46.21.153.155] 5443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289450; rev:1;) alert tcp $HOME_NET any -> [18.219.156.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289449; rev:1;) alert tcp $HOME_NET any -> [176.58.127.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289448; rev:1;) alert tcp $HOME_NET any -> [45.152.64.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289446; rev:1;) alert tcp $HOME_NET any -> [45.152.64.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289447; rev:1;) alert tcp $HOME_NET any -> [77.238.227.125] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289444; rev:1;) alert tcp $HOME_NET any -> [91.92.243.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289445; rev:1;) alert tcp $HOME_NET any -> [185.196.8.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289443; rev:1;) alert tcp $HOME_NET any -> [185.196.9.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289442; rev:1;) alert tcp $HOME_NET any -> [51.12.249.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289441; rev:1;) alert tcp $HOME_NET any -> [144.24.89.162] 8081 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289439; rev:1;) alert tcp $HOME_NET any -> [152.67.221.25] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289440; rev:1;) alert tcp $HOME_NET any -> [104.194.153.54] 3555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289438; rev:1;) alert tcp $HOME_NET any -> [167.71.215.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289437; rev:1;) alert tcp $HOME_NET any -> [128.1.40.125] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289435; rev:1;) alert tcp $HOME_NET any -> [8.219.204.94] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289436/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289436; rev:1;) alert tcp $HOME_NET any -> [207.148.125.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289434; rev:1;) alert tcp $HOME_NET any -> [8.219.228.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289432; rev:1;) alert tcp $HOME_NET any -> [18.143.88.183] 86 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289433; rev:1;) alert tcp $HOME_NET any -> [206.238.115.243] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289431; rev:1;) alert tcp $HOME_NET any -> [80.85.155.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289430; rev:1;) alert tcp $HOME_NET any -> [185.241.194.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289428; rev:1;) alert tcp $HOME_NET any -> [185.22.152.167] 8868 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289429; rev:1;) alert tcp $HOME_NET any -> [64.7.199.88] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289427; rev:1;) alert tcp $HOME_NET any -> [109.107.140.195] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289426; rev:1;) alert tcp $HOME_NET any -> [34.146.210.28] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289425; rev:1;) alert tcp $HOME_NET any -> [152.32.202.240] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289423; rev:1;) alert tcp $HOME_NET any -> [202.144.194.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289424; rev:1;) alert tcp $HOME_NET any -> [36.89.252.50] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289421; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289422; rev:1;) alert tcp $HOME_NET any -> [154.86.116.17] 84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289419; rev:1;) alert tcp $HOME_NET any -> [20.244.96.7] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289420; rev:1;) alert tcp $HOME_NET any -> [38.181.78.45] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289418; rev:1;) alert tcp $HOME_NET any -> [47.76.111.10] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289417; rev:1;) alert tcp $HOME_NET any -> [156.238.235.164] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289416; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 5001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289415; rev:1;) alert tcp $HOME_NET any -> [34.92.139.96] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289413; rev:1;) alert tcp $HOME_NET any -> [156.224.20.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289414; rev:1;) alert tcp 
$HOME_NET any -> [103.146.140.99] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289412; rev:1;) alert tcp $HOME_NET any -> [34.92.25.154] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289411; rev:1;) alert tcp $HOME_NET any -> [154.12.88.29] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289410; rev:1;) alert tcp $HOME_NET any -> [202.95.19.243] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289409; rev:1;) alert tcp $HOME_NET any -> [47.242.22.64] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289407; rev:1;) alert tcp $HOME_NET any -> [123.58.220.97] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289408; rev:1;) alert tcp $HOME_NET any -> [193.134.210.189] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289406; rev:1;) alert tcp $HOME_NET any -> [149.104.31.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289405; rev:1;) alert tcp $HOME_NET any -> [34.92.137.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289404; rev:1;) alert tcp $HOME_NET any -> [206.237.23.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289403; rev:1;) alert tcp $HOME_NET any -> [154.201.83.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289402; rev:1;) alert tcp $HOME_NET any -> [206.237.24.135] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289401; rev:1;) alert tcp $HOME_NET any -> [134.122.75.115] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289400; rev:1;) alert tcp $HOME_NET any -> [91.238.181.230] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289399; rev:1;) alert tcp $HOME_NET any -> [124.223.9.21] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289397; rev:1;) alert tcp $HOME_NET any -> [185.255.178.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289398; rev:1;) alert tcp $HOME_NET any -> [62.234.171.193] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289395/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289395; rev:1;) alert tcp $HOME_NET any -> [124.223.33.83] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289396; rev:1;) alert tcp $HOME_NET any -> [81.70.93.58] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289393; rev:1;) alert tcp $HOME_NET any -> [82.156.218.23] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289394; rev:1;) alert tcp $HOME_NET any -> [62.234.18.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289392; rev:1;) alert tcp $HOME_NET any -> [124.223.29.131] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289391; rev:1;) alert tcp $HOME_NET any -> [43.138.246.207] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289389; rev:1;) alert tcp $HOME_NET any -> [175.178.179.183] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289390; rev:1;) alert tcp $HOME_NET any -> [47.120.31.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289388; rev:1;) alert tcp $HOME_NET any -> [182.43.247.172] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289386; rev:1;) alert tcp $HOME_NET any -> [116.62.17.187] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289387; rev:1;) alert tcp $HOME_NET any -> [122.152.209.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289384; rev:1;) alert tcp $HOME_NET any -> [8.130.170.47] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289385; rev:1;) alert tcp $HOME_NET any -> [39.105.197.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289383; rev:1;) alert tcp $HOME_NET any -> [47.94.224.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289381; rev:1;) alert tcp $HOME_NET any -> [110.41.53.51] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289382; rev:1;) alert tcp $HOME_NET any -> [146.56.228.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289379; rev:1;) alert tcp $HOME_NET any -> [101.43.201.136] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289380; rev:1;) alert tcp $HOME_NET any -> [118.178.92.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289378; rev:1;) alert tcp $HOME_NET any -> [47.98.195.217] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289376; rev:1;) alert tcp $HOME_NET any -> [140.246.254.45] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289377; rev:1;) alert tcp $HOME_NET any -> [120.24.90.39] 7474 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289374; rev:1;) alert tcp $HOME_NET any -> [8.138.150.209] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289375; rev:1;) alert tcp 
$HOME_NET any -> [106.75.191.162] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289372; rev:1;) alert tcp $HOME_NET any -> [47.92.98.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289373; rev:1;) alert tcp $HOME_NET any -> [8.149.135.10] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289370; rev:1;) alert tcp $HOME_NET any -> [47.121.133.136] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289371; rev:1;) alert tcp $HOME_NET any -> [113.125.179.13] 8111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289368; rev:1;) alert tcp $HOME_NET any -> [114.115.130.34] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289369; rev:1;) alert tcp $HOME_NET any -> [60.204.224.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289367; rev:1;) alert tcp $HOME_NET any -> [47.120.73.216] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289365; rev:1;) alert tcp $HOME_NET any -> [139.159.143.40] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289366; rev:1;) alert tcp $HOME_NET any -> [47.92.194.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289363; rev:1;) alert tcp $HOME_NET any -> [106.53.64.229] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289364; rev:1;) alert tcp $HOME_NET any -> [62.234.27.146] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289362; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 6668 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289361; rev:1;) alert tcp $HOME_NET any -> [43.140.214.44] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289359; rev:1;) alert tcp $HOME_NET any -> [8.141.93.66] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289360; rev:1;) alert tcp $HOME_NET any -> [62.234.36.48] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289357; rev:1;) alert tcp $HOME_NET any -> [150.158.137.47] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289358/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289358; rev:1;) alert tcp $HOME_NET any -> [112.124.5.135] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289356; rev:1;) alert tcp $HOME_NET any -> [114.55.100.165] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289355; rev:1;) alert tcp $HOME_NET any -> [47.120.18.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289353; rev:1;) alert tcp $HOME_NET any -> [159.75.104.157] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289354; rev:1;) alert tcp $HOME_NET any -> [112.126.73.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289352; rev:1;) alert tcp $HOME_NET any -> [118.31.0.110] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289350; rev:1;) alert tcp $HOME_NET any -> [47.94.157.42] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289351; rev:1;) alert tcp $HOME_NET any -> [47.120.40.27] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289349; rev:1;) alert tcp $HOME_NET any -> [47.102.106.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289348; rev:1;) alert tcp $HOME_NET any -> [152.136.11.91] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289346; rev:1;) alert tcp $HOME_NET any -> [110.41.1.216] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289347; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289344; rev:1;) alert tcp $HOME_NET any -> [1.116.78.105] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289345; rev:1;) alert tcp $HOME_NET any -> [124.223.166.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289343; rev:1;) alert tcp $HOME_NET any -> [43.139.120.180] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289341; rev:1;) alert tcp $HOME_NET any -> [39.105.113.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289342; rev:1;) alert tcp $HOME_NET any -> [43.140.37.228] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289339; rev:1;) alert tcp $HOME_NET any -> [106.54.201.63] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289340; rev:1;) alert tcp $HOME_NET any -> [121.43.113.38] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289337; rev:1;) alert tcp $HOME_NET any -> [121.40.127.134] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289338; rev:1;) alert tcp $HOME_NET any -> [103.97.58.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289336; rev:1;) alert tcp $HOME_NET any -> [111.231.51.250] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289334; rev:1;) alert tcp 
$HOME_NET any -> [134.175.107.219] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289335; rev:1;) alert tcp $HOME_NET any -> [39.100.106.193] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289333; rev:1;) alert tcp $HOME_NET any -> [43.138.101.9] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289332; rev:1;) alert tcp $HOME_NET any -> [175.27.132.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289331; rev:1;) alert tcp $HOME_NET any -> [49.232.129.71] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289330; rev:1;) alert tcp $HOME_NET any -> [1.94.9.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289329; rev:1;) alert tcp $HOME_NET any -> [106.55.181.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289328; rev:1;) alert tcp $HOME_NET any -> [82.156.206.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289326; rev:1;) alert tcp $HOME_NET any -> [120.48.124.220] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289327; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289325; rev:1;) alert tcp $HOME_NET any -> [139.155.134.117] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289324; rev:1;) alert tcp $HOME_NET any -> [124.222.129.148] 10000 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289323; rev:1;) alert tcp $HOME_NET any -> [123.57.192.94] 99 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289322; rev:1;) alert tcp $HOME_NET any -> [1.12.69.169] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289321; rev:1;) alert tcp $HOME_NET any -> [116.204.107.116] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289319; rev:1;) alert tcp $HOME_NET any -> [106.52.130.164] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289320; rev:1;) alert tcp $HOME_NET any -> [139.224.188.165] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289317/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289317; rev:1;) alert tcp $HOME_NET any -> [42.193.53.72] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289318; rev:1;) alert tcp $HOME_NET any -> [121.40.137.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289316; rev:1;) alert tcp $HOME_NET any -> [47.108.77.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289314; rev:1;) alert tcp $HOME_NET any -> [59.110.140.224] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289315; rev:1;) alert tcp $HOME_NET any -> [42.194.129.182] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289312; rev:1;) alert tcp $HOME_NET any -> [120.26.128.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289313; rev:1;) alert tcp $HOME_NET any -> [1.92.156.179] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289311; rev:1;) alert tcp $HOME_NET any -> [47.120.49.109] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289309; rev:1;) alert tcp $HOME_NET any -> [101.33.198.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289310; rev:1;) alert tcp $HOME_NET any -> [118.195.216.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289308; rev:1;) alert tcp $HOME_NET any -> [47.113.223.135] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289307; rev:1;) alert tcp $HOME_NET any -> [47.103.155.164] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289306; rev:1;) alert tcp $HOME_NET any -> [152.136.99.26] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289305; rev:1;) alert tcp $HOME_NET any -> [123.56.152.207] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289304; rev:1;) alert tcp $HOME_NET any -> [47.120.63.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289302; rev:1;) alert tcp $HOME_NET any -> [8.130.210.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289303; rev:1;) alert tcp $HOME_NET any -> [106.15.184.255] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289301; rev:1;) alert tcp $HOME_NET any -> [121.36.95.33] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289299; rev:1;) alert tcp $HOME_NET any -> [120.24.179.84] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289300; rev:1;) alert tcp $HOME_NET any -> [112.126.80.83] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289298; rev:1;) alert tcp $HOME_NET any -> [124.71.177.31] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289297; rev:1;) alert tcp $HOME_NET any -> [106.14.254.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289296; rev:1;) alert tcp 
$HOME_NET any -> [1.92.96.35] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289295; rev:1;) alert tcp $HOME_NET any -> [120.46.202.105] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289294; rev:1;) alert tcp $HOME_NET any -> [47.96.183.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289293; rev:1;) alert tcp $HOME_NET any -> [121.196.196.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289292; rev:1;) alert tcp $HOME_NET any -> [39.100.103.175] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289291; rev:1;) alert tcp $HOME_NET any -> [49.232.249.109] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1289290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289290; rev:1;) alert tcp $HOME_NET any -> [101.43.202.135] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289289; rev:1;) alert tcp $HOME_NET any -> [47.113.150.236] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289287; rev:1;) alert tcp $HOME_NET any -> [47.103.218.35] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289288; rev:1;) alert tcp $HOME_NET any -> [42.51.38.108] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289286; rev:1;) alert tcp $HOME_NET any -> [106.75.75.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289285; rev:1;) alert tcp $HOME_NET any -> [121.40.196.250] 8081 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289284; rev:1;) alert tcp $HOME_NET any -> [221.234.36.116] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289283; rev:1;) alert tcp $HOME_NET any -> [1.94.29.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289282; rev:1;) alert tcp $HOME_NET any -> [121.40.19.66] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289280; rev:1;) alert tcp $HOME_NET any -> [39.99.136.38] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289281; rev:1;) alert tcp $HOME_NET any -> [8.134.163.72] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289278/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289278; rev:1;) alert tcp $HOME_NET any -> [111.231.140.197] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289279; rev:1;) alert tcp $HOME_NET any -> [106.53.193.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289277; rev:1;) alert tcp $HOME_NET any -> [106.54.18.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289275; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289276; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289274; rev:1;) alert tcp $HOME_NET any -> [47.97.191.156] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289273; rev:1;) alert tcp $HOME_NET any -> [8.142.5.148] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289272; rev:1;) alert tcp $HOME_NET any -> [124.221.76.197] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289270; rev:1;) alert tcp $HOME_NET any -> [117.72.36.227] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289271; rev:1;) alert tcp $HOME_NET any -> [150.158.113.86] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289269; rev:1;) alert tcp $HOME_NET any -> [139.129.26.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289268; rev:1;) alert tcp $HOME_NET any -> [119.3.82.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289267; rev:1;) alert tcp $HOME_NET any -> [119.3.157.129] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289266; rev:1;) alert tcp $HOME_NET any -> [139.198.30.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289264; rev:1;) alert tcp $HOME_NET any -> [47.115.230.159] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289265; rev:1;) alert tcp $HOME_NET any -> [119.45.158.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289262; rev:1;) alert tcp $HOME_NET any -> [43.136.177.143] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289263; rev:1;) alert tcp $HOME_NET any -> [8.134.160.8] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289261; rev:1;) alert tcp $HOME_NET any -> [124.221.113.199] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289260; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289259; rev:1;) alert tcp $HOME_NET any -> [104.129.20.76] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289257; rev:1;) alert tcp $HOME_NET any -> [193.200.16.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; 
sid:91289258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"duplevo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"restolazo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"somedax.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289256; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 17341 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"press-higher.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2023/07/23/paypal-billing-agreement-cancelled-facebook/"; depth:75; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.duendealhambra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"trollsburninginhell.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"trollsburninginhell.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; 
content:"trollsburninginhell.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastsolek1.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289241; rev:1;) alert tcp $HOME_NET any -> [154.13.163.54] 4787 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289242; rev:1;) alert tcp $HOME_NET any -> [37.120.199.54] 4787 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jbfrost.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289244; rev:1;) alert tcp $HOME_NET any -> [5.253.84.218] 8787 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91289249; rev:1;) alert tcp $HOME_NET any -> [31.192.239.29] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vauxhall.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ozi2/five/fre.php"; depth:18; nocase; http.host; content:"31.192.239.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289252; rev:1;) alert tcp $HOME_NET any -> [154.91.90.216] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289253; rev:1;) alert tcp $HOME_NET any -> [206.123.148.196] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289248; rev:1;) alert tcp $HOME_NET any -> 
[194.67.193.114] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289247/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289247; rev:1;) alert tcp $HOME_NET any -> [194.67.193.113] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289245/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289245; rev:1;) alert tcp $HOME_NET any -> [194.67.193.112] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289246/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_26; classtype:trojan-activity; sid:91289246; rev:1;) alert tcp $HOME_NET any -> [206.123.148.194] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289240; rev:1;) alert tcp $HOME_NET any -> [94.156.69.12] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/395ca7fb.php"; depth:13; nocase; http.host; 
content:"a0998834.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"performanscore.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"performanscore.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289029; 
rev:1;) alert tcp $HOME_NET any -> [91.222.173.89] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91289025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applylawofattraction.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"applylawofattraction.com"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1289023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289023; rev:1;) alert tcp $HOME_NET any -> [79.132.135.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"79.132.135.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"141.98.10.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289019; rev:1;) alert tcp $HOME_NET any -> [141.98.10.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289020; rev:1;) alert tcp $HOME_NET any -> [103.207.68.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.207.68.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289017; rev:1;) alert tcp $HOME_NET any -> [159.75.177.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"159.75.177.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"91.92.248.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289014; rev:1;) alert tcp $HOME_NET any -> [8.130.111.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.111.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289011/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amateur-locket-gw.aws-use1.cloud-ara.tyk.io"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1289009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289009; rev:1;) alert tcp $HOME_NET any -> [147.45.178.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"amateur-locket-gw.aws-use1.cloud-ara.tyk.io"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.55.100.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.229.217.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/jquery/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"47.98.154.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.219.146.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.43.201.136"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1289002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"74.91.27.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1289000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289000; rev:1;) alert tcp $HOME_NET any -> [74.91.27.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1289001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91289001; rev:1;) alert tcp $HOME_NET any -> [64.23.246.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/git.asp"; depth:8; nocase; http.host; content:"networkhealth.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkhealth.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1288998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288998; rev:1;) alert tcp $HOME_NET any -> [47.242.58.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.242.58.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.75.249.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bookings.catomeister.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288992; rev:1;) alert tcp $HOME_NET any -> [218.101.19.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1288993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"bookings.catomeister.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288991; rev:1;) alert tcp $HOME_NET any -> [60.205.115.67] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.205.115.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.diavolino.ch"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288986; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 
24735 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t-protecting.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.70.180.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288981/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_26; classtype:trojan-activity; sid:91288981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.40.184.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288978; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288977; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1288976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288976; rev:1;) alert tcp $HOME_NET any -> [197.0.103.174] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288975; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288974; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288973; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288972; rev:1;) alert tcp $HOME_NET any -> [45.66.231.69] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288971; rev:1;) alert tcp $HOME_NET any -> [45.66.231.69] 6006 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288970; rev:1;) alert tcp $HOME_NET any -> [194.62.157.160] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288969; rev:1;) alert tcp $HOME_NET any -> [89.39.106.35] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288968; rev:1;) alert tcp $HOME_NET any -> [82.165.74.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288967; rev:1;) alert tcp $HOME_NET any -> [82.165.74.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288966; rev:1;) alert tcp $HOME_NET any -> [94.156.79.166] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91288965; rev:1;) alert tcp $HOME_NET any -> [64.23.136.10] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288964; rev:1;) alert tcp $HOME_NET any -> [68.183.126.146] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288963; rev:1;) alert tcp $HOME_NET any -> [67.207.88.196] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288962; rev:1;) alert tcp $HOME_NET any -> [8.137.114.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288961; rev:1;) alert tcp $HOME_NET any -> [121.196.221.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288960; rev:1;) alert tcp $HOME_NET any -> [43.242.202.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288959; rev:1;) alert tcp $HOME_NET any -> [46.246.84.26] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288958; rev:1;) alert tcp $HOME_NET any -> [81.69.247.188] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288957; rev:1;) alert tcp $HOME_NET any -> [46.246.84.29] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288956; rev:1;) alert tcp $HOME_NET any -> [189.175.197.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288955; rev:1;) alert tcp $HOME_NET any -> [104.168.146.71] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288954; rev:1;) alert tcp $HOME_NET any -> [52.59.102.101] 23175 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288953; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20082 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288952; rev:1;) alert tcp $HOME_NET any -> [210.76.62.50] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288951; rev:1;) alert tcp $HOME_NET any -> [13.49.76.223] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_26; classtype:trojan-activity; sid:91288950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload"; depth:7; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/inject"; depth:7; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"93.190.8.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/upload"; depth:7; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288923/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/inject"; depth:7; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"xortoproject.duckdns.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288924; rev:1;) alert tcp $HOME_NET any -> [160.179.71.4] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91288925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boats.dogmuncher.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogmuncher.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1288927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288927; rev:1;) alert tcp $HOME_NET any -> [89.190.156.145] 7733 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288928; rev:1;) alert tcp $HOME_NET any -> [5.42.64.56] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288929; rev:1;) alert tcp $HOME_NET any -> [185.172.128.69] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.crappel.co"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288941; rev:1;) alert tcp $HOME_NET any -> [117.18.7.76] 3782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; 
sid:91288949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0998491.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"93.123.39.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288947; rev:1;) alert tcp $HOME_NET any -> [91.92.241.104] 28744 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288946; rev:1;) alert tcp $HOME_NET any -> [193.109.120.223] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_26; classtype:trojan-activity; sid:91288945; rev:1;) alert tcp $HOME_NET any -> [94.156.68.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; 
classtype:trojan-activity; sid:91288944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"4628eea2b0b6.ngrok.app"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4628eea2b0b6.ngrok.app"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_26; classtype:trojan-activity; sid:91288943; rev:1;) alert tcp $HOME_NET any -> [154.26.192.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288937; rev:1;) alert tcp $HOME_NET any -> [78.24.217.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288936/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swemei.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"swemei.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288934; rev:1;) alert tcp $HOME_NET any -> [43.136.96.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-c394iukq-1327454768.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"service-c394iukq-1327454768.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1288931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spitechallengddwlsv.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voyagedprivillywk.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fiondationkvowos.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"surprisedscaledowp.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288887/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_25; classtype:trojan-activity; sid:91288887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 42975 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singerreasonnbasldd.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288909; rev:1;) alert tcp $HOME_NET any -> [46.0.47.77] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voper.onthewifi.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"varitycookypowerw.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288916; rev:1;) alert tcp $HOME_NET any -> [128.90.128.88] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288907; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288906; rev:1;) alert tcp $HOME_NET any -> [46.246.12.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288905; rev:1;) alert tcp $HOME_NET any -> [45.66.231.69] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288904; rev:1;) alert tcp $HOME_NET any -> [159.223.31.192] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288903; rev:1;) alert tcp $HOME_NET any -> [62.72.57.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; 
sid:91288902; rev:1;) alert tcp $HOME_NET any -> [91.202.233.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288901; rev:1;) alert tcp $HOME_NET any -> [139.159.144.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288900; rev:1;) alert tcp $HOME_NET any -> [206.238.42.216] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288899; rev:1;) alert tcp $HOME_NET any -> [171.80.249.15] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288898; rev:1;) alert tcp $HOME_NET any -> [39.40.129.100] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288897; rev:1;) alert tcp $HOME_NET any -> [70.31.125.13] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288895; rev:1;) alert tcp $HOME_NET any -> [70.31.125.13] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288896; rev:1;) alert tcp $HOME_NET any -> [3.104.43.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288894; rev:1;) alert tcp $HOME_NET any -> [34.163.119.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288893; rev:1;) alert tcp $HOME_NET any -> [92.116.88.156] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288892; rev:1;) alert tcp $HOME_NET any -> [46.226.167.14] 10859 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linephpgeoupdateprocessgeneratoruniversaldleprivate.php"; depth:56; nocase; http.host; content:"abort.top"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288888; rev:1;) alert tcp $HOME_NET any -> [196.217.71.18] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288634; rev:1;) alert tcp $HOME_NET any -> [93.190.8.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bheuiyo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288631; rev:1;) alert tcp $HOME_NET any -> [177.255.84.124] 4041 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288630; rev:1;) alert tcp $HOME_NET any -> [85.28.47.7] 17210 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jonmesserartwork.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288627; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"jonmesserartwork.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288628; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 42900 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288624; rev:1;) alert tcp $HOME_NET any -> [194.55.186.121] 1313 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288620; rev:1;) alert tcp $HOME_NET any -> [45.143.94.2] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288621; rev:1;) alert tcp $HOME_NET any -> [204.10.160.230] 7983 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288623; rev:1;) alert tcp $HOME_NET any -> [213.227.129.32] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"divyjai2.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sssteell-com.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"divyjai2.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288608; rev:1;) alert tcp $HOME_NET any -> [31.192.235.101] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288614; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 29565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"known-girls.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288617; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 38826 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"park-curve.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_25; classtype:trojan-activity; sid:91288619; rev:1;) alert tcp $HOME_NET any -> [82.157.137.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"82.157.137.77"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1288612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288612; rev:1;) alert tcp $HOME_NET any -> [209.97.145.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securenetwork.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gopher.xml"; depth:11; nocase; http.host; content:"securenetwork.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kedu/fre.php"; depth:13; nocase; http.host; content:"sssteell-com.pro"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.41.134.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.227.234.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288601/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.238.48.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s"; depth:2; nocase; http.host; content:"194.233.88.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; 
nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filomeranta.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"divyjai2.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"loskawist.pics"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288587/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"tristgodfert.com"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288588/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288588; rev:1;) alert tcp $HOME_NET any -> [203.161.50.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"203.161.50.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288585; rev:1;) alert tcp $HOME_NET any -> [116.114.20.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288583; rev:1;) alert tcp $HOME_NET any -> [47.108.136.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1288582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.136.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.179.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288580; rev:1;) alert tcp $HOME_NET any -> [136.244.76.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"136.244.76.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288578; rev:1;) alert tcp $HOME_NET any -> [47.108.136.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.136.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"81.70.190.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1m4ettuq4ezj0.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1m4ettuq4ezj0.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288573/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288573; rev:1;) alert tcp $HOME_NET any -> [116.114.20.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288571; rev:1;) alert tcp $HOME_NET any -> [47.120.61.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.120.61.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"apistudio.xyz"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1288567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apistudio.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288568; rev:1;) alert tcp $HOME_NET any -> [203.161.50.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"203.161.50.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; 
nocase; http.host; content:"220.249.191.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.97.96.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288562; rev:1;) alert tcp $HOME_NET any -> [94.156.68.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288561; rev:1;) alert tcp $HOME_NET any -> [91.92.242.80] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.colorinkbook.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288536; rev:1;) alert tcp $HOME_NET any -> [77.91.77.81] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288556; rev:1;) alert tcp $HOME_NET any -> [185.172.128.116] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.crappel.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199707802586"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288553; rev:1;)
#
# NOTE(review): caveats that apply to this whole export (the rule above is cut by the page wrap):
# - "alert http" / "alert dns" rules only inspect cleartext. A URL served over HTTPS (steamcommunity.com,
#   t.me and most hosts below) or a lookup sent over DoH/DoT is never seen unless TLS is terminated in
#   front of the sensor, so the absence of an alert is not evidence of absence.
# - The ip:port rules are "alert tcp" with no flow: option: any packet to that socket fires them,
#   including an unanswered SYN from a scanner or a sinkholed client. threshold caps this at one alert
#   per source per 60 s. Add "flow:to_server,established;" if only completed connections should alert.
# - depth:N plus isdataat:!1,relative pin the http.host / dns_query buffer to an exact name; subdomains
#   do not match, which is why www.778981.com and 778981.com appear as two separate rules further down.
# - confidence_level 50 entries on 80/443 at hosting or cloud addresses that are reassigned often are
#   the likeliest false positives here; alert on them, do not feed them straight into a blocklist.
#
# sid 91288553 (above) and 91288552 (below): a specific Steam profile and a Telegram path on legitimate
# hosts, presumably used as dead-drop resolvers for the real C2 address. Keep the full-URL match; never
# derive a host or domain block from these two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g067n"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288552; rev:1;)
alert tcp $HOME_NET any -> [49.13.33.235] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288550; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.170] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288551; rev:1;)
alert tcp $HOME_NET any -> [104.238.179.144] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288549; rev:1;)
# 193.26.115.22 is listed on four ports in this export (8088, 4444, 8808, 9999) and 45.88.186.63 on
# three (7707, 8808, 6606); a hit on any of them for one source host is worth correlating across sids.
alert tcp $HOME_NET any -> [193.26.115.22] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288548; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288547; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288546; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.54] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288545; rev:1;)
alert tcp $HOME_NET any -> [5.42.105.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288544; rev:1;)
alert tcp $HOME_NET any -> [194.62.157.160] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288543; rev:1;)
alert tcp $HOME_NET any -> [198.50.167.20] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288542; rev:1;)
alert tcp $HOME_NET any -> [139.162.46.102] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288541; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.6] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288540; rev:1;)
alert tcp $HOME_NET any -> [20.19.32.238] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288539; rev:1;)
alert tcp $HOME_NET any -> [189.140.26.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288538; rev:1;)
alert tcp $HOME_NET any -> [85.215.215.94] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_25; classtype:trojan-activity; sid:91288537; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.139] 56400 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic4uploads/basetestto/protonpoll/externaltojavascriptflowerasynctraffic.php"; depth:81; nocase; http.host; content:"94.228.166.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288534; rev:1;)
alert tcp $HOME_NET any -> [60.205.132.75] 13155 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288533; rev:1;)
# The host below looks like an ordinary business site carrying a payload (probably compromised rather
# than attacker-owned); the exact-URL scope used here is the right one, a host-wide block would hit
# legitimate browsing.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/subject-verb-agreement-example-sentences/"; depth:42; nocase; http.host; content:"safarcranes.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288525; rev:1;)
# Five gg.<letters><digits>.com names with the same shape: the pattern suggests one generator, so more
# siblings than the five listed here are plausible — verify before extending the match to a regex.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.jjkk567.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.nnmm234.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.aass654.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.vvbb321.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gg.xxcc789.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xortoproject.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288514; rev:1;)
# The uri match below is only the leading "/" (depth:1, and no isdataat on the uri buffer), so this
# rule fires on every GET to this host, not on a particular path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"upwork999.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.cichaz.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rightwaycleaninginc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288507; rev:1;)
alert tcp $HOME_NET any -> [4.184.236.127] 1110 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288510; rev:1;)
alert tcp $HOME_NET any -> [195.2.75.12] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/engr/mail.php"; depth:14; nocase; http.host; content:"velocityfundpartners.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288499; rev:1;)
# 778981.com: one URL rule plus two dns rules. The dns rules are exact-name matches (see the note at the
# top), so "www." and the apex each need their own entry; any other subdomain is not covered.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p1dd/"; depth:6; nocase; http.host; content:"www.778981.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.778981.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"778981.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288293; rev:1;)
# The six 85 % domains below were submitted together (consecutive IOC ids 1288294-1288299); treat a
# lookup of any one of them by a host as a reason to check the others in its DNS history.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"finjuiceer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288294/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"jucemaster.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288295/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"meakdgahup.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288296/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288296; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"moprewaldon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288297/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288297; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"oswalfeen.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288298/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288298; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"speedohasti.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288299/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_25; classtype:trojan-activity; sid:91288299; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.209] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288532; rev:1;)
# 185.222.58.234:55615 here and 185.222.58.79:55615 further down share a /24 and a port; likely the
# same operator's infrastructure, worth watching the rest of that range (verify before blocking it).
alert tcp $HOME_NET any -> [185.222.58.234] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288531; rev:1;)
# C2 listed on 3306 (the MySQL port): an egress policy that denies database ports to the Internet
# would stop this regardless of the IP and is the more durable control.
alert tcp $HOME_NET any -> [78.47.64.127] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288530; rev:1;)
# The four DanaBot entries are port 443 at addresses that appear to sit in large cloud-provider ranges
# (34./35.): see the reassignment caveat at the top before turning these into blocks.
alert tcp $HOME_NET any -> [35.205.161.130] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288529; rev:1;)
alert tcp $HOME_NET any -> [34.125.60.23] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288528; rev:1;)
alert tcp $HOME_NET any -> [35.240.15.226] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288527; rev:1;)
alert tcp $HOME_NET any -> [34.83.149.74] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288526; rev:1;)
alert tcp $HOME_NET any -> [105.156.33.223] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288519; rev:1;)
# a09xxxxx.xsph.ru: sequential accounts on what looks like one shared-hosting provider, each serving a
# single 8-hex-character .php endpoint. The exact-host match means every account needs its own rule;
# a dns rule on the provider's apex would be far too broad.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58fade9f.php"; depth:13; nocase; http.host; content:"a0997287.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d0fcab2e.php"; depth:13; nocase; http.host; content:"a0998803.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_25; classtype:trojan-activity; sid:91288516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/920475a59bac849d.php"; depth:21; nocase; http.host; content:"85.28.47.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/91d0d159.php"; depth:13; nocase; http.host; content:"a0997235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288513; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.163] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faefed89.php"; depth:13; nocase; http.host; content:"a0997718.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/912f0a1e.php"; depth:13; nocase; http.host; content:"a0996277.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288508; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.79] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288506; rev:1;)
alert tcp $HOME_NET any -> [123.57.143.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288505; rev:1;)
# mcrkqm.cn: the URL rule needs the exact host plus a chunk.js-style path, the dns rule the exact name.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"mcrkqm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcrkqm.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288504; rev:1;)
# NOTE(review): ngrok-free.app tunnel names are typically short-lived and only the subdomain is
# attacker-specific; ngrok is also in legitimate developer use. This pair (dns + a jquery path on the
# same name) has little value once the tunnel is gone — consider a broader policy on *.ngrok-free.app
# egress instead of relying on this one name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clever-steadily-duckling.ngrok-free.app"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288501; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"clever-steadily-duckling.ngrok-free.app"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288500; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288498; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288497; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288495; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.22] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288496; rev:1;)
alert tcp $HOME_NET any -> [104.41.153.168] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288494; rev:1;)
# "Unknown malware" at 50 %: the weakest entries in the set (no family, half confidence); keep them
# alert-only and expect to tune them out if they fire on shared-hosting or CDN traffic.
alert tcp $HOME_NET any -> [47.243.38.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288493; rev:1;)
alert tcp $HOME_NET any -> [219.157.181.89] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288492; rev:1;)
alert tcp $HOME_NET any -> [122.51.52.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288491; rev:1;)
alert tcp $HOME_NET any -> [47.237.10.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288490; rev:1;)
alert tcp $HOME_NET any -> [94.49.199.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288489; rev:1;)
alert tcp $HOME_NET any -> [154.247.10.179] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288488; rev:1;)
# NOTE(review): outbound SMB (445) to an Internet host. Responder is normally a credential-capture
# listener, so a hit should be followed by a check for NTLM authentication attempts from the source
# (UNC-path or file-lure style). Egress 445 should be denied at the perimeter independently of this IOC;
# if it is, this rule will never fire and the firewall log is the place to look instead.
alert tcp $HOME_NET any -> [172.104.79.95] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288487; rev:1;)
alert tcp $HOME_NET any -> [47.94.110.53] 9999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288486; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.46] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288485; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20078 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288484; rev:1;)
alert tcp $HOME_NET any -> [111.12.212.218] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997452.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288481; rev:1;)
# The four 75 % rules below match the 5-byte uri prefix "/tmp/" (depth:5, no isdataat on the uri
# buffer), so any path under /tmp/ on these hosts fires, not just the reported file — broader than the
# other URL rules in this set, which is consistent with the lower confidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"qeqei.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"movlat.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"llcbc.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288301/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"lindex24.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288300; rev:1;)
alert tcp $HOME_NET any -> [4.233.218.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5a549f96.php"; depth:13; nocase; http.host; content:"a0990904.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288290; rev:1;)
# 185.196.9.97 is listed on both 3000 and 443.
alert tcp $HOME_NET any -> [185.196.9.97] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288286; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.97] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ieatpoop.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288288; rev:1;)
# The same three paths (/cdn-vs/original.js, /cdn-vs/cache.php, /cdn-vs/33per.php) are listed under
# intensedefense300.com here and under myoptimasunlab.com below, suggesting one kit deployed on two
# hosts; a hit on one host is a reason to check for the other. Each host also has its own dns rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288251; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"intensedefense300.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"intensedefense300.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"bynx.store"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288260; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"myoptimasunlab.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"myoptimasunlab.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swiftandfast.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288264; rev:1;)
alert tcp $HOME_NET any -> [202.61.136.158] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redroseproject.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288274; rev:1;)
# The rule below is cut by the page wrap; it continues on the next line of the page.
alert tcp $HOME_NET any -> [160.20.109.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1288275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288275; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"filomeranta.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"kalopvard.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.pics"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.shop"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1288283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288283; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288277; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-1627838.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288281; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288279; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 17906 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288280; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0997464.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288272; rev:1;) alert tcp $HOME_NET any -> [52.144.47.245] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288271; rev:1;) alert tcp $HOME_NET any -> [49.235.118.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.biliblli.team"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288267; rev:1;) alert tcp 
$HOME_NET any -> [47.122.5.2] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.biliblli.team"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0996803.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288265; rev:1;) alert tcp $HOME_NET any -> [147.45.47.127] 32372 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vkdnawxjs"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288258/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.72.36"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288257; rev:1;) alert tcp $HOME_NET any -> [5.42.72.36] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; 
nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"mdasidy72.lol"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288244; rev:1;) alert tcp $HOME_NET any -> [5.59.248.211] 2700 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"192.227.234.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"188.166.210.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapis/33"; depth:14; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; 
http.host; content:"185.243.242.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288240; rev:1;) alert tcp $HOME_NET any -> [84.38.135.9] 64468 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288239; rev:1;) alert tcp $HOME_NET any -> [185.29.9.102] 7711 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288238/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.lol"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cea9a149.php"; depth:13; nocase; http.host; content:"a0997564.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pl341/index.php"; depth:16; nocase; 
http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.122.5.2"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288233; rev:1;) alert tcp $HOME_NET any -> [192.3.243.155] 7643 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/53c8478e.php"; depth:13; nocase; http.host; content:"a0997029.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288231; rev:1;) alert tcp $HOME_NET any -> [88.168.211.65] 6522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.chunjack.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288218; rev:1;) alert tcp $HOME_NET any -> [23.94.203.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-q3mcrtfk-1321877838.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288229; rev:1;) alert tcp $HOME_NET any -> [8.137.121.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/font/font-awesome.font"; depth:30; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288227; rev:1;) alert 
tcp $HOME_NET any -> [8.137.121.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/js/jsencrypt.min.js"; depth:27; nocase; http.host; content:"8.137.121.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.130.32.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.130.32.36"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; 
content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288222; rev:1;) alert tcp $HOME_NET any -> [101.33.227.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.33.227.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.200.120.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.223.9.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288214; rev:1;) alert tcp $HOME_NET any -> 
[116.203.14.27] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288208; rev:1;) alert tcp $HOME_NET any -> [116.203.14.27] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288209; rev:1;) alert tcp $HOME_NET any -> [65.109.241.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288210; rev:1;) alert tcp $HOME_NET any -> [65.109.241.229] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288211; rev:1;) alert tcp $HOME_NET any -> [49.13.227.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guillerme.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288201/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosimo.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antiochus.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aibek.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paulu.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aramazd.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288206; rev:1;) alert tcp $HOME_NET any -> [116.203.13.231] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.227.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288197/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aramazd.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"paulu.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aibek.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"antiochus.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sosimo.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"guillerme.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288188/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"downloaddining.rest"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288017; rev:1;) alert tcp $HOME_NET any -> [150.158.13.117] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/enc"; depth:7; nocase; http.host; content:"downloaddining.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288016; rev:1;) alert tcp $HOME_NET any -> [35.204.170.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288143; rev:1;) alert tcp $HOME_NET any -> [96.126.96.104] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288144; 
rev:1;) alert tcp $HOME_NET any -> [201.68.131.71] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288145; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19145 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288149/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/blue"; depth:8; nocase; http.host; content:"downloaddining.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288153; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 38311 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"78.47.205.62"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1288159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.216.142.162"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1288160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288160; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_24; classtype:trojan-activity; sid:91288161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.ccga.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288167; rev:1;) alert tcp $HOME_NET any -> [85.28.47.7] 1757 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288187; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288186; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1288185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288185; rev:1;) alert tcp $HOME_NET any -> [193.26.115.22] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288184; rev:1;) alert tcp $HOME_NET any -> [194.62.157.160] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288183; rev:1;) alert tcp $HOME_NET any -> [94.156.8.54] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288182; rev:1;) alert tcp $HOME_NET any -> [138.201.113.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288181; rev:1;) alert tcp $HOME_NET any -> [49.113.77.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288180; rev:1;) alert tcp $HOME_NET any -> [103.116.245.65] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288179; rev:1;) alert tcp $HOME_NET any -> [49.113.72.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288178; rev:1;) alert tcp $HOME_NET any -> [101.43.23.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288177; rev:1;) alert tcp $HOME_NET any -> [119.152.6.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288176; rev:1;) alert tcp $HOME_NET any -> [125.74.19.26] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288175; rev:1;) alert tcp $HOME_NET any -> [16.16.66.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288174/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288174; rev:1;) alert tcp $HOME_NET any -> [162.55.189.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288173; rev:1;) alert tcp $HOME_NET any -> [4.145.106.87] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288172; rev:1;) alert tcp $HOME_NET any -> [4.145.106.87] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_24; classtype:trojan-activity; sid:91288171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/083b111c.php"; depth:13; nocase; http.host; content:"cl14041.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4474e3be.php"; depth:13; nocase; http.host; content:"a0997621.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288169/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_24; classtype:trojan-activity; sid:91288169; rev:1;) alert tcp $HOME_NET any -> [185.222.58.70] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288168; rev:1;) alert tcp $HOME_NET any -> [41.249.244.52] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_24; classtype:trojan-activity; sid:91288165; rev:1;) alert tcp $HOME_NET any -> [39.100.74.192] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288164; rev:1;) alert tcp $HOME_NET any -> [47.116.216.157] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288163; rev:1;) alert tcp $HOME_NET any -> [43.138.23.98] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_24; classtype:trojan-activity; sid:91288162; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288157; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288156; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288155; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11457 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288154; rev:1;) alert tcp $HOME_NET any -> [195.54.160.237] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288151; rev:1;) alert tcp $HOME_NET any -> [104.129.20.229] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288152; 
rev:1;) alert tcp $HOME_NET any -> [87.121.61.197] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288150; rev:1;) alert tcp $HOME_NET any -> [34.83.210.13] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288148; rev:1;) alert tcp $HOME_NET any -> [31.128.42.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288147; rev:1;) alert tcp $HOME_NET any -> [51.211.209.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91288146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6f9d90a8.php"; depth:13; nocase; http.host; content:"a0995880.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288141; rev:1;) alert tcp $HOME_NET any -> [2.58.56.168] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288140/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91288140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288139; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.223.15.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"485006.prohoster.biz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288136; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288132; rev:1;) alert tcp $HOME_NET any -> [94.156.65.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288015; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288014; rev:1;) alert tcp $HOME_NET any -> [119.29.227.204] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288013/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288013; rev:1;) alert tcp $HOME_NET any -> [207.246.79.58] 4443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288012/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91288012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0996330.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288011; rev:1;) alert tcp $HOME_NET any -> [212.73.150.194] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288010/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_23; 
classtype:trojan-activity; sid:91288010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"113.125.179.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288009; rev:1;) alert tcp $HOME_NET any -> [172.93.189.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.93.189.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288006; rev:1;) alert tcp $HOME_NET any -> [193.149.176.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1288005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atlasanimationstudios.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1288004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/v5.29/a1jx1z0kt4"; depth:22; nocase; http.host; content:"atlasanimationstudios.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"188.166.210.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288002; rev:1;) alert tcp $HOME_NET any -> [128.140.1.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1288001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"128.140.1.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1288000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91288000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.e-enroll-benefits.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287998; rev:1;) alert tcp $HOME_NET any -> [3.85.36.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.e-enroll-benefits.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.217.137.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287996; 
rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 38177 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"care-somewhere.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287961; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 38713 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"delivery-cookie.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287989; rev:1;) alert tcp $HOME_NET any -> [101.33.197.178] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ns1.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.norincogroup.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287992; rev:1;) alert tcp $HOME_NET any -> [185.243.242.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.243.242.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llcbc.org"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movlat.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qeqei.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facilitycoursedw.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doughtdrillyksow.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disappointcredisotw.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287982/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bargainnygroandjwk.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"injurypiggyoewirog.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leafcalfconflcitw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"computerexcudesp.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"publicitycharetew.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287987; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindex24.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-2rawgstq-1306320113.gz.apigw.tencentcs.com"; 
depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2rawgstq-1306320113.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287972; rev:1;) alert tcp $HOME_NET any -> [120.25.190.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.25.190.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.137.76.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287968; rev:1;) alert tcp $HOME_NET any -> [121.37.156.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.37.156.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pty.su"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bins.pty.su"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"152.89.244.142"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1287963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"pty.su"; depth:6; nocase; reference:url, threatfox.abuse.ch/ioc/1287962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287962; rev:1;) alert tcp $HOME_NET any -> [88.119.175.231] 333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287959; rev:1;) alert tcp $HOME_NET any -> [154.12.229.73] 1995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287958; rev:1;) alert tcp $HOME_NET any -> [47.129.39.120] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287957; rev:1;) alert tcp $HOME_NET any -> [172.99.189.221] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287956; rev:1;) alert tcp $HOME_NET any -> [124.223.15.41] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287955; rev:1;) alert tcp $HOME_NET any -> 
[46.246.84.4] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287954; rev:1;) alert tcp $HOME_NET any -> [50.35.129.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287953; rev:1;) alert tcp $HOME_NET any -> [69.115.197.2] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287952; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20076 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287951; rev:1;) alert tcp $HOME_NET any -> [217.79.255.137] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287950; rev:1;) alert tcp $HOME_NET any -> [80.78.25.152] 42753 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287949/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fc575d96.php"; depth:13; nocase; http.host; content:"a0997172.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"aglayancivciv3.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"benyemekyememihtiyar2.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"aciktimlanb3en51.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"kebapyokmulaaan51.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"sinirlicivciv.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirma5sodaas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"bardaktakolakeyf34.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"cehennemiyasiyoz251.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"gurcistanlicruel331144.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"benkolaicmemihtiyar51.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"mutlucivciv25.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"basgaan24.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"hayatsuic24.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirmasokahojdurloo34.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"sirmaicinmutluolun.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"bibertursusu3424.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287888/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_06_23; classtype:trojan-activity; sid:91287888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytkzzjfhnde3ymrm/"; depth:18; nocase; http.host; content:"selambasgann2.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deadsec69-52782.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287906; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 21472 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287918; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287841; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287840; rev:1;) alert tcp $HOME_NET any -> 
[3.127.138.57] 11166 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287842/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287842; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 11166 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287843; rev:1;) alert tcp $HOME_NET any -> [199.59.243.226] 8888 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hz.instapoller.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"mdasidy72.mom"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/chao/baby/cow.html"; depth:19; nocase; http.host; content:"weoleycastletaxis.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"weoleycastletaxis.co.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chao/baby/omgsoft.zip"; depth:22; nocase; http.host; content:"weoleycastletaxis.co.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287871; rev:1;) alert tcp $HOME_NET any -> [41.47.231.58] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"chemsentinel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287890; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chemsentinel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"chemsentinel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287892; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 25730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"christian-printed.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck66916.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; 
classtype:trojan-activity; sid:91287947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antfly50.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/41539eaa.php"; depth:13; nocase; http.host; content:"a0996585.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj01132.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_23; classtype:trojan-activity; sid:91287917; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287916; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287915/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_23; classtype:trojan-activity; sid:91287915; rev:1;)
# 23.94.197.108 appears on three consecutive ports (8808 and 7707 on the previous line, 6606
# here; sids 91287914-91287916). These are commonly seen as AsyncRAT default listener ports;
# a single rule over a port list would cut alert volume without losing coverage.
alert tcp $HOME_NET any -> [23.94.197.108] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_23; classtype:trojan-activity; sid:91287914; rev:1;)
# 50% confidence. The http.uri match is a prefix (no isdataat on the URI), so "/mozi.m" also
# fires on "/mozi.mips" and similar; only the http.host (an IP literal) is matched exactly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.2.40"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_23; classtype:trojan-activity; sid:91287913; rev:1;)
# ip:port rules below have no flow keyword: a bare SYN to the IP:port is enough to alert.
alert tcp $HOME_NET any -> [139.198.30.159] 9991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287912; rev:1;)
alert tcp $HOME_NET any -> [43.139.52.213] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287911/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287911; rev:1;)
alert tcp $HOME_NET any -> [114.55.119.159] 51234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287910/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287910; rev:1;)
alert tcp $HOME_NET any -> [85.215.215.94] 41056 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287909; rev:1;) alert tcp $HOME_NET any -> [45.58.184.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287908; rev:1;) alert tcp $HOME_NET any -> [23.96.242.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_23; classtype:trojan-activity; sid:91287907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/asynccentral/pythonprocesseternal/542/generator/jssql.php"; depth:58; nocase; http.host; content:"82.146.46.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287903; rev:1;) alert tcp $HOME_NET any -> [185.87.51.126] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/config"; depth:7; nocase; http.host; content:"asevn.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asevn.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287901; rev:1;) alert tcp $HOME_NET any -> [103.122.164.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/divide/mail/suvvjrqo8qrc"; depth:25; nocase; http.host; content:"103.122.164.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f429cba3.php"; depth:13; nocase; http.host; content:"a0948642.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287897; rev:1;)
# IOC 1287895 (domain) and IOC 1287896 (tcp/53) appear to describe one Cobalt Strike
# DNS-channel listener. The tcp rule only sees TCP/53 sent straight to the IP; DNS beaconing
# is normally UDP via the organisation's recursive resolver, so in practice the dns_query rule
# is the one that fires - and it matches the exact name only, not the per-beacon subdomains a
# DNS channel generates. A catch-all such as content:".topinvestmentusa.net" (no depth/isdataat)
# would cover those, at the cost of the exact anchor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.topinvestmentusa.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287895; rev:1;)
alert tcp $HOME_NET any -> [45.77.197.103] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287896; rev:1;)
alert tcp $HOME_NET any -> [103.144.139.152] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287894; rev:1;)
alert tcp $HOME_NET any -> [141.95.84.40] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287893; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.118] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287867; rev:1;) alert tcp $HOME_NET any -> [193.26.115.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287866; rev:1;) alert tcp $HOME_NET any -> [46.246.4.15] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287865; rev:1;) alert tcp $HOME_NET any -> [206.238.199.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287864; rev:1;) alert tcp $HOME_NET any -> [45.79.219.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287863; rev:1;) alert tcp $HOME_NET any -> [4.233.217.53] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287862; rev:1;) 
# 50% confidence ip:port entries on common service ports (8000/8080/443/995). There is no
# flow or content match, so any TCP packet toward the IP:port fires - a forward proxy or a
# web site on a reassigned address will trigger these. Check the ThreatFox reference
# (reporter, context) before turning an alert into a block.
alert tcp $HOME_NET any -> [46.246.12.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287861; rev:1;)
alert tcp $HOME_NET any -> [216.83.46.43] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287860; rev:1;)
# QakBot C2 addresses at 50% have historically been victim/proxy nodes that churn quickly;
# compare first_seen with the ThreatFox page and retire stale entries to keep false
# positives down.
alert tcp $HOME_NET any -> [1.161.70.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287859; rev:1;)
alert tcp $HOME_NET any -> [39.40.164.86] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287858; rev:1;)
alert tcp $HOME_NET any -> [188.49.80.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287857; rev:1;)
alert tcp $HOME_NET any -> [201.124.19.156] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287856/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287856; rev:1;)
alert tcp $HOME_NET any -> [167.71.47.133] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287855; rev:1;)
# Outbound TCP/445 from $HOME_NET to the internet should normally be blocked at the perimeter;
# a hit here is worth treating both as a C2 indicator and as an egress-filtering gap.
alert tcp $HOME_NET any -> [185.229.9.27] 445 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287854; rev:1;)
# 54.230.60.211:443 at 50% confidence looks like an address in a large cloud/CDN range shared
# by many tenants. With no flow or content match, unrelated HTTPS traffic to that address will
# fire this; verify via the ThreatFox reference before blocking.
alert tcp $HOME_NET any -> [54.230.60.211] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287853; rev:1;)
# TCP/50050 is the port commonly associated with the Cobalt Strike team server (operator side),
# not a beacon listener; traffic from $HOME_NET to it would suggest an operator console on the
# inside rather than an implant. Scope and triage accordingly.
alert tcp $HOME_NET any -> [66.165.246.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287850; rev:1;)
alert tcp $HOME_NET any -> [168.100.10.40] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287849; rev:1;)
alert tcp $HOME_NET any -> [106.54.198.187] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287848; rev:1;) alert tcp $HOME_NET any -> [142.171.67.205] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287847; rev:1;) alert tcp $HOME_NET any -> [101.42.139.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287846; rev:1;) alert tcp $HOME_NET any -> [194.67.193.55] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287845/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_22; classtype:trojan-activity; sid:91287845; rev:1;) alert tcp $HOME_NET any -> [194.67.193.56] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287844/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_22; classtype:trojan-activity; sid:91287844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.celinecuypers.be"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287716/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287716; rev:1;)
# IOCs 1287697 (ip:port) and 1287698 (domain) appear to be one NjRAT C2 reached through a
# public tunnelling service hostname (*.gl.at.ply.gg). The IP:port is then the service's edge,
# shared with other users of that service, not the operator's own host - the DNS rule is the
# more specific of the two and the one to pivot on.
alert tcp $HOME_NET any -> [147.185.221.20] 36706 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287697; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bar-fri.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287698; rev:1;)
alert tcp $HOME_NET any -> [8.222.156.244] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287715; rev:1;)
# "/api/3" is a six-byte prefix match (no isdataat on http.uri), so "/api/30..." also fires;
# the exact http.host anchor is what keeps this rule specific - keep it if you adapt the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287714; rev:1;)
# Plain TCP/80 to this IP with no flow/content match; the URL rule for the same host that
# follows (IOC 1287712) is the higher-fidelity detection of the pair.
alert tcp $HOME_NET any -> [43.143.58.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287713; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/verchk/verchk_"; depth:15; nocase; http.host; content:"43.143.58.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"185.201.226.192"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287711; rev:1;) alert tcp $HOME_NET any -> [175.178.88.48] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.117.0.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"175.178.88.48"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1287708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287708; rev:1;) alert tcp $HOME_NET any -> [132.232.109.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"service-1w88bdif-1300276284.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-1w88bdif-1300276284.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287706; rev:1;) alert tcp $HOME_NET any -> [106.54.198.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; 
nocase; http.host; content:"106.54.198.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-nsxtuf5s-1252551592.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287701; rev:1;) alert tcp $HOME_NET any -> [175.178.88.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-nsxtuf5s-1252551592.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/search/goods/details.html"; depth:28; nocase; http.host; content:"103.36.196.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287699; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"mamudoilekeyfyap.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287684; rev:1;)
# IOCs 1287684-1287688 share the same URI "/yzblnzk4nmvlzda0/" across five hosts (the last
# two are on the following line), which reads like one campaign. A host-agnostic hunting rule
# on the URI alone would catch new domains for it, but keep these host-anchored rules as they
# are: the exact http.host match is what keeps their false-positive risk low.
alert tcp $HOME_NET any -> [148.163.56.241] 19081 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"mamudoiledostadogru.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287685; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"sigaracokhojdur1.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; 
content:"dertlikaygisiz04.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzblnzk4nmvlzda0/"; depth:18; nocase; http.host; content:"kaygisizamamutlu04.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287688; rev:1;) alert tcp $HOME_NET any -> [147.45.45.219] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287694; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link/shit/clyx4hg2zi"; depth:21; nocase; http.host; content:"cs1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/aapk"; depth:5; nocase; http.host; content:"116.114.20.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287683; rev:1;) alert tcp $HOME_NET any -> [157.90.5.250] 18637 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/enc"; depth:7; nocase; http.host; content:"execresource.ltd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287633; rev:1;) alert tcp $HOME_NET any -> [109.187.163.140] 12550 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"execresource.ltd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/8otabr/"; depth:8; nocase; http.host; content:"ryruhuu3.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"ryruhuu3.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/blue"; depth:8; nocase; http.host; content:"execresource.ltd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287631; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10148 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287624; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287621; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 17524 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287622; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287617; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287618; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287619; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 18942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287620; rev:1;) alert tcp $HOME_NET any -> [94.228.166.68] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287610; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rblxshaders1.0.2.rar"; depth:21; nocase; http.host; content:"files.rblxshaders.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287612; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 14452 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287623; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10148 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_22; classtype:trojan-activity; sid:91287625; rev:1;) alert tcp $HOME_NET any -> [91.92.255.143] 45786 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mdasidy72.mom"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0995598.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287681; rev:1;) alert tcp $HOME_NET any -> [128.90.129.79] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287680; rev:1;) alert tcp $HOME_NET any -> [149.102.147.106] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287679; rev:1;) alert tcp $HOME_NET any -> [154.12.229.73] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287678; rev:1;) alert tcp $HOME_NET any -> [35.172.35.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287677; rev:1;) alert tcp $HOME_NET any -> [67.0.227.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287676/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287676; rev:1;) alert tcp $HOME_NET any -> [64.229.116.2] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287675; rev:1;) alert tcp $HOME_NET any -> [2.50.37.55] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287674; rev:1;) alert tcp $HOME_NET any -> [23.27.52.110] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287673; rev:1;) alert tcp $HOME_NET any -> [64.7.199.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287672; rev:1;) alert tcp $HOME_NET any -> [118.107.7.146] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287671; rev:1;) alert tcp $HOME_NET any -> [91.199.154.103] 34211 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_22; classtype:trojan-activity; sid:91287670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janbours92harbu02.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janbours92harbu03.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"facilitycoursedw.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doughtdrillyksow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disappointcredisotw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bargainnygroandjwk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"injurypiggyoewirog.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"leafcalfconflcitw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"computerexcudesp.shop"; 
depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"publicitycharetew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"backcreammykiel.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/tempdle/php/bigloadhttpauth/cpuserver/secureexternal18/temp/datalifevm/0/datalifetemporaryjavascript3/6dump/phpdownloadsmariadbgeo/temporary3/packet/8/default5proton/linejslongpolluniversalcentraluploadstemporary.php"; depth:225; nocase; http.host; content:"212.57.118.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_22; classtype:trojan-activity; sid:91287649; rev:1;) alert tcp $HOME_NET any -> [47.112.227.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287647; rev:1;) alert tcp $HOME_NET any -> [85.208.108.12] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287646; rev:1;) alert tcp $HOME_NET any -> [85.31.239.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287645; rev:1;) alert tcp $HOME_NET any -> [94.228.168.216] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287644; rev:1;) alert tcp $HOME_NET any -> [31.220.17.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287643; rev:1;) alert tcp $HOME_NET any -> [136.244.76.249] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287642; rev:1;) alert tcp $HOME_NET any -> [139.196.226.108] 44 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287641; rev:1;) alert tcp $HOME_NET any -> [212.23.222.48] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_22; classtype:trojan-activity; sid:91287640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.68.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0eternalrequest/httpwptemp/bossesgeneratesbmw.php"; depth:50; nocase; http.host; content:"195.3.223.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287638; rev:1;) alert tcp $HOME_NET any -> [185.172.128.116] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287637; rev:1;) alert tcp $HOME_NET any -> [95.142.46.3] 7000 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287636; rev:1;) alert tcp $HOME_NET any -> [95.142.46.3] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7cd7172a.php"; depth:13; nocase; http.host; content:"a0995830.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mb3gvqs8/index.php"; depth:19; nocase; http.host; content:"185.172.128.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287628; rev:1;) alert tcp $HOME_NET any -> [5.255.117.46] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287616; rev:1;) alert tcp $HOME_NET any -> [162.19.135.156] 443 (msg:"ThreatFox 
Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287615; rev:1;) alert tcp $HOME_NET any -> [181.131.217.255] 1524 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"134.122.130.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287611; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287609; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287608; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287607; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287606; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287605; rev:1;) alert tcp $HOME_NET any -> [193.26.115.85] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287604; rev:1;) alert tcp $HOME_NET any -> [193.26.115.85] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287603; rev:1;) alert tcp $HOME_NET any -> [207.174.26.115] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287602; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 8080 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287601; rev:1;) alert tcp $HOME_NET any -> [23.94.197.108] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287600; rev:1;) alert tcp $HOME_NET any -> [193.26.115.139] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287599; rev:1;) alert tcp $HOME_NET any -> [46.246.86.24] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287598; rev:1;) alert tcp $HOME_NET any -> [39.40.212.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287597; rev:1;) alert tcp $HOME_NET any -> [16.163.52.26] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; 
classtype:trojan-activity; sid:91287596; rev:1;) alert tcp $HOME_NET any -> [20.51.213.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287595; rev:1;) alert tcp $HOME_NET any -> [98.66.154.97] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287594; rev:1;) alert tcp $HOME_NET any -> [207.154.199.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287593; rev:1;) alert tcp $HOME_NET any -> [144.34.163.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287592; rev:1;) alert tcp $HOME_NET any -> [176.97.124.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287591; rev:1;) alert tcp $HOME_NET any -> [106.225.243.115] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287590; rev:1;) alert tcp $HOME_NET any -> [172.104.153.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287589; rev:1;) alert tcp $HOME_NET any -> [43.135.3.17] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287588; rev:1;) alert tcp $HOME_NET any -> [51.222.30.120] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webhooks"; depth:9; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bettershaders.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287579/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.cap-berriat.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"file.rblxshaders.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rblxshaders.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rblxshaders1.0.2.rar"; depth:21; nocase; http.host; content:"file.rblxshaders.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/creditcards"; depth:12; nocase; http.host; 
content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/autofill"; depth:9; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/passwords"; depth:10; nocase; http.host; content:"bettershaders.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287585; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 14127 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287578; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287280; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287281; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15809 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287282; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 33823 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"remember-sail.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287284; rev:1;) alert tcp $HOME_NET any -> [185.68.93.9] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287288; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 33475 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287285; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"minutes-nirvana.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287286; rev:1;) alert tcp $HOME_NET any -> [45.159.210.127] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287576; rev:1;) alert tcp $HOME_NET any -> [147.45.124.206] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287575; rev:1;) alert tcp $HOME_NET any -> [45.155.76.231] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287574/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287574; rev:1;) alert tcp $HOME_NET any -> [107.173.203.208] 111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287573; rev:1;) alert tcp $HOME_NET any -> [47.120.45.94] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287572; rev:1;) alert tcp $HOME_NET any -> [82.157.183.183] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287571; rev:1;) alert tcp $HOME_NET any -> [185.243.240.45] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287570; rev:1;) alert tcp $HOME_NET any -> [146.190.149.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287569/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287569; rev:1;) alert tcp $HOME_NET any -> [118.107.244.100] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287568/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287568; rev:1;) alert tcp $HOME_NET any -> [176.32.33.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287547; rev:1;) alert tcp $HOME_NET any -> [143.198.73.116] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287543; rev:1;) alert tcp $HOME_NET any -> [47.113.199.110] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287534; rev:1;) alert tcp $HOME_NET any -> [120.27.143.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287531; rev:1;) alert tcp $HOME_NET any -> [103.36.196.60] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287528; rev:1;) alert tcp $HOME_NET any -> [185.208.158.154] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287523; rev:1;) alert tcp $HOME_NET any -> [162.14.105.213] 46151 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287517/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287517; rev:1;) alert tcp $HOME_NET any -> [44.217.219.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287515; rev:1;) alert tcp $HOME_NET any -> [111.90.158.59] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287509; rev:1;) alert tcp $HOME_NET any -> [147.45.47.176] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287493; rev:1;) alert tcp $HOME_NET any -> [147.45.47.134] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287486/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287486; rev:1;) alert tcp $HOME_NET any -> [147.45.44.48] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287473; rev:1;) alert tcp $HOME_NET any -> [188.25.167.44] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1287460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287460; rev:1;) alert tcp $HOME_NET any -> [94.228.166.19] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287408; rev:1;) alert tcp $HOME_NET any -> [116.203.13.254] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287311; rev:1;) alert tcp $HOME_NET any -> [116.203.13.254] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287308; rev:1;) alert tcp $HOME_NET any -> [2.58.84.229] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287296; rev:1;) alert tcp $HOME_NET any -> [146.19.213.22] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287295; rev:1;) alert tcp $HOME_NET any -> [128.90.108.187] 4433 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287294; rev:1;) alert tcp $HOME_NET any -> [148.113.165.11] 82 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_21; classtype:trojan-activity; sid:91287293; rev:1;) alert tcp $HOME_NET any -> [194.67.193.44] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287292/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287292; rev:1;) alert tcp $HOME_NET any -> [194.67.193.42] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287290/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287290; rev:1;) alert tcp $HOME_NET any -> [194.67.193.43] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287291/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; classtype:trojan-activity; sid:91287291; rev:1;) alert tcp $HOME_NET any -> [194.67.193.33] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287289/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_21; 
classtype:trojan-activity; sid:91287289; rev:1;) alert tcp $HOME_NET any -> [185.38.142.10] 7474 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287287; rev:1;) alert tcp $HOME_NET any -> [52.169.196.156] 7766 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287279; rev:1;) alert tcp $HOME_NET any -> [120.78.155.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287276/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287276; rev:1;) alert tcp $HOME_NET any -> [111.230.28.217] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"123.207.66.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287274; rev:1;) alert tcp $HOME_NET any -> [47.108.142.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.142.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"1.14.18.173"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1287271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gsearch.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"175.107.3.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287269; rev:1;) alert tcp $HOME_NET any -> [104.21.8.118] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"comarmo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"monesam.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287265/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"seburax.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"yerifest.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"dolipox.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fedelize.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"maduroma.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ardoelur.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"duigore.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287259; rev:1;) alert tcp $HOME_NET any -> [77.91.77.6] 24186 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"gotsuspended.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287256; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.55.102.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.35.141.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/static/icon/iconfont/kuaishou.js"; depth:33; nocase; http.host; content:"vip.zto.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"ms-update-cs1.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-update-cs1.azureedge.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"49.232.129.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287247/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.92.205.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.138.218.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/fp/gu4wkyzltjvwetfp-njnw"; depth:38; nocase; http.host; content:"8.138.23.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/kuztarmhqb9clzlpfu1kzg2-fzaot"; depth:47; nocase; http.host; content:"sydnc.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287239; rev:1;) alert tcp $HOME_NET any -> [124.70.77.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287238; rev:1;)
# NOTE(review): the ip:port rule that ends above (sid 91287238, 124.70.77.173:80) names Cobalt Strike in its msg, but the
# url rules for the same hosts below say only "botnet C2 traffic". When a url rule fires on its own, the family has to be
# recovered through the reference URL; consider carrying it into msg for triage.
# Matching semantics of these url rules: http.host is an exact match (depth equals the content length and
# isdataat:!1,relative forbids trailing bytes), while http.uri is a prefix match (depth only, no isdataat), so
# "/dpixel" also matches "/dpixel?x=1" or "/dpixelfoo" on that host. Suricata documents http.host as excluding a
# ":port" suffix, so a Host header carrying a port should still match -- verify on the deployed engine version.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr"; depth:17; nocase; http.host; content:"124.70.77.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287237; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287236; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"185.196.8.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287234; rev:1;)
# NOTE(review): the tcp ip:port rules carry no flow keyword, so they are not restricted to established sessions: a single
# outbound SYN to 185.196.8.107:443 (a scanner, a sandbox replay) is enough to fire, rate-limited to one alert per source
# IP per 60 s by the threshold. The destination is port 443, and the paired url rule above (sid 91287234) only sees
# cleartext HTTP; if the channel is TLS, only this ip:port rule alerts, and without any URI context.
alert tcp $HOME_NET any -> [185.196.8.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287235; rev:1;)
alert tcp $HOME_NET any -> [194.156.99.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"194.156.99.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287232; rev:1;) alert tcp $HOME_NET any -> [38.147.186.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.147.186.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287230; rev:1;) alert tcp $HOME_NET any -> [101.132.192.106] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"admin.eneroco.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.eneroco.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"101.35.173.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287226; rev:1;) alert tcp $HOME_NET any -> [39.108.94.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp2.servicebio.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"smtp2.servicebio.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"mailgate.servicebio.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailgate.servicebio.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"authsmtp.servicebio.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"authsmtp.servicebio.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287219/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"www2.servicebio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.servicebio.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kuromipg.im"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"www.kuromipg.im"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"china-yqs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1287214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/ui/js/base.js"; depth:18; nocase; http.host; content:"china-yqs.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.117.79.251"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287212; rev:1;) alert tcp $HOME_NET any -> [62.133.60.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"past-dryer-gw.aws-apse2.cloud-ara.tyk.io"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"past-dryer-gw.aws-apse2.cloud-ara.tyk.io"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287209; rev:1;) alert tcp $HOME_NET any -> [38.207.176.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287206; rev:1;) alert tcp $HOME_NET any -> [47.108.142.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"47.108.142.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287204; rev:1;) alert tcp $HOME_NET any -> [85.215.213.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scam.cuntcloud.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"scam.cuntcloud.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"154.31.25.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287200/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"ndas8m92.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndas8m92.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287199; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287197; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287196; rev:1;) alert tcp $HOME_NET any -> [94.156.68.10] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287195; rev:1;) alert tcp $HOME_NET any -> 
[94.156.68.10] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287194; rev:1;) alert tcp $HOME_NET any -> [94.156.68.10] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287193; rev:1;) alert tcp $HOME_NET any -> [185.62.86.134] 333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287192; rev:1;) alert tcp $HOME_NET any -> [158.220.83.114] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287191; rev:1;) alert tcp $HOME_NET any -> [161.97.151.222] 113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287190; rev:1;) alert tcp $HOME_NET any -> [207.174.26.115] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287189/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287189; rev:1;) alert tcp $HOME_NET any -> [94.156.68.59] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287188; rev:1;) alert tcp $HOME_NET any -> [94.156.68.59] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287187; rev:1;) alert tcp $HOME_NET any -> [94.156.68.59] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287186; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287185; rev:1;) alert tcp $HOME_NET any -> [118.107.244.99] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287184; rev:1;) alert tcp $HOME_NET any -> [46.246.4.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287183; rev:1;) alert tcp $HOME_NET any -> [212.251.109.161] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287182; rev:1;) alert tcp $HOME_NET any -> [187.224.5.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287181; rev:1;) alert tcp $HOME_NET any -> [70.31.125.88] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287180; rev:1;) alert tcp $HOME_NET any -> [72.66.32.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287179; rev:1;) alert tcp $HOME_NET any -> [45.32.128.142] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287178; rev:1;) alert tcp $HOME_NET any -> [194.156.98.101] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287177; rev:1;) alert tcp $HOME_NET any -> [172.86.75.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287176; rev:1;) alert tcp $HOME_NET any -> [61.14.210.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287175; rev:1;) alert tcp $HOME_NET any -> [41.234.57.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_21; classtype:trojan-activity; sid:91287174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wizarr.manate.ch"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287172/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_21; classtype:trojan-activity; sid:91287172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"go-sw6-02.adventos.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1287173/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_21; classtype:trojan-activity; sid:91287173; rev:1;)
# NOTE(review): 94.156.68.54 sits in the same /24 as the AsyncRAT C2s 94.156.68.10, .59 and .118 earlier in this file
# (sids 91287193-91287195 and 91287185-91287188). If block lists are derived from these rules as well, consider tracking
# the range rather than four single hosts. Like every ip:port rule here it has no flow keyword, so an unanswered SYN to
# 94.156.68.54:87 already fires it (one alert per source per 60 s).
alert tcp $HOME_NET any -> [94.156.68.54] 87 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287171; rev:1;)
# NOTE(review): the hostname in the dns rule below (deadsecc-34880.portmap.host) embeds the same port, 34880, that the
# ip:port rule uses, which looks like a port-forwarding/tunnel service rather than operator-owned infrastructure --
# TODO confirm. If so, 193.161.193.99 is a shared edge used by unrelated tenants: treat the ip:port pair and the domain
# as the IOC, not the bare IP. The dns match is exact (depth:27 plus isdataat:!1,relative), so other portmap.host
# subdomains do not alert. The dns rule header is $HOME_NET -> $EXTERNAL_NET, so it only matches where the sensor sees
# queries leaving HOME_NET; client queries to a resolver that is itself inside HOME_NET are not covered.
alert tcp $HOME_NET any -> [193.161.193.99] 34880 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287165; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deadsecc-34880.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287166; rev:1;)
# NOTE(review): the NjRAT entries below are several distinct IPs sharing ports 17778 and 10935 at 75% confidence; the
# reference URLs are the only place the submitter's evidence can be checked before these are promoted to blocking.
alert tcp $HOME_NET any -> [3.127.253.86] 17778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287164; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287161; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 17778 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287162; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 17778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lake-french.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287158; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287159; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10935 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287160; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 33694 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287157/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_21; classtype:trojan-activity; sid:91287157; rev:1;)
# NOTE(review): sids 91287151, 91287152 and 91287153 (the third follows the NjRAT rule below) have byte-identical
# detection logic -- GET with URI prefix /article.php on host www.btini.net -- and differ only in the ThreatFox IOC they
# reference (1287151/1287152/1287153). One matching request therefore raises three alerts. Presumably the three source
# URLs differ only in their query string, which http.uri with depth:12 and no isdataat never inspects -- TODO confirm
# against the three references. If so, keep a single rule, or add a per-IOC query-string content (e.g. on http.uri.raw)
# so the three stay distinguishable without inflating alert counts. The prefix match is also what lets
# /article.php?... hit at all, so do not add isdataat:!1,relative to the URI content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287152; rev:1;)
alert tcp $HOME_NET any -> [41.249.49.248] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.btini.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287153; rev:1;)
# NOTE(review): 147.185.221.20 already appears above on port 33694 (sid 91287157) and here on 16906; together with the
# *.gl.at.ply.gg hostnames in this batch it looks like a tunnelling-service edge rather than attacker-owned -- TODO
# confirm. If so the IP is shared with unrelated users and the port is the discriminating part of the IOC; do not block
# the bare address.
alert tcp $HOME_NET any -> [147.185.221.20] 16906 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1287167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"grade-excellence.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287168; rev:1;) alert tcp $HOME_NET any -> [41.249.109.189] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_21; classtype:trojan-activity; sid:91287169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287170; rev:1;) alert tcp $HOME_NET any -> [107.175.101.198] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_21; classtype:trojan-activity; sid:91287155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1287149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287149; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287150; rev:1;) alert tcp $HOME_NET any -> [185.11.61.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.11.61.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/plugins/search/contacts/chrndi.php"; depth:35; nocase; http.host; content:"arbeitsschutz-mmk.de"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/themes/twentytwentyfour/44snwx.php"; depth:46; nocase; http.host; content:"elpgtextil.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/zca2ck.php"; depth:46; nocase; http.host; content:"jlholgado.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/rleoec.php"; depth:46; nocase; http.host; content:"carniceriamartinezadria.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287143; rev:1;) alert tcp $HOME_NET any -> [193.23.161.147] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287142; rev:1;) alert tcp $HOME_NET any -> [136.243.151.123] 200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; 
classtype:trojan-activity; sid:91287141; rev:1;) alert tcp $HOME_NET any -> [185.208.158.113] 8010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287140; rev:1;) alert tcp $HOME_NET any -> [194.26.192.214] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287139; rev:1;) alert tcp $HOME_NET any -> [194.26.192.214] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287138; rev:1;) alert tcp $HOME_NET any -> [128.90.128.218] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287137; rev:1;) alert tcp $HOME_NET any -> [94.156.68.118] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287136; rev:1;) alert tcp $HOME_NET any -> [46.246.4.4] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1287135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287135; rev:1;) alert tcp $HOME_NET any -> [46.226.167.205] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287134; rev:1;) alert tcp $HOME_NET any -> [192.3.44.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287133; rev:1;) alert tcp $HOME_NET any -> [112.124.5.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287132; rev:1;) alert tcp $HOME_NET any -> [142.171.225.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287131; rev:1;) alert tcp $HOME_NET any -> [46.246.84.24] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287130; rev:1;) alert tcp $HOME_NET any -> [149.109.116.223] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287129; rev:1;) alert tcp $HOME_NET any -> [195.123.219.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287128; rev:1;) alert tcp $HOME_NET any -> [5.181.159.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287127; rev:1;) alert tcp $HOME_NET any -> [149.28.153.80] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287126; rev:1;) alert tcp $HOME_NET any -> [74.119.193.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"onecapitalresidences.com"; depth:24; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1287115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"onecapitalresidences.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"onecapitalresidences.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"onecapitalresidences.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"daveiz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.brandontucker.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287118; rev:1;) alert tcp $HOME_NET any -> [184.174.96.179] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287107/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"pirkomagar.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287108/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"ggrastyal.live"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287109/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_20; classtype:trojan-activity; sid:91287109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ryruhuu3.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287111; rev:1;) alert tcp $HOME_NET any -> [89.185.85.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287124; rev:1;) alert tcp $HOME_NET any -> [172.94.53.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287123; rev:1;) alert tcp $HOME_NET any -> [8.138.104.216] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.51.102.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91287121; rev:1;) alert tcp $HOME_NET any -> [1.12.44.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.12.44.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287119; rev:1;) alert tcp $HOME_NET any -> [45.141.87.218] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"j282895d.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/54596186971079"; depth:25; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287106; rev:1;) alert tcp $HOME_NET any -> [95.181.151.121] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94903f819d758732.php"; depth:21; nocase; http.host; content:"5.42.104.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287104; rev:1;) alert tcp $HOME_NET any -> [18.210.161.224] 3637 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1287102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"munan.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1287103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/ajax.php"; depth:19; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1287101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91287101; rev:1;) alert tcp $HOME_NET any -> [64.7.198.158] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286932/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_20; classtype:trojan-activity; sid:91286932; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/w5qc7zcd"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286930; rev:1;) alert tcp $HOME_NET any -> [207.154.230.90] 4782 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/posts.php"; depth:20; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bordingfriluftsbad.dk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.bordingfriluftsbad.dk"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/endpoint"; depth:9; nocase; http.host; content:"ndas8m92.lol"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286925; rev:1;) alert tcp $HOME_NET any -> [45.95.169.146] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286879/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hell/you/goback.html"; depth:21; nocase; http.host; content:"flynews.us"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"flynews.us"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/hell/you/rare.zip"; depth:18; nocase; http.host; content:"flynews.us"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286928; rev:1;) alert tcp $HOME_NET any -> [119.29.227.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-jjtluhvu-1308426789.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jjtluhvu-1308426789.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286923; rev:1;) alert tcp $HOME_NET any -> [206.188.196.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.tiasjdwwd.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tiasjdwwd.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"47.238.48.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286918; rev:1;) alert tcp $HOME_NET any -> [92.118.112.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distinctive-highlight-gw.aws-euw2.cloud-ara.tyk.io"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286916; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"distinctive-highlight-gw.aws-euw2.cloud-ara.tyk.io"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logo.jpg"; depth:9; nocase; http.host; content:"8.134.249.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286914; rev:1;) alert tcp $HOME_NET any -> [47.97.22.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"83.229.127.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286911; rev:1;) alert tcp $HOME_NET any -> [83.229.127.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286912/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286912; rev:1;)
# --- Reviewer notes for this section (generated ThreatFox rules; only comments added, one rule per line) ---
# * The "alert tcp $HOME_NET any -> [ip] port" rules carry no flow: keyword, so a single outbound
#   SYN to the ip:port is enough to fire; "threshold: type limit, track by_src, seconds 60, count 1"
#   then caps each rule at one alert per source host per minute. They are IP-only indicators with no
#   protocol content match -- corroborate before turning them into blocks, and treat the
#   confidence_level 50-75 ones as triage leads rather than verdicts.
# * The "alert http" rules only match HTTP that Suricata can parse, i.e. cleartext (or TLS decrypted
#   upstream). Where a url rule is paired with a 443 ip:port rule for the same host, the url rule will
#   stay silent if the implant really talks TLS. The http.uri content is depth-anchored at the start of
#   the URI but has no isdataat after it, so short paths such as /cx, /cm, /ca, /ptj, /push, /match also
#   match longer URIs that begin with them; the exact host anchor (depth + isdataat:!1,relative) is what
#   keeps these rules precise.
# * The "alert dns" rules match the exact FQDN in the query (depth anchors the start, isdataat the end),
#   so sibling labels or a www. prefix are not covered. If clients resolve through an internal recursive
#   resolver inside $HOME_NET, src_ip (and therefore target:src_ip) points at the resolver, not the
#   infected client -- correlate with resolver query logs to find the real source.
alert tcp $HOME_NET any -> [202.95.13.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.97.22.116"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286908; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.236.74.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286907; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.12.44.34"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286905; rev:1;)
alert tcp $HOME_NET any -> [1.12.44.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286906; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286904; rev:1;)
# ip:port rule on 443 paired with an http url rule for the same host: the url rule below only fires
# if the beacon uses cleartext HTTP on some port, or TLS is decrypted before Suricata sees it.
alert tcp $HOME_NET any -> [54.224.97.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286903; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"54.224.97.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286902; rev:1;)
# Exact-FQDN match on what looks like a per-tenant cloud API-gateway hostname; the parent
# tencentapigw domain is shared by legitimate tenants, so do not widen this to the parent.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-4iisjdnk-1314135568.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blacksys.deltadefenses.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286898; rev:1;)
alert tcp $HOME_NET any -> [62.162.9.18] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286899; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"blacksys.deltadefenses.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286897; rev:1;)
alert tcp $HOME_NET any -> [151.236.16.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286896; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"151.236.16.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286895; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"206.237.23.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286894; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"119.29.227.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286893; rev:1;)
# Duplicate of sid:91286909 above (same GET /updates.rss on 202.95.13.230, different IoC id):
# one request fires both rules -- dedupe on the (uri, host) pair if alert volume matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"202.95.13.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286892; rev:1;)
alert tcp $HOME_NET any -> [83.229.127.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286891; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"83.229.127.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286890; rev:1;)
alert tcp $HOME_NET any -> [47.76.67.52] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286889; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.76.67.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286888; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.121.112.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286887; rev:1;)
# confidence_level 75 / 60 ip:port indicators (no content match): alert-and-triage, not block.
alert tcp $HOME_NET any -> [116.202.14.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286885; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.43] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286886/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286886; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.32] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286884/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_20; classtype:trojan-activity; sid:91286884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gosuslugi.zilab.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286883; rev:1;)
# The URI is a benign-looking library filename; the host anchor carries the whole match here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gosuslugi.zilab.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286882; rev:1;)
alert tcp $HOME_NET any -> [111.230.28.217] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286881; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"123.207.66.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cudohub.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286878; rev:1;)
# confidence_level 50 ip:port indicators follow; several sit on common ports (80, 443, 8080, 8888)
# so a hit is a lead to verify against the endpoint, not evidence on its own.
alert tcp $HOME_NET any -> [128.90.129.85] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286875; rev:1;)
alert tcp $HOME_NET any -> [34.41.177.91] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286874; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.241] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286873; rev:1;)
alert tcp $HOME_NET any -> [46.29.162.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286872; rev:1;)
alert tcp $HOME_NET any -> [49.113.76.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286871; rev:1;)
alert tcp $HOME_NET any -> [107.172.8.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286870; rev:1;)
# Outbound SMB (445) to an Internet host: egress filtering should already drop this, in which case
# the rule never fires; if it does fire, review the egress policy along with the source endpoint.
alert tcp $HOME_NET any -> [54.214.177.108] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286869; rev:1;)
alert tcp $HOME_NET any -> [149.28.147.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286868; rev:1;)
alert tcp $HOME_NET any -> [149.28.153.80] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286867; rev:1;)
alert tcp $HOME_NET any -> [172.233.121.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286866; rev:1;)
alert tcp $HOME_NET any -> [185.29.10.248] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286865; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20077 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286864; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20069 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286863; rev:1;)
alert tcp $HOME_NET any -> [116.206.166.212] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286862; rev:1;)
alert tcp $HOME_NET any -> [15.197.146.59] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286861; rev:1;)
alert tcp $HOME_NET any -> [163.181.100.96] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286860; rev:1;)
alert tcp $HOME_NET any -> [144.202.12.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286859; rev:1;)
alert tcp $HOME_NET any -> [158.247.250.154] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_20; classtype:trojan-activity; sid:91286858; rev:1;)
alert tcp $HOME_NET any -> [185.221.198.94] 48367 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286857; rev:1;)
# Payload-delivery set for one host: three URL rules plus a DNS rule. A DNS hit precedes the
# fetch and can occur without it (blocked download, resolver-only visibility) -- it is the
# earlier, weaker signal; the URL hit is the one that says a download was attempted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pelicanbcnsolutions.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"pelicanbcnsolutions.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.femmetech.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286815; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndas8m92.lol"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286854; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"206.119.171.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286855; rev:1;)
alert tcp $HOME_NET any -> [206.119.171.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286856; rev:1;)
# One specific webhook path on discord.com, a legitimate service: the host must not be blocked on
# its own, and the full 102-byte URI (depth:102) is what identifies the abused webhook. Discord
# traffic is normally TLS, so this http rule needs decryption to fire. The webhook token embedded
# here is the exfil channel -- consider reporting it so the webhook is revoked.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/webhooks/1251490311834828870/bqerh7nm_ktafdik4zykv8xpncvkaxxhfpdvbb95og9m0gjecfaslf1yjaqjattinicp"; depth:102; nocase; http.host; content:"discord.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286853/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_20; classtype:trojan-activity; sid:91286853; rev:1;)
# duckdns.org is a dynamic-DNS service: the hostname, not whatever IP it resolves to at the
# moment, is the durable indicator -- keep the DNS rule rather than deriving an IP block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwarsut775laudrye3.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286822; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjnourt38haoust1.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286823; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bossnacarpet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286819; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oriondedjdissd.con-ip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286820; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwarsut775laudrye2.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelinepython_httpdbgeneratorpublicdownloads.php"; depth:51; nocase; http.host; content:"951669cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0996251.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_20; classtype:trojan-activity; sid:91286817; rev:1;)
alert tcp $HOME_NET any -> [77.91.77.66] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286816; rev:1;)
alert tcp $HOME_NET any -> [49.232.185.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-e5obcthn-1301549065.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e5obcthn-1301549065.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286813; rev:1;)
# 206.119.171.239 now has ip:port rules for both 80 (above) and 443, plus url rules for /ca and
# /match; the two ip:port rules are thresholded independently, so one host can raise both per minute.
alert tcp $HOME_NET any -> [206.119.171.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"206.119.171.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286810; rev:1;)
alert tcp $HOME_NET any -> [8.138.150.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"8.138.150.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.71.18.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286807; rev:1;)
alert tcp $HOME_NET any -> [49.232.217.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286806; rev:1;)
# "/image/" with depth:7 and no trailing anchor is a directory-prefix match: any GET under /image/
# on this host fires, which is presumably intended for a beacon that varies the filename.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"49.232.217.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286805; rev:1;)
alert tcp $HOME_NET any -> [101.200.237.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.200.237.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286803; rev:1;)
alert tcp $HOME_NET any -> [114.115.183.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"114.115.183.119"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286801; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.6] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286796; rev:1;)
# Six ip:port rules for the same host 94.156.68.100 on different ports. threshold is per rule, so
# one client touching several of these ports can raise up to six alerts per minute; if that is
# noisy, an aggregate view keyed on dest IP is more useful than the individual sids.
alert tcp $HOME_NET any -> [94.156.68.100] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286795; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286794; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286793; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286791; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286792; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.100] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286790; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.78] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286788; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.78] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286789; rev:1;)
alert tcp $HOME_NET any -> [43.154.134.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286787; rev:1;)
alert tcp $HOME_NET any -> [185.229.9.27] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286786; rev:1;)
alert tcp $HOME_NET any -> [104.225.129.140] 59393 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286785; rev:1;)
alert tcp $HOME_NET any -> [162.212.154.121] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286784; rev:1;)
alert tcp $HOME_NET any -> [13.60.5.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286783; rev:1;)
alert tcp $HOME_NET any -> [16.171.113.25] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286781; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-povdf8ll-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-povdf8ll-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286777; rev:1;)
# Duplicate of sid:91286781 above (same GET /api/3 on ww2.jji.cz, different IoC id); both fire per request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.3.253.250"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.222.140.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"119.3.253.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286770; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tenancy-agreement-sample-guyana/"; depth:33; nocase; http.host; content:"eberlie.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.almik.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/data.php"; depth:16; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286571; rev:1;) alert tcp $HOME_NET any -> [172.67.212.234] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286572; rev:1;) alert tcp $HOME_NET any -> [104.21.23.190] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1286573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"midwestsoil.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rvandccc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"rvandccc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x8f7a89.pics"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jsincloud.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lifestylechoices.us"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286575; rev:1;) alert tcp $HOME_NET any -> [45.9.73.82] 12345 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jswebcache.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286561; rev:1;) alert tcp $HOME_NET any -> [94.131.115.191] 15643 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286563; rev:1;) alert tcp $HOME_NET any -> [45.77.80.158] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286562; rev:1;) alert tcp $HOME_NET any -> [77.221.149.178] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286560; rev:1;) alert tcp $HOME_NET any -> [116.203.252.168] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286559; rev:1;) alert tcp $HOME_NET any -> [185.208.158.50] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286558; rev:1;) alert tcp $HOME_NET any -> [45.55.36.222] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286557; rev:1;) alert tcp $HOME_NET any -> [34.83.108.106] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286556; rev:1;) alert tcp $HOME_NET any -> [5.161.245.54] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286555; rev:1;) alert tcp $HOME_NET any -> [104.194.143.5] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286554; rev:1;) alert tcp $HOME_NET any -> [34.16.215.110] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286553; rev:1;) alert tcp $HOME_NET any -> [34.130.217.52] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286552; rev:1;) 
# NOTE(review): the url rules below match an established client->server GET whose http.uri
# *starts with* the listed path (content plus a depth equal to the path length anchors the
# start but not the end, so "/api/3" also matches "/api/3x") and whose http.host is *exactly*
# the listed value (isdataat:!1,relative forbids trailing bytes, so a "host:port" Host header
# does not match). The dns rules match the queried name exactly and case-insensitively
# (depth + isdataat:!1,relative); subdomains of a listed name are not covered.
alert tcp $HOME_NET any -> [34.130.221.34] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286551; rev:1;) alert tcp $HOME_NET any -> [5.9.247.137] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286550; rev:1;) alert tcp $HOME_NET any -> [47.74.9.201] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286549; rev:1;) alert tcp $HOME_NET any -> [69.49.244.37] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286548; rev:1;) alert tcp $HOME_NET any -> [194.26.29.140] 15643 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286547; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286546/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286546; rev:1;) alert tcp $HOME_NET any -> [194.233.73.183] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286545; rev:1;) alert tcp $HOME_NET any -> [94.156.8.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286544; rev:1;) alert tcp $HOME_NET any -> [194.55.186.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286543; rev:1;) alert tcp $HOME_NET any -> [104.168.54.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286542; rev:1;) alert tcp $HOME_NET any -> [50.60.139.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286541; rev:1;) alert tcp $HOME_NET any -> [149.28.147.99] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286540; rev:1;) alert tcp $HOME_NET any -> [91.207.183.16] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286539; rev:1;) alert tcp $HOME_NET any -> [54.234.100.124] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsupdatedefaulttrafficcentral.php"; depth:34; nocase; http.host; content:"235566cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"midwestsoil.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286535; rev:1;) alert tcp $HOME_NET any -> [83.147.17.46] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286533/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286533; rev:1;) alert tcp $HOME_NET any -> [5.42.221.10] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286534/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286534; rev:1;) alert tcp $HOME_NET any -> [5.255.117.240] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286531; rev:1;) alert tcp $HOME_NET any -> [193.168.143.17] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286532/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286532; rev:1;) alert tcp $HOME_NET any -> [91.242.163.63] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286530/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm4"; depth:16; nocase; http.host; content:"87.251.79.242"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm5"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.arm6"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mips"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.ppc"; depth:15; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; 
classtype:trojan-activity; sid:91286525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.mpsl"; depth:16; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sparc"; depth:17; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.x86"; depth:15; nocase; http.host; content:"87.251.79.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286528; rev:1;) alert tcp $HOME_NET any -> [87.251.79.242] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.ppc"; depth:12; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.sparc"; depth:14; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.mips"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.mpsl"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286515/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm4"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm6"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286513; rev:1;) alert tcp $HOME_NET any -> [45.87.247.120] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.arm5"; depth:13; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286512; rev:1;) alert tcp $HOME_NET any -> [107.189.14.198] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1286486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"test-1627838.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awawawa.x86"; depth:12; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidakibest.sh"; depth:14; nocase; http.host; content:"45.87.247.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86ffacb9.php"; depth:13; nocase; http.host; content:"a0995830.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286507; rev:1;) alert tcp $HOME_NET any -> [94.156.67.163] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286506; rev:1;) alert tcp $HOME_NET any -> [192.253.251.227] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286504; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-qvjas1rh-1309482226.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qvjas1rh-1309482226.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286501; rev:1;) alert tcp $HOME_NET any -> [194.233.88.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"194.233.88.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286498/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_19; classtype:trojan-activity; sid:91286498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"180.210.220.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286497; rev:1;) alert tcp $HOME_NET any -> [192.121.162.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"192.121.162.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.51.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286493; rev:1;) alert tcp $HOME_NET any -> [8.130.65.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-80zid8ci-1317810329.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-80zid8ci-1317810329.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286491; rev:1;) alert tcp $HOME_NET any -> [159.75.110.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-d27o3nmv-1324720265.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286487; rev:1;) alert tcp $HOME_NET any -> [154.204.178.164] 61189 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.91av.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286484; rev:1;) alert tcp $HOME_NET any -> [94.156.68.149] 15170 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"2023endofyear.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286449; rev:1;) alert tcp $HOME_NET any -> [94.156.68.149] 15230 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286450; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 26704 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"local-quote.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286452; rev:1;) alert tcp $HOME_NET any -> [2.58.149.83] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286454; rev:1;) alert tcp $HOME_NET any -> [184.105.192.5] 2669 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286453/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_19; classtype:trojan-activity; sid:91286453; rev:1;) alert tcp $HOME_NET any -> [160.177.58.73] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286455; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286456; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286457; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"windows-app.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286460; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286461; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286459; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286462; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286463; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 25701 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286464/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"month-luxembourg.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286465; rev:1;) alert tcp $HOME_NET 
any -> [179.13.6.213] 2019 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carlitosmoreno1794.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286467; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 30481 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"20.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286469; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 17799 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286470; rev:1;) alert tcp $HOME_NET any -> [154.204.178.164] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1286434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/curl.sh"; depth:8; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm4"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm5"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm6"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286438; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.arm7"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.mips"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.mpsl"; depth:11; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.ppc"; depth:10; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/nginx.sparc"; depth:12; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.sh"; depth:9; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nginx.x86"; depth:10; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wget.sh"; depth:8; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x.sh"; depth:5; nocase; http.host; content:"154.204.178.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286447/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.sarele.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286429/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fortindo-fsm.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286433; rev:1;) alert tcp $HOME_NET any -> [52.71.57.184] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286428/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mygreencity.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.alisa-nails-koeln.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286413/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_19; classtype:trojan-activity; sid:91286413; rev:1;) alert tcp $HOME_NET any -> [5.59.248.211] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"krestaop.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"lustrafeel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"pumcarcheto.red"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"mastgonzo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
80%)"; dns_query; content:"loolsena.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"riscoarchez.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286383; rev:1;) alert tcp $HOME_NET any -> [85.239.61.165] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_19; classtype:trojan-activity; sid:91286384; rev:1;) alert tcp $HOME_NET any -> [192.153.57.136] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286394/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_19; classtype:trojan-activity; sid:91286394; rev:1;) alert tcp $HOME_NET any -> [192.236.160.230] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286395/; target:src_ip; metadata: confidence_level 85, first_seen 2024_06_19; classtype:trojan-activity; sid:91286395; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286483/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286483; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286482; rev:1;) alert tcp $HOME_NET any -> [45.83.31.253] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286481; rev:1;) alert tcp $HOME_NET any -> [193.26.115.78] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286480; rev:1;) alert tcp $HOME_NET any -> [128.90.129.55] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286479; rev:1;) alert tcp $HOME_NET any -> [207.246.119.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286478; rev:1;) alert tcp $HOME_NET any -> [124.220.133.70] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286477; rev:1;) alert tcp $HOME_NET any -> [46.246.4.17] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286476; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286475; rev:1;) alert tcp $HOME_NET any -> [171.80.217.247] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286474; rev:1;) alert tcp $HOME_NET any -> [159.65.114.122] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.59.57.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286472/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286472; rev:1;) alert tcp $HOME_NET any -> [80.76.49.148] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alvinclayman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286426; rev:1;) alert tcp $HOME_NET any -> [194.67.193.26] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286424; rev:1;) alert tcp $HOME_NET any -> [194.67.193.28] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286425/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_19; classtype:trojan-activity; sid:91286425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.140.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_19; classtype:trojan-activity; sid:91286423; rev:1;) alert tcp $HOME_NET 
any -> [194.67.193.205] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286421/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286421; rev:1;) alert tcp $HOME_NET any -> [194.67.193.247] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286422/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286422; rev:1;) alert tcp $HOME_NET any -> [194.67.193.206] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286419/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286419; rev:1;) alert tcp $HOME_NET any -> [194.67.193.246] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286420/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286420; rev:1;) alert tcp $HOME_NET any -> [194.67.193.245] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286418/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_19; classtype:trojan-activity; sid:91286418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ahaamthuc.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"barusake.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"aberzing.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"marusto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sekubar.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"rebusand.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286407; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lameruka.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"reliseti.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pentefaith.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_19; classtype:trojan-activity; sid:91286405; rev:1;) alert tcp $HOME_NET any -> [194.67.193.205] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"chubcharm.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ahazko.com"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ricoshea.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286402; rev:1;) alert tcp $HOME_NET any -> [185.31.200.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"teleshow.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teleshow.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286399; rev:1;) alert tcp $HOME_NET any -> [43.139.124.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286397/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.124.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286396; rev:1;) alert tcp $HOME_NET any -> [193.168.143.169] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286393; rev:1;) alert tcp $HOME_NET any -> [8.138.118.107] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286392; rev:1;) alert tcp $HOME_NET any -> [123.57.90.204] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"kwqislxk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286388/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fastsecurityup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kwqislxk.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"kwqislxk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"fastsecurityup.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; 
content:"fastsecurityup.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286385; rev:1;) alert tcp $HOME_NET any -> [47.97.31.229] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286376; rev:1;) alert tcp $HOME_NET any -> [212.86.114.67] 42666 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286375; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286374; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286373; rev:1;) alert tcp $HOME_NET any -> [45.138.16.66] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286372; rev:1;) 
alert tcp $HOME_NET any -> [194.26.192.214] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286371; rev:1;) alert tcp $HOME_NET any -> [193.124.115.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286369; rev:1;) alert tcp $HOME_NET any -> [43.134.118.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286368; rev:1;) alert tcp $HOME_NET any -> [154.9.229.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286367; rev:1;) alert tcp $HOME_NET any -> [47.119.22.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286366; rev:1;) alert tcp $HOME_NET any -> [23.94.168.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1286365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286365; rev:1;) alert tcp $HOME_NET any -> [91.92.248.143] 1011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286364; rev:1;) alert tcp $HOME_NET any -> [69.157.7.226] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286363; rev:1;) alert tcp $HOME_NET any -> [65.20.79.2] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286362; rev:1;) alert tcp $HOME_NET any -> [38.180.83.85] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286361; rev:1;) alert tcp $HOME_NET any -> [195.123.219.150] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286360; rev:1;) alert tcp $HOME_NET any -> [5.252.177.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286359; rev:1;) alert tcp $HOME_NET any -> [35.209.99.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286358; rev:1;) alert tcp $HOME_NET any -> [81.43.20.223] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286357; rev:1;) alert tcp $HOME_NET any -> [206.237.28.231] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286356; rev:1;) alert tcp $HOME_NET any -> [65.153.151.50] 10011 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286355; rev:1;) alert tcp $HOME_NET any -> [13.60.91.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286354; rev:1;) alert tcp 
$HOME_NET any -> [51.20.134.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286353; rev:1;) alert tcp $HOME_NET any -> [103.117.101.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286352; rev:1;) alert tcp $HOME_NET any -> [152.42.198.168] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286351; rev:1;) alert tcp $HOME_NET any -> [72.5.43.15] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286350; rev:1;) alert tcp $HOME_NET any -> [94.228.166.40] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"91.92.254.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.thaiticketmajor.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-rfgb6jer-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286172/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-rfgb6jer-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"58.185.25.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.176"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286170; rev:1;) alert tcp $HOME_NET any -> [185.172.128.110] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286169; rev:1;) alert tcp $HOME_NET any -> [103.198.26.130] 56765 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286168/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286168; rev:1;) alert tcp $HOME_NET any -> [103.198.26.130] 45645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_18; classtype:trojan-activity; sid:91286167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.12.19.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286166; rev:1;) alert tcp $HOME_NET any -> [39.100.66.199] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.xincyun.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xincyun.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"193.239.86.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286162; rev:1;) alert tcp $HOME_NET any -> [39.100.74.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.74.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286160; rev:1;) alert tcp $HOME_NET any -> [58.185.25.6] 8585 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; 
http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286158; rev:1;) alert tcp $HOME_NET any -> [136.144.240.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/questions/32251816/c-sharp-directives-compilation-error"; depth:56; nocase; http.host; content:"magnitogorsk.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magnitogorsk.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"flynotion.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286152; rev:1;) alert tcp $HOME_NET any -> [54.226.186.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"flynotion.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evokvm.eu.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286149; rev:1;) alert tcp $HOME_NET any -> [142.171.234.248] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/avatars"; depth:8; nocase; http.host; content:"evokvm.eu.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286148; rev:1;) alert tcp $HOME_NET any -> [1.92.96.35] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"47.115.53.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286146; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286144; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updatel2.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"anexchange.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"callias.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"plagmat.store"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bugday.site"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1286139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.142.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.55.53.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.205.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.205.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"theemir.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"poocoin.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286131; rev:1;) alert tcp $HOME_NET any -> [95.216.182.224] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286125/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286125; rev:1;) alert tcp $HOME_NET any -> [95.216.182.224] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286126; rev:1;) alert tcp $HOME_NET any -> [78.47.205.62] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286128; rev:1;) alert tcp $HOME_NET any -> [162.55.53.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286129; rev:1;) alert tcp $HOME_NET any -> [95.216.142.162] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poocoin.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theemir.xyz"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bugday.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plagmat.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callias.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anexchange.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286124; rev:1;) alert tcp $HOME_NET any -> [94.156.68.100] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286118/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_18; classtype:trojan-activity; sid:91286118; rev:1;) alert tcp $HOME_NET any -> [46.246.14.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286117; rev:1;) alert tcp $HOME_NET any -> [207.174.26.69] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286116; rev:1;) alert tcp $HOME_NET any -> [34.67.130.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286115; rev:1;) alert tcp $HOME_NET any -> [101.35.228.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286114; rev:1;) alert tcp $HOME_NET any -> [139.180.156.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286113; rev:1;) alert tcp $HOME_NET any -> [46.246.12.19] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286112; rev:1;) alert tcp $HOME_NET any -> [198.23.173.178] 60012 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286111; rev:1;) alert tcp $HOME_NET any -> [121.45.71.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286110; rev:1;) alert tcp $HOME_NET any -> [182.30.23.115] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286109; rev:1;) alert tcp $HOME_NET any -> [45.61.135.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286108; rev:1;) alert tcp $HOME_NET any -> [185.38.142.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286107; rev:1;) alert tcp $HOME_NET any -> [185.29.8.219] 8080 (msg:"ThreatFox BianLian 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286106; rev:1;) alert tcp $HOME_NET any -> [202.69.47.95] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286105; rev:1;) alert tcp $HOME_NET any -> [102.44.180.221] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_18; classtype:trojan-activity; sid:91286104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"goalcempiz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286054/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"grizmotras.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286055/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"grunzalom.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286056/; target:src_ip; 
metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"jertacco.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286058/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"jarinamaers.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286057/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"kokcheez.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286059/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"mastralakkot.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286060/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"miistoria.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286061/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286061; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"minndarespo.icu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286062/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"niceburlat.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286063/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"pewwhranet.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286064/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"plwskoret.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286065/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"popfealt.one"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286066/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"postolwepok.tech"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286067/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"scifimond.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286068/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"startmast.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286070/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"titnovacrion.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286071/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ganowernis.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286051/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ginzbargatey.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286053/; target:src_ip; metadata: confidence_level 49, 
first_seen 2024_06_18; classtype:trojan-activity; sid:91286053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fasestarkalim.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286048/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"fluraresto.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286049/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"frotneels.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286050/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"ganstaeraop.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286052/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"drifajizo.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286047/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aytobusesre.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286045/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"drendormedia.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286046/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"aplihartom.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286044/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"skinnyjeanso.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286069/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"trasenanoyr.best"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286072/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wikistarhmania.com"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1286073/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"wrankaget.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286074/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"zumkoshapsret.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286075/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_18; classtype:trojan-activity; sid:91286075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"upstatesunflowerfestival.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; 
depth:17; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"upstatesunflowerfestival.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.aalborgfaegteklub.dk"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"www.ackesbilservice.se"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286095; rev:1;) alert tcp $HOME_NET any -> [185.196.9.26] 6302 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; 
classtype:trojan-activity; sid:91286103; rev:1;) alert tcp $HOME_NET any -> [34.65.245.112] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286102; rev:1;) alert tcp $HOME_NET any -> [34.125.95.100] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286101; rev:1;) alert tcp $HOME_NET any -> [35.237.76.147] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286099; rev:1;) alert tcp $HOME_NET any -> [173.44.141.66] 3121 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linepacketgeoasyncuniversal.php"; depth:32; nocase; http.host; content:"a0994812.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286097; rev:1;) alert tcp $HOME_NET any -> [105.154.97.216] 10000 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_18; classtype:trojan-activity; sid:91286096; rev:1;) alert tcp $HOME_NET any -> [79.137.205.182] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_18; classtype:trojan-activity; sid:91286093; rev:1;) alert tcp $HOME_NET any -> [94.156.65.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opensecurity-legacy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1286087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"opensecurity-legacy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286086; rev:1;) alert tcp $HOME_NET any -> [8.138.23.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/fp/283vv1fh6lymwufjad8ftwr8ztbgsxicow3wrgg"; depth:56; nocase; http.host; content:"8.138.23.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"103.97.59.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286082; rev:1;) alert tcp $HOME_NET any -> [103.97.59.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286083; rev:1;) alert tcp $HOME_NET any -> [104.129.20.167] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286079; rev:1;) alert tcp $HOME_NET any -> [190.211.254.153] 443 
(msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286080; rev:1;) alert tcp $HOME_NET any -> [5.230.34.68] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286081; rev:1;) alert tcp $HOME_NET any -> [5.255.113.173] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91286078; rev:1;) alert tcp $HOME_NET any -> [47.94.11.195] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286077; rev:1;) alert tcp $HOME_NET any -> [47.93.190.162] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip.zto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1286043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"vip.zto.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"79.110.49.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286039; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1286038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286038; rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286037; rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286036; rev:1;) alert tcp $HOME_NET any -> [47.121.120.18] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286035; rev:1;) alert tcp $HOME_NET any -> [157.20.182.5] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286034; rev:1;) alert tcp $HOME_NET any -> [106.54.2.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286033; rev:1;) alert tcp $HOME_NET any -> [103.30.78.8] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286032; rev:1;) alert tcp $HOME_NET any -> [35.181.4.33] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286031; rev:1;) alert tcp $HOME_NET any -> [178.163.140.156] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286030; rev:1;) alert tcp $HOME_NET any -> [20.25.175.214] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286029; rev:1;) alert tcp $HOME_NET any -> [185.229.9.27] 8090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286028; rev:1;) alert tcp $HOME_NET any -> [45.41.187.137] 7613 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286027; rev:1;) alert tcp $HOME_NET any -> [16.16.185.182] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91286026; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286025; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286023; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286024; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286022/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_17; classtype:trojan-activity; sid:91286022; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91286021; rev:1;) alert tcp $HOME_NET any -> [85.208.108.4] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286020; rev:1;) alert tcp $HOME_NET any -> [8.134.146.35] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286019; rev:1;) alert tcp $HOME_NET any -> [39.165.218.230] 22223 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286018/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286018; rev:1;) alert tcp $HOME_NET any -> [54.226.186.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286017/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286017; rev:1;) alert tcp $HOME_NET any -> [38.207.178.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286016; rev:1;) alert tcp $HOME_NET any -> [45.149.92.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286015; rev:1;) alert tcp $HOME_NET any -> [47.238.48.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1286014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91286014; rev:1;) alert tcp $HOME_NET any -> [94.156.68.38] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285909; rev:1;) alert tcp $HOME_NET any -> [185.237.165.53] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285769; rev:1;) alert tcp $HOME_NET any -> [45.155.250.89] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285768; rev:1;) alert tcp 
$HOME_NET any -> [185.237.206.119] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285767; rev:1;) alert tcp $HOME_NET any -> [31.214.157.103] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"proresupdate.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"icarusairlines.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/33per.php"; depth:17; nocase; http.host; content:"icarusairlines.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"hamaraneta.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessdownloads.ltd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/369eea3a.php"; depth:13; nocase; http.host; content:"a0995485.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1285763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"proresupdate.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.75.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285759; rev:1;) alert tcp $HOME_NET any -> [8.134.75.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.238.235.164"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285757; rev:1;) alert tcp $HOME_NET any -> [119.3.190.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.3.190.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.221.24.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285754/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"112.124.6.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.78.131.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285752; rev:1;) alert tcp $HOME_NET any -> [89.116.128.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"89.116.128.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.111.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285748; rev:1;) alert tcp $HOME_NET any -> [49.235.122.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.10.min.js"; depth:21; nocase; http.host; content:"39.101.193.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285745; rev:1;) alert tcp $HOME_NET any -> [39.101.193.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"83.229.122.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285744; rev:1;) alert tcp $HOME_NET any -> [107.173.89.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"107.173.89.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.67.221.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"106.52.102.35"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1285740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285740; rev:1;) alert tcp $HOME_NET any -> [49.235.122.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0994622.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x99y.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea7887ac.php"; depth:13; nocase; http.host; content:"cq11142.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"biricruelidurdursunn.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"gurcistancruell33.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"cruelveblack32.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"cruelgurcistandaaaa42.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"lalagkcvagurcuuuu.com"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzrmzmjjztg1zmvj/"; depth:18; nocase; http.host; content:"biricruelidurdursunloo.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"senanlamazsndili.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"keskinbaltadndu.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"zatenacikmisttm.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285700/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_06_17; classtype:trojan-activity; sid:91285700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sokakdaldiregibas.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"chennemburasialmnya.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"avmevsimibsladikk.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"verelmsnieldenele.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"amagibikertenkeellee.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gldigimyerchennmindibi.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kraltacikralmisinhaci.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ustuneyagdimrmi.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bedelniodedkicmzynayna.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tlefondingalokimo.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birdnbireoluvrdihrsy.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sefernakliatfln.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285714/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; 
content:"bilereklermibildiler.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285713/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"uzanrmigokyuzuneumutlarm.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285715/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gozlermkankrmizisi.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285712/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dardidardomama.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285716/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"giydirbilirfren.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285717/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"multipay-3d.website"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285718/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"novediaben52.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285719/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"novediayladostadogru3.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285720/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"kolaicmiyorumlanben3.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285721/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285721; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"uyumuyorumlanben2.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjnlm2zhmjlhnjni/"; depth:18; nocase; http.host; content:"yemekyoksuyok42.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285723/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"guvenli-odeme.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285724/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"merhabalarlao55.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285725/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"kirmizibalikgolde34.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285726/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"selamkralhg5.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285727/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"uiyynuripapacum55.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285728/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; http.host; content:"selamcanim2361.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjk4yza3mgnhzjfl/"; depth:18; nocase; 
http.host; content:"naberbebekbenkelebek34.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e10fc428.php"; depth:13; nocase; http.host; content:"a0995122.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raud/get.php"; depth:13; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zx29"; depth:5; nocase; http.host; content:"101.133.148.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_17; classtype:trojan-activity; sid:91285689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-8gtq0019-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285687/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8gtq0019-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.thaiticketmajor.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"www.thaiticketmajor.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel"; depth:6; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz61028.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285681; rev:1;) alert tcp $HOME_NET any -> [91.92.255.172] 15170 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285680; rev:1;) alert tcp $HOME_NET any -> [47.236.149.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel"; depth:6; nocase; http.host; content:"47.236.149.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987400.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"welfare.sjp.ac.lk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"welfare.sjp.ac.lk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.henko.nu"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.henko.nu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.snowbombing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/article.php"; depth:12; nocase; http.host; content:"wp.snowbombing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b674edbb.php"; depth:13; nocase; http.host; content:"a0994533.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; 
classtype:trojan-activity; sid:91285676; rev:1;)
# ---------------------------------------------------------------------------
# Review notes on this ThreatFox excerpt (rules re-lined one per line; the
# first and last lines of this span are fragments of rules that continue in
# the surrounding file).
#
# Three rule shapes appear below:
#  * "ip:port" rules: alert tcp $HOME_NET any -> [IP] PORT with no flow or
#    content keyword, so any packet from $HOME_NET toward that IP:port fires
#    (including traffic that never completes a handshake, and benign traffic
#    if the address is later reassigned). threshold "type limit, track by_src,
#    seconds 60, count 1" caps alerts at one per internal source per 60 s;
#    target:src_ip marks the internal host as the affected asset.
#  * "domain" rules: dns_query; content:"<name>"; depth:<len>; ...;
#    isdataat:!1,relative. depth equals the name length and isdataat:!1
#    requires nothing after it, so the queried name must equal the listed
#    domain exactly; subdomains of it (e.g. www.<name>) do not match.
#  * "url" rules: exact http.host match (same depth + isdataat pattern), URI
#    matched only as a prefix of the given length. http.host carries no
#    nocase; Suricata documents that buffer as lowercase-normalized, so the
#    host test is still case-insensitive — confirm against the deployed
#    engine version.
#
# sid = "9" followed by the ThreatFox IOC id from the reference URL; the
# confidence percentage in msg is mirrored in metadata confidence_level
# (several rules below carry 50 or 75, the family name being the reporter's
# attribution).
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcf-sj.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0986195.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285674; rev:1;)
alert tcp $HOME_NET any -> [95.216.142.162] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285670; rev:1;)
alert tcp $HOME_NET any -> [162.55.53.18] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285671; rev:1;)
alert tcp $HOME_NET any -> [195.201.47.189] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285672; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feeldog.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285673; rev:1;)
# The next four url rules test the URI with content:"/" depth:1, which every
# request URI satisfies; the exact http.host match is the only discriminating
# condition, so they amount to "any GET to that host".
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"feeldog.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.55.53.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.142.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285666; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285665; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285663; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285664; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 10651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285662; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.92] 27953 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/935156794695"; depth:23; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285660; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.249] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285659; rev:1;)
alert tcp $HOME_NET any -> [101.33.226.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285658; rev:1;)
alert tcp $HOME_NET any -> [114.132.46.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285657; rev:1;)
alert tcp $HOME_NET any -> [175.178.90.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"ulysse-cazabonne.cam"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285655; rev:1;)
alert tcp $HOME_NET any -> [118.25.150.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285654; rev:1;)
alert tcp $HOME_NET any -> [103.99.178.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285653; rev:1;)
alert tcp $HOME_NET any -> [45.241.42.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285652; rev:1;)
alert tcp $HOME_NET any -> [139.59.161.102] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285651; rev:1;)
alert tcp $HOME_NET any -> [45.77.190.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285650; rev:1;)
alert tcp $HOME_NET any -> [45.32.128.142] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285649; rev:1;)
alert tcp $HOME_NET any -> [91.231.186.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285648; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20075 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285647; rev:1;)
alert tcp $HOME_NET any -> [51.15.227.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285646; rev:1;)
alert tcp $HOME_NET any -> [51.20.76.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_17; classtype:trojan-activity; sid:91285645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8625e85.php"; depth:13; nocase; http.host; content:"a0992097.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285644; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.172] 15230 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/32f05f31.php"; depth:13; nocase; http.host; content:"a0994900.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"host1871899.hostland.pro"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/882842611"; depth:20; nocase; http.host; content:"104.248.205.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285640; rev:1;)
alert tcp $HOME_NET any -> [94.228.166.59] 1441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_17; classtype:trojan-activity; sid:91285639; rev:1;)
alert tcp $HOME_NET any -> [124.70.99.224] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285634; rev:1;)
alert tcp $HOME_NET any -> [8.131.50.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285633; rev:1;)
alert tcp $HOME_NET any -> [101.201.54.74] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285632/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285632; rev:1;)
alert tcp $HOME_NET any -> [116.62.197.217] 3663 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285631/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285631; rev:1;)
alert tcp $HOME_NET any -> [138.2.50.211] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285630; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.216] 10518 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285629; rev:1;)
alert tcp $HOME_NET any -> [116.114.20.180] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285628/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285628; rev:1;)
alert tcp $HOME_NET any -> [8.134.146.35] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285627/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285627; rev:1;)
alert tcp $HOME_NET any -> [193.239.86.156] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285626/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_17; classtype:trojan-activity; sid:91285626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a32875a6.php"; depth:13; nocase; http.host; content:"a0986288.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285625; rev:1;)
alert tcp $HOME_NET any -> [165.154.33.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285624; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285623; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285622; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285621; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12984 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285620; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"homeimageidea.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285619; rev:1;)
alert tcp $HOME_NET any -> [46.249.58.101] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285617; rev:1;)
alert tcp $HOME_NET any -> [194.26.141.31] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285618; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_central.php"; depth:13; nocase; http.host; content:"424673cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285616; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"150.158.13.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285615; rev:1;)
alert tcp $HOME_NET any -> [149.56.30.19] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285614; rev:1;)
alert tcp $HOME_NET any -> [149.56.30.19] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285613; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.85] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285612; rev:1;)
alert tcp $HOME_NET any -> [45.83.31.241] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285611; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.213] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285610; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.213] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285609; rev:1;)
alert tcp $HOME_NET any -> [45.88.186.213] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285608; rev:1;)
alert tcp $HOME_NET any -> [31.124.151.250] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285607; rev:1;)
alert tcp $HOME_NET any -> [185.186.146.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285606; rev:1;)
alert tcp $HOME_NET any -> [114.132.61.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285605; rev:1;)
alert tcp $HOME_NET any -> [142.247.185.41] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285604; rev:1;)
alert tcp $HOME_NET any -> [196.64.171.157] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285603; rev:1;)
alert tcp $HOME_NET any -> [202.61.204.177] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285602; rev:1;)
alert tcp $HOME_NET any -> [110.175.49.3] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285601; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.39] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285600; rev:1;)
alert tcp $HOME_NET any -> [217.182.76.45] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/528ed93e.php"; depth:13; nocase; http.host; content:"a0993996.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285596; rev:1;)
alert tcp $HOME_NET any -> [43.138.181.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285442; rev:1;)
alert tcp $HOME_NET any -> [39.105.126.81] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285441; rev:1;)
alert tcp $HOME_NET any -> [47.121.117.100] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285440; rev:1;)
alert tcp $HOME_NET any -> [94.247.42.62] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285439; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.106] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285438; rev:1;)
alert tcp $HOME_NET any -> [47.96.184.137] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285437; rev:1;)
alert tcp $HOME_NET any -> [117.72.41.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285436; rev:1;)
alert tcp $HOME_NET any -> [188.166.210.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285435; rev:1;)
alert tcp $HOME_NET any -> [149.0.1.32] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285434; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ieee-ecce.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285430; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kauzalvip.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285431; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nakit-yok.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285432; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nathanhr.services"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_16; classtype:trojan-activity; sid:91285433; rev:1;)
# Several hosts below appear both in an ip:port rule and in one or more url
# rules for the same address (e.g. 103.185.248.178, 134.175.233.55,
# 101.35.252.242); a single session to such a host can therefore raise more
# than one alert, with the ip:port rule rate-limited and the url rules not.
alert tcp $HOME_NET any -> [103.185.248.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.185.248.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.32.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285427; rev:1;)
alert tcp $HOME_NET any -> [5.188.88.20] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"42.239.152.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285425; rev:1;)
alert tcp $HOME_NET any -> [165.227.208.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285424; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evolved-fashion.azurewebsites.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geo.php"; depth:8; nocase; http.host; content:"evolved-fashion.azurewebsites.net"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285422; rev:1;)
alert tcp $HOME_NET any -> [103.185.248.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.185.248.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285420; rev:1;)
alert tcp $HOME_NET any -> [45.141.87.16] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285419; rev:1;)
alert tcp $HOME_NET any -> [134.175.233.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.175.233.55"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.35.252.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285415; rev:1;)
alert tcp $HOME_NET any -> [101.35.252.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285416; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor.kdkz1213.icu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285414; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.kdkz1213.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"monitor.kdkz1213.icu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"api.kdkz1213.icu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285411; rev:1;)
alert tcp $HOME_NET any -> [34.146.210.28] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"appstore.windowsupdate.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285408; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appstore.windowsupdate.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.198.187.234"; depth:15; isdataat:!1,relative;
reference:url, threatfox.abuse.ch/ioc/1285407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.32.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285403; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"checkupgpt.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"checkupgpt.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/aisigus9nhmsi6alwcxw9p"; depth:40; nocase; http.host; 
content:"sydnc.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sydnc.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/12c5a512.php"; depth:13; nocase; http.host; content:"a0993445.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwu1ztrhmzu1zjdi/"; depth:18; nocase; http.host; content:"jaffioptru.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwu1ztrhmzu1zjdi/"; depth:18; nocase; http.host; content:"jaffioptru.biz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285395; rev:1;) alert tcp $HOME_NET any -> 
[185.62.86.134] 1411 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285393; rev:1;) alert tcp $HOME_NET any -> [94.156.8.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285392; rev:1;) alert tcp $HOME_NET any -> [185.216.70.62] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285391; rev:1;) alert tcp $HOME_NET any -> [2.50.34.69] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285390; rev:1;) alert tcp $HOME_NET any -> [175.10.44.100] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285389; rev:1;) alert tcp $HOME_NET any -> [91.236.230.33] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285388/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285388; rev:1;) alert tcp $HOME_NET any -> [111.19.135.79] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285387; rev:1;) alert tcp $HOME_NET any -> [36.159.60.161] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_16; classtype:trojan-activity; sid:91285386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0993651.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285385; rev:1;) alert tcp $HOME_NET any -> [192.227.228.34] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285384; rev:1;) alert tcp $HOME_NET any -> [192.227.228.34] 1124 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285383; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0994027.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285382; rev:1;) alert tcp $HOME_NET any -> [185.222.58.77] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285381; rev:1;) alert tcp $HOME_NET any -> [41.249.109.69] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_16; classtype:trojan-activity; sid:91285380; rev:1;) alert tcp $HOME_NET any -> [173.44.141.117] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285379; rev:1;) alert tcp $HOME_NET any -> [93.95.225.24] 4093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285378; rev:1;) alert tcp $HOME_NET any -> [156.242.43.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285377; rev:1;) alert tcp $HOME_NET any -> [91.92.255.159] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285376; rev:1;) alert tcp $HOME_NET any -> [5.182.87.173] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285375; rev:1;) alert tcp $HOME_NET any -> [194.180.191.6] 26996 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285374; rev:1;) alert tcp $HOME_NET any -> [185.200.221.19] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285373; rev:1;) alert tcp $HOME_NET any -> [5.252.176.30] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285372; rev:1;) alert tcp 
$HOME_NET any -> [94.156.65.236] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285371; rev:1;) alert tcp $HOME_NET any -> [8.134.102.18] 8282 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285370; rev:1;) alert tcp $HOME_NET any -> [58.87.70.252] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_16; classtype:trojan-activity; sid:91285369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"l0sscommun.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285368; rev:1;) alert tcp $HOME_NET any -> [79.110.49.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home_active"; depth:16; nocase; http.host; content:"79.110.49.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.glamourstorepa.com.br"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1285365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285365; rev:1;) alert tcp $HOME_NET any -> [45.83.31.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285364; rev:1;) alert tcp $HOME_NET any -> [45.83.31.241] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285363; rev:1;) alert tcp $HOME_NET any -> [207.174.26.70] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285362; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 6669 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1285361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285361; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 6668 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285360; rev:1;) alert tcp $HOME_NET any -> [37.44.244.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285359; rev:1;) alert tcp $HOME_NET any -> [108.142.155.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285358; rev:1;) alert tcp $HOME_NET any -> [124.222.164.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285357; rev:1;) alert tcp $HOME_NET any -> [1.161.70.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285356; rev:1;) alert tcp $HOME_NET any -> [15.164.161.42] 4443 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polllongpollasyncdleuploads.php"; depth:32; nocase; http.host; content:"196844cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285354; rev:1;) alert tcp $HOME_NET any -> [45.137.22.67] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285353; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285352; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285351; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15683 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1285350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285350; rev:1;) alert tcp $HOME_NET any -> [47.113.107.52] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285160; rev:1;) alert tcp $HOME_NET any -> [124.156.166.78] 8765 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285159; rev:1;) alert tcp $HOME_NET any -> [92.118.170.81] 63845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285158; rev:1;) alert tcp $HOME_NET any -> [47.243.57.229] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285157; rev:1;) alert tcp $HOME_NET any -> [123.249.11.152] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285156/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285156; rev:1;) alert tcp $HOME_NET any -> 
[123.249.11.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285155; rev:1;) alert tcp $HOME_NET any -> [156.242.47.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91285154; rev:1;) alert tcp $HOME_NET any -> [185.236.228.125] 15140 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285153; rev:1;) alert tcp $HOME_NET any -> [90.188.254.248] 5655 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285152; rev:1;) alert tcp $HOME_NET any -> [5.35.98.86] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285151; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285150/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285150; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285148; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 9990 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285149; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285147; rev:1;) alert tcp $HOME_NET any -> [98.67.161.144] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285146; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285145; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285144; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285143; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285142; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285141; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285140; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285138; rev:1;) alert tcp $HOME_NET 
any -> [213.195.117.131] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285139; rev:1;) alert tcp $HOME_NET any -> [103.195.102.21] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285137; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 5020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285136; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285135; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 1998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285133; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285134/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285134; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285132; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285131; rev:1;) alert tcp $HOME_NET any -> [185.212.47.40] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285130; rev:1;) alert tcp $HOME_NET any -> [38.180.92.22] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285128; rev:1;) alert tcp $HOME_NET any -> [38.180.92.22] 3333 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285129; rev:1;) alert tcp $HOME_NET any -> [157.20.182.6] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285127; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285126; rev:1;) alert tcp $HOME_NET any -> [45.80.158.22] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285125; rev:1;) alert tcp $HOME_NET any -> [66.225.254.182] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285124; rev:1;) alert tcp $HOME_NET any -> [66.225.254.182] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285123; rev:1;) alert tcp $HOME_NET any -> [66.225.254.182] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285122; rev:1;) alert tcp $HOME_NET any -> [193.26.115.74] 
8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285121; rev:1;) alert tcp $HOME_NET any -> [193.26.115.74] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285119; rev:1;) alert tcp $HOME_NET any -> [193.26.115.74] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285120; rev:1;) alert tcp $HOME_NET any -> [154.17.167.74] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285118; rev:1;) alert tcp $HOME_NET any -> [51.81.105.250] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285116; rev:1;) alert tcp $HOME_NET any -> [51.81.105.250] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285117/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_15; classtype:trojan-activity; sid:91285117; rev:1;) alert tcp $HOME_NET any -> [192.250.226.28] 7066 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285115; rev:1;) alert tcp $HOME_NET any -> [162.244.210.96] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285114; rev:1;) alert tcp $HOME_NET any -> [162.244.210.96] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285113; rev:1;) alert tcp $HOME_NET any -> [162.244.210.96] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285112; rev:1;) alert tcp $HOME_NET any -> [66.225.254.222] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285110; rev:1;) alert tcp $HOME_NET any -> [66.225.254.222] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285111; rev:1;) alert tcp $HOME_NET any -> [66.225.254.222] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285109; rev:1;) alert tcp $HOME_NET any -> [185.62.86.134] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285108; rev:1;) alert tcp $HOME_NET any -> [185.16.38.38] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285107; rev:1;) alert tcp $HOME_NET any -> [185.16.38.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285106; rev:1;) alert tcp $HOME_NET any -> [185.16.38.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285105; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 7707 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285104; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285102; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285103; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285101; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285100; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285098/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_15; classtype:trojan-activity; sid:91285098; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285099; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285097; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285096; rev:1;) alert tcp $HOME_NET any -> [45.94.31.124] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285095; rev:1;) alert tcp $HOME_NET any -> [45.94.31.124] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285094; rev:1;) alert tcp $HOME_NET any -> [45.94.31.124] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1285093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285093; rev:1;) alert tcp $HOME_NET any -> [162.244.210.92] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285091; rev:1;) alert tcp $HOME_NET any -> [162.244.210.92] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285092; rev:1;) alert tcp $HOME_NET any -> [162.244.210.92] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285090; rev:1;) alert tcp $HOME_NET any -> [185.25.51.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285089; rev:1;) alert tcp $HOME_NET any -> [185.25.51.99] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285088; rev:1;) alert tcp $HOME_NET any -> [185.241.208.213] 8080 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285087; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285086; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285085; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285084; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285082; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285083; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285081; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285080; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285079; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285077; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285078; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1285076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285076; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285075; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285074; rev:1;) alert tcp $HOME_NET any -> [158.220.83.114] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285072; rev:1;) alert tcp $HOME_NET any -> [158.220.83.114] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285073; rev:1;) alert tcp $HOME_NET any -> [45.126.209.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285071; rev:1;) alert tcp $HOME_NET any -> [45.126.209.67] 6606 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285070; rev:1;) alert tcp $HOME_NET any -> [185.196.11.252] 1338 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285069; rev:1;) alert tcp $HOME_NET any -> [185.196.11.252] 1999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285068; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285067; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285066; rev:1;) alert tcp $HOME_NET any -> [186.137.33.82] 2113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285065; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285064; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285062; rev:1;) alert tcp $HOME_NET any -> [162.244.210.243] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285063; rev:1;) alert tcp $HOME_NET any -> [149.56.30.19] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285061; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 4848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285060; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1285058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285058; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285059; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285057; rev:1;) alert tcp $HOME_NET any -> [108.174.200.80] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285056; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285055; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285054; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 8808 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285053; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285051; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285052; rev:1;) alert tcp $HOME_NET any -> [134.255.217.251] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285050; rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285048; rev:1;) alert tcp $HOME_NET any -> [194.26.192.194] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285049; rev:1;) alert tcp $HOME_NET any -> [194.26.192.34] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285047; rev:1;) alert tcp $HOME_NET any -> [207.174.26.100] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285046; rev:1;) alert tcp $HOME_NET any -> [115.223.43.224] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285045; rev:1;) alert tcp $HOME_NET any -> [61.14.233.130] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285044; rev:1;) alert tcp $HOME_NET any -> [61.14.233.130] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285043; rev:1;) alert tcp $HOME_NET any -> [61.14.233.130] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1285042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285042; rev:1;) alert tcp $HOME_NET any -> [163.5.64.209] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285041; rev:1;) alert tcp $HOME_NET any -> [163.5.64.209] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285039; rev:1;) alert tcp $HOME_NET any -> [163.5.64.209] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285040; rev:1;) alert tcp $HOME_NET any -> [128.90.113.119] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285038; rev:1;) alert tcp $HOME_NET any -> [104.223.22.86] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285036; rev:1;) alert tcp $HOME_NET any -> [104.223.22.86] 8888 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285037; rev:1;) alert tcp $HOME_NET any -> [207.32.218.51] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285035; rev:1;) alert tcp $HOME_NET any -> [178.73.192.10] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285034; rev:1;) alert tcp $HOME_NET any -> [128.90.113.241] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285033; rev:1;) alert tcp $HOME_NET any -> [94.156.8.181] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285032; rev:1;) alert tcp $HOME_NET any -> [94.156.8.181] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285031; rev:1;) alert tcp $HOME_NET any -> [142.11.201.125] 8716 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285030; rev:1;) alert tcp $HOME_NET any -> [142.11.201.125] 8715 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285029; rev:1;) alert tcp $HOME_NET any -> [142.202.240.93] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285028; rev:1;) alert tcp $HOME_NET any -> [142.202.240.93] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285027; rev:1;) alert tcp $HOME_NET any -> [136.243.111.71] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285026; rev:1;) alert tcp $HOME_NET any -> [136.243.111.71] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1285025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285025; rev:1;) alert tcp $HOME_NET any -> [45.83.31.241] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285024; rev:1;) alert tcp $HOME_NET any -> [95.216.41.33] 83 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285023; rev:1;) alert tcp $HOME_NET any -> [172.81.60.16] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285022; rev:1;) alert tcp $HOME_NET any -> [93.123.39.166] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285021; rev:1;) alert tcp $HOME_NET any -> [45.126.209.49] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285020; rev:1;) alert tcp $HOME_NET any -> [108.165.237.196] 7707 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285019; rev:1;) alert tcp $HOME_NET any -> [51.89.207.240] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285018; rev:1;) alert tcp $HOME_NET any -> [154.194.50.163] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285017; rev:1;) alert tcp $HOME_NET any -> [135.181.65.141] 4099 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285016; rev:1;) alert tcp $HOME_NET any -> [104.238.173.66] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285015; rev:1;) alert tcp $HOME_NET any -> [94.156.8.54] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91285014; rev:1;) alert tcp $HOME_NET any -> [157.254.223.212] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285013; rev:1;) alert tcp $HOME_NET any -> [41.216.188.58] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285012; rev:1;) alert tcp $HOME_NET any -> [3.26.159.73] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285011; rev:1;) alert tcp $HOME_NET any -> [185.228.235.158] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91285010; rev:1;) alert tcp $HOME_NET any -> [185.237.165.180] 47454 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285009; rev:1;) alert tcp $HOME_NET any -> [8.217.21.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1285008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.217.21.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"119.28.153.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.103.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.14.250.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; 
sid:91285004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.108.182.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285003; rev:1;) alert tcp $HOME_NET any -> [34.146.210.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"web.windowsupdate.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1285001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285001; rev:1;) alert tcp $HOME_NET any -> [116.205.189.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1285000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91285000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.205.189.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284999/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.58.220.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"119.28.153.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284997; rev:1;) alert tcp $HOME_NET any -> [45.32.52.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.32.52.84"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.220.167.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284994; rev:1;) alert tcp $HOME_NET any -> [92.118.112.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"whole-girl-gw.aws-usw2.cloud-ara.tyk.io"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whole-girl-gw.aws-usw2.cloud-ara.tyk.io"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"123.58.220.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284990; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"fabguk.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"jowqem.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284964/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"kozwix.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zubpiq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"lofyam.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"rexqaf.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"wojvuz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"kipfeg.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zembix.top"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1284971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"juvqat.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"kezxof.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"podguf.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"zuclav.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284975; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"yubtaz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"fuxjeb.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"qexwip.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284977/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"vopriz.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"jizxeb.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"gupbey.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgi1mty1owrjmdc4/"; depth:18; nocase; http.host; content:"qunloz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284982; rev:1;) alert tcp $HOME_NET any -> [51.77.113.177] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284989; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 4040 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"60.204.134.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mlu/forum.php"; depth:14; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nqtj"; depth:5; nocase; http.host; 
content:"82.156.199.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_15; classtype:trojan-activity; sid:91284983; rev:1;) alert tcp $HOME_NET any -> [82.156.199.229] 40001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284962; rev:1;) alert tcp $HOME_NET any -> [57.155.50.252] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284961; rev:1;) alert tcp $HOME_NET any -> [119.42.146.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284960; rev:1;) alert tcp $HOME_NET any -> [43.132.120.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284959; rev:1;) alert tcp $HOME_NET any -> [46.246.4.13] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284958; rev:1;) 
alert tcp $HOME_NET any -> [196.64.174.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284957; rev:1;) alert tcp $HOME_NET any -> [5.252.176.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284956; rev:1;) alert tcp $HOME_NET any -> [52.170.209.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284955; rev:1;) alert tcp $HOME_NET any -> [100.27.0.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284954; rev:1;) alert tcp $HOME_NET any -> [45.88.91.78] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284953; rev:1;) alert tcp $HOME_NET any -> [94.156.67.3] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284952/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284952; rev:1;) alert tcp $HOME_NET any -> [121.227.168.77] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284951; rev:1;) alert tcp $HOME_NET any -> [121.227.168.76] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284950; rev:1;) alert tcp $HOME_NET any -> [44.234.240.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284949; rev:1;) alert tcp $HOME_NET any -> [163.69.88.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284948; rev:1;) alert tcp $HOME_NET any -> [163.69.88.244] 10001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"220.165.229.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284946; rev:1;) alert tcp $HOME_NET any -> [173.195.100.190] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/torequestauthlongpollserversqlasyncuniversalpublic.php"; depth:55; nocase; http.host; content:"751120cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/28ebda70.php"; depth:13; nocase; http.host; content:"a0992098.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"finasterideanswers.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; 
classtype:trojan-activity; sid:91284940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"abecopiers.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"tigermm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_15; classtype:trojan-activity; sid:91284942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/23eae96c.php"; depth:13; nocase; http.host; content:"a0993204.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cq83230.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284938; rev:1;) alert tcp $HOME_NET any -> [45.61.59.110] 14462 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284937/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_15; classtype:trojan-activity; sid:91284937; rev:1;) alert tcp $HOME_NET any -> [156.242.43.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284936/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284936; rev:1;) alert tcp $HOME_NET any -> [156.242.47.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284935/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284935; rev:1;) alert tcp $HOME_NET any -> [49.232.29.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284934/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284934; rev:1;) alert tcp $HOME_NET any -> [208.85.22.155] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284933/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284933; rev:1;) alert tcp $HOME_NET any -> [175.178.236.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284932/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284932; rev:1;) alert tcp $HOME_NET any -> [156.242.45.205] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284931/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284931; rev:1;) alert tcp $HOME_NET any -> [38.147.171.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284930/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284930; rev:1;) alert tcp $HOME_NET any -> [156.242.40.202] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284929; rev:1;) alert tcp $HOME_NET any -> [139.155.68.35] 1521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284928; rev:1;) alert tcp $HOME_NET any -> [91.92.241.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284927/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284927; rev:1;) alert tcp $HOME_NET any -> [47.121.116.135] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284926/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284926; rev:1;) alert tcp 
$HOME_NET any -> [47.121.116.135] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284925/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284925; rev:1;) alert tcp $HOME_NET any -> [176.218.133.216] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284924/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_15; classtype:trojan-activity; sid:91284924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284923; rev:1;) alert tcp $HOME_NET any -> [154.247.143.197] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284922; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284921; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284920; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19650 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284919; rev:1;) alert tcp $HOME_NET any -> [45.137.22.68] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284918; rev:1;) alert tcp $HOME_NET any -> [198.244.224.83] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284916; rev:1;) alert tcp $HOME_NET any -> [5.230.45.229] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284917; rev:1;) alert tcp $HOME_NET any -> [104.129.21.52] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284915; rev:1;) alert tcp $HOME_NET any -> [120.46.132.72] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284912; rev:1;) alert tcp $HOME_NET any -> [47.94.167.208] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284913; rev:1;) alert tcp $HOME_NET any -> [8.137.149.188] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284914; rev:1;) alert tcp $HOME_NET any -> [8.141.14.176] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284911; rev:1;) alert tcp $HOME_NET any -> [119.28.159.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.28.159.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284909; rev:1;) alert tcp $HOME_NET any -> [185.172.129.208] 8708 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284908; rev:1;) alert tcp $HOME_NET any -> [46.246.12.14] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284907; rev:1;) alert tcp $HOME_NET any -> [39.40.210.126] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284906; rev:1;) alert tcp $HOME_NET any -> [66.131.154.213] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284905; rev:1;) alert tcp $HOME_NET any -> [14.19.144.236] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284904; rev:1;) alert tcp $HOME_NET any -> [121.127.33.107] 53 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284903; rev:1;) alert tcp $HOME_NET any -> [91.92.245.65] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284902; rev:1;) alert tcp $HOME_NET any -> [157.245.117.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284901; rev:1;) alert tcp $HOME_NET any -> [185.170.212.17] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284900; rev:1;) alert tcp $HOME_NET any -> [38.242.198.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284899; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 54880 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"104.21.11.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284896; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"172.67.148.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284895; rev:1;) alert tcp $HOME_NET any -> [57.128.162.39] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"slq.onlyslq.lol"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.32.202.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"118.178.133.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284466/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_14; classtype:trojan-activity; sid:91284466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.45.173.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.27.189.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"202.155.196.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284471; rev:1;)
#
# --- URL IOCs: GET /help.scr with a literal-IP Host header (first_seen 2024_06_14)
# Each rule: http.uri content "/help.scr" with depth:9 anchors the path at the
# start of the URI (nocase); http.host content "<ip>" with depth:<len> plus
# isdataat:!1,relative requires the Host header to be exactly that IP string.
# The generic path is tied to the IOC only by that Host check: a fetch of the
# same path through a DNS name, or from an address not listed here, does not
# match. "confidence level: 100%" is the confidence value carried by the
# ThreatFox feed, not a measured false-positive rate; follow the reference URL
# before promoting any of these from alert to drop. target:src_ip flags the
# $HOME_NET client as the affected host in the alert output.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"60.164.246.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"183.178.124.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284474; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.72.68.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"110.40.185.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.200.209.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"220.246.84.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.192.21.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.142.91.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"115.28.26.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.150.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284482; rev:1;)
# NOTE(review): identical match to sid:91284472 above (Host 203.2.65.29) under a
# second ThreatFox id, so one request raises two alerts; sid:91284455 further
# down this file repeats it a third time. Consolidate if that is unwanted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.67.254.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.182.69.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"218.4.199.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.159.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"81.70.35.72"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284488; rev:1;)
# NOTE(review): the next two rules repeat earlier ones apart from reference/sid:
# sid:91284489 duplicates sid:91284487 (139.159.155.204) and sid:91284490
# duplicates sid:91284482 (49.232.150.208). Each is a second alert for the same
# request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.159.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.150.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.26.186.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"43.135.169.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.4.210.149"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.163.102.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284494; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.157.17.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"61.144.96.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"182.93.54.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284497; rev:1;)
#
# --- ip:port IOCs tagged Coinminer: any TCP from $HOME_NET to <ip>:80 (one :8000)
# No flow or content keyword, so any packet toward the listed ip:port matches,
# a bare SYN included: these fire earlier than the URL rules but cannot tell a
# download from a scan, a redirect or a mistyped address.
# threshold: type limit, track by_src, seconds 60, count 1 caps output to one
# alert per internal source per minute for each rule.
# Most of these addresses are also Host values in the /help.scr URL rules of
# this file (e.g. 124.70.76.239 is sid:91284516 here and sid:91284433 there),
# so a real GET /help.scr to port 80 raises both. Nothing in these rules expires
# them and bare-IP indicators go stale fastest; re-check the reference URL
# before turning any of them into a drop.
#
alert tcp $HOME_NET any -> [47.250.148.5] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284498; rev:1;)
alert tcp $HOME_NET any -> [139.199.99.188] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284499; rev:1;)
alert tcp $HOME_NET any -> [101.32.29.172] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284500; rev:1;)
alert tcp $HOME_NET any -> [47.109.103.199] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284501; rev:1;)
alert tcp $HOME_NET any -> [210.71.232.162] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284503; rev:1;)
alert tcp $HOME_NET any -> [103.97.178.52] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284502; rev:1;)
alert tcp $HOME_NET any -> [140.143.142.124] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284504; rev:1;)
alert tcp $HOME_NET any -> [47.121.131.92] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284505; rev:1;)
alert tcp $HOME_NET any -> [106.166.173.36] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284506; rev:1;)
alert tcp $HOME_NET any -> [123.207.244.148] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284507; rev:1;)
# NOTE(review): the only ip:port rule in this set on 8000 rather than 80; the
# matching URL rule for 117.33.131.234 (sid:91284425) does not constrain the
# port, so a GET /help.scr to this host on 80 trips only the URL rule.
alert tcp $HOME_NET any -> [117.33.131.234] 8000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284508; rev:1;)
alert tcp $HOME_NET any -> [119.45.129.101] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284509; rev:1;)
alert tcp $HOME_NET any -> [42.192.201.191] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284511; rev:1;)
alert tcp $HOME_NET any -> [114.115.130.53] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284510; rev:1;)
alert tcp $HOME_NET any -> [101.43.24.3] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284512; rev:1;)
alert tcp $HOME_NET any -> [122.114.79.17] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284513; rev:1;)
alert tcp $HOME_NET any -> [114.132.232.37] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284514; rev:1;)
alert tcp $HOME_NET any -> [49.232.26.114] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284515; rev:1;)
alert tcp $HOME_NET any -> [124.70.76.239] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284516; rev:1;)
alert tcp $HOME_NET any -> [101.43.97.202] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284517; rev:1;)
alert tcp $HOME_NET any -> [119.3.45.160] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284518; rev:1;)
#
# --- URL IOCs: GET /help.scr with a literal-IP Host header, second batch -------
# Same match shape as the URL rules above (uri "/help.scr" anchored by depth:9,
# Host pinned to the exact IP string). Many of these Hosts are the same addresses
# listed in the ip:port Coinminer rules, so one download can raise two alerts.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"183.230.20.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284464; rev:1;)
#
# --- URL IOCs: GET /help.scr with a literal-IP Host header (first_seen 2024_06_14)
# Each rule: http.uri content "/help.scr" with depth:9 anchors the path at the
# start of the URI (nocase); http.host content "<ip>" with depth:<len> plus
# isdataat:!1,relative requires the Host header to be exactly that IP string,
# so a fetch through a DNS name or from an unlisted address does not match.
# "confidence level: 100%" is the confidence value carried by the ThreatFox
# feed, not a measured false-positive rate; follow the reference URL before
# promoting any of these from alert to drop. target:src_ip flags the $HOME_NET
# client as the affected host. Many Hosts below (119.3.45.160, 124.70.76.239,
# 101.43.97.202, 49.232.26.114, 122.114.79.17, 114.132.232.37, 42.192.201.191,
# 101.43.24.3, 119.45.129.101, 114.115.130.53, 106.166.173.36, 123.207.244.148,
# 47.121.131.92, 140.143.142.124, 210.71.232.162, 104.234.180.208,
# 123.249.4.124, 58.87.89.254, 180.222.182.49) also carry an ip:port
# "Coinminer" rule in this file; a GET /help.scr to port 80 raises both, and the
# Coinminer label lives only on the ip:port rule, so correlate on the address.
# 117.33.131.234's ip:port rule is on 8000, so on port 80 only this set fires.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.28.105.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"112.74.189.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"8.218.40.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"175.178.35.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"222.244.110.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284460; rev:1;)
# NOTE(review): identical match to sid:91284462 above (Host 8.218.40.158) under a
# second ThreatFox id; one request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"8.218.40.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"106.52.247.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.3.45.218"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.117.230.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.160.249.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284454; rev:1;)
# NOTE(review): third rule in this file for Host 203.2.65.29 (also sid:91284472
# and sid:91284483 earlier); one request raises three alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.2.65.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"59.175.183.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"1.32.57.145"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.71.73.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"58.215.245.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"218.200.155.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.35.99.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"27.82.11.178"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"203.70.224.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"113.28.244.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"107.173.111.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"39.103.200.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"60.205.158.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.112.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"43.233.124.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"58.87.89.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"180.222.182.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.3.45.160"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"104.234.180.208"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"123.249.4.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.70.76.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.97.202"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"49.232.26.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"122.114.79.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.132.232.37"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"42.192.201.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.43.24.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"117.33.131.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"119.45.129.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.115.130.53"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"106.166.173.36"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"123.207.244.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284424; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"47.121.131.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284422; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"140.143.142.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"210.71.232.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284420; rev:1;)
#
# --- ip:port IOCs tagged Coinminer: any TCP from $HOME_NET to <ip>:80 ----------
# No flow or content keyword: any packet toward the listed ip:port matches, a
# bare SYN included, so these cannot tell a download from a scan or a stray
# connection. threshold: type limit, track by_src, seconds 60, count 1 caps
# output to one alert per internal source per minute for each rule. Each of
# these four addresses is also a Host in the URL rules above (sid:91284436,
# sid:91284437, sid:91284438, sid:91284439), so a GET /help.scr raises both.
# Nothing in these rules expires them; re-check the reference before blocking.
#
alert tcp $HOME_NET any -> [104.234.180.208] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284519; rev:1;)
alert tcp $HOME_NET any -> [123.249.4.124] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284520; rev:1;)
alert tcp $HOME_NET any -> [58.87.89.254] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284521; rev:1;)
alert tcp $HOME_NET any -> [180.222.182.49] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284522; rev:1;)
alert tcp $HOME_NET any -> [101.43.112.41] 80 
(msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284523; rev:1;) alert tcp $HOME_NET any -> [43.233.124.116] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284524; rev:1;) alert tcp $HOME_NET any -> [39.103.200.155] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284525; rev:1;) alert tcp $HOME_NET any -> [60.205.158.103] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284526; rev:1;) alert tcp $HOME_NET any -> [113.28.244.231] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284527; rev:1;) alert tcp $HOME_NET any -> [107.173.111.4] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284528/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284528; rev:1;) alert tcp $HOME_NET any -> [27.82.11.178] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284529; rev:1;) alert tcp $HOME_NET any -> [203.70.224.72] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284530; rev:1;) alert tcp $HOME_NET any -> [103.35.99.88] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284531; rev:1;) alert tcp $HOME_NET any -> [124.71.73.181] 83 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284532; rev:1;) alert tcp $HOME_NET any -> [58.215.245.2] 9000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284533; rev:1;) alert tcp $HOME_NET any -> [218.200.155.204] 8164 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284534; rev:1;) alert tcp $HOME_NET any -> [59.175.183.106] 6713 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284535; rev:1;) alert tcp $HOME_NET any -> [1.32.57.145] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284536; rev:1;) alert tcp $HOME_NET any -> [113.160.249.9] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284537; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284538; rev:1;) alert tcp $HOME_NET any -> [1.117.230.49] 7080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284539; rev:1;) alert tcp $HOME_NET any -> [119.3.45.218] 80 
(msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284540; rev:1;) alert tcp $HOME_NET any -> [106.52.247.30] 6080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284541; rev:1;) alert tcp $HOME_NET any -> [175.178.35.16] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284542; rev:1;) alert tcp $HOME_NET any -> [222.244.110.238] 8089 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284543; rev:1;) alert tcp $HOME_NET any -> [8.218.40.158] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284544; rev:1;) alert tcp $HOME_NET any -> [8.218.40.158] 4433 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284545/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284545; rev:1;) alert tcp $HOME_NET any -> [112.74.189.44] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284546; rev:1;) alert tcp $HOME_NET any -> [183.230.20.189] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284547; rev:1;) alert tcp $HOME_NET any -> [113.28.105.178] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284548; rev:1;) alert tcp $HOME_NET any -> [118.178.133.241] 65500 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284549; rev:1;) alert tcp $HOME_NET any -> [119.45.173.126] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284550; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8087 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284551; rev:1;) alert tcp $HOME_NET any -> [112.27.189.32] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284552; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284553; rev:1;) alert tcp $HOME_NET any -> [202.155.196.152] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284554; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8086 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284555; rev:1;) alert tcp $HOME_NET any -> [60.164.246.250] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284556; rev:1;) alert tcp $HOME_NET any -> 
[183.178.124.31] 8899 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284557; rev:1;) alert tcp $HOME_NET any -> [117.72.68.197] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284558; rev:1;) alert tcp $HOME_NET any -> [110.40.185.110] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284559; rev:1;) alert tcp $HOME_NET any -> [42.200.209.195] 8001 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284560; rev:1;) alert tcp $HOME_NET any -> [220.246.84.200] 8088 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284561; rev:1;) alert tcp $HOME_NET any -> [42.192.21.226] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284562/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284562; rev:1;) alert tcp $HOME_NET any -> [115.28.26.10] 8080 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284563; rev:1;) alert tcp $HOME_NET any -> [203.142.91.39] 8121 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284564; rev:1;) alert tcp $HOME_NET any -> [49.232.150.208] 8002 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284565; rev:1;) alert tcp $HOME_NET any -> [203.2.65.29] 8085 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284566; rev:1;) alert tcp $HOME_NET any -> [124.67.254.109] 61234 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284567; rev:1;) alert tcp $HOME_NET any -> [61.182.69.190] 11111 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284568; rev:1;) alert tcp $HOME_NET any -> [218.4.199.122] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284569; rev:1;) alert tcp $HOME_NET any -> [139.159.155.204] 88 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284570; rev:1;) alert tcp $HOME_NET any -> [81.70.35.72] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284571; rev:1;) alert tcp $HOME_NET any -> [139.159.155.204] 81 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284572; rev:1;) alert tcp $HOME_NET any -> [49.232.150.208] 444 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284573; rev:1;) alert tcp $HOME_NET any 
-> [112.26.186.56] 8090 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284574; rev:1;) alert tcp $HOME_NET any -> [43.135.169.132] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284575; rev:1;) alert tcp $HOME_NET any -> [1.4.210.149] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284576; rev:1;) alert tcp $HOME_NET any -> [61.163.102.174] 9999 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284577; rev:1;) alert tcp $HOME_NET any -> [117.157.17.194] 9999 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284578; rev:1;) alert tcp $HOME_NET any -> [61.144.96.223] 888 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284579/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284579; rev:1;) alert tcp $HOME_NET any -> [182.93.54.42] 8081 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"77.58.156.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284598; rev:1;) alert tcp $HOME_NET any -> [103.142.87.174] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"171.109.52.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"116.198.32.42"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1284594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"210.87.198.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"150.138.79.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"159.75.83.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"118.104.146.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284590; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.33.53.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"114.115.141.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"120.46.35.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"211.159.172.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/help.scr"; depth:9; nocase; http.host; content:"1.94.5.103"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"156.232.9.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"124.222.81.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.143.10.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"cococuy8.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284582/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.142.87.174"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"cococuy8.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284581; rev:1;) alert tcp $HOME_NET any -> [156.232.9.208] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284600; rev:1;) alert tcp $HOME_NET any -> [124.222.81.43] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284601; rev:1;) alert tcp $HOME_NET any -> [103.143.10.73] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284602/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_14; classtype:trojan-activity; sid:91284602; rev:1;) alert tcp $HOME_NET any -> [211.159.172.120] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284603; rev:1;) alert tcp $HOME_NET any -> [159.75.83.162] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284604; rev:1;) alert tcp $HOME_NET any -> [1.94.5.103] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284605; rev:1;) alert tcp $HOME_NET any -> [118.104.146.106] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284606; rev:1;) alert tcp $HOME_NET any -> [114.33.53.141] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284607; rev:1;) alert tcp $HOME_NET any -> [114.115.141.157] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1284608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284608; rev:1;) alert tcp $HOME_NET any -> [120.46.35.129] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284609; rev:1;) alert tcp $HOME_NET any -> [116.198.32.42] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284610; rev:1;) alert tcp $HOME_NET any -> [210.87.198.112] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284611; rev:1;) alert tcp $HOME_NET any -> [150.138.79.154] 80 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284612; rev:1;) alert tcp $HOME_NET any -> [171.109.52.222] 8000 (msg:"ThreatFox Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284613; rev:1;) alert tcp $HOME_NET any -> [77.58.156.127] 80 (msg:"ThreatFox 
Coinminer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uploadlogs"; depth:11; nocase; http.host; content:"20.199.87.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/injection"; depth:14; nocase; http.host; content:"20.199.87.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filelogs"; depth:9; nocase; http.host; content:"api.ilovecats.life"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.ilovecats.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovecats.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"feckwear.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"feckwear.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"feckwear.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"feckwear.com"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/data.php"; depth:16; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284625; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 23193 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"america-dividend.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284869; rev:1;) alert tcp $HOME_NET any -> [185.91.127.219] 33455 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284871; rev:1;) alert tcp $HOME_NET any -> [80.209.225.170] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284874; rev:1;) alert tcp $HOME_NET any -> [77.91.77.38] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"kalopvard.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284888; rev:1;) alert tcp $HOME_NET any -> [185.93.221.108] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"lettecoft.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"47.109.103.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284418/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_14; classtype:trojan-activity; sid:91284418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"103.97.178.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"139.199.99.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.scr"; depth:9; nocase; http.host; content:"101.32.29.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cococuy8.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/help.scr"; depth:9; nocase; http.host; content:"47.250.148.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284415; rev:1;) alert tcp $HOME_NET any -> [77.91.77.140] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284886; rev:1;) alert tcp $HOME_NET any -> [156.242.43.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284885; rev:1;) alert tcp $HOME_NET any -> [139.155.68.35] 63909 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284884; rev:1;) alert tcp $HOME_NET any -> [34.220.26.176] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284883; rev:1;) alert tcp $HOME_NET any -> [89.110.76.194] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284882; rev:1;) alert tcp $HOME_NET any -> [156.242.46.200] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284881; rev:1;) alert tcp $HOME_NET any -> [209.97.160.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284880; rev:1;) alert tcp $HOME_NET any -> [104.234.240.171] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284879; rev:1;) alert tcp $HOME_NET any -> [47.108.182.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284878; rev:1;) alert tcp $HOME_NET any -> [154.9.225.100] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284877; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284876; rev:1;) alert tcp $HOME_NET any -> [82.157.99.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284875; rev:1;) alert tcp $HOME_NET any -> [147.78.103.60] 2525 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284873; rev:1;) alert tcp $HOME_NET any -> [94.156.8.15] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9bkfkwf/index.php"; depth:19; nocase; http.host; content:"77.91.77.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284870; rev:1;) alert tcp $HOME_NET any -> [65.109.240.138] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284626/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_14; classtype:trojan-activity; sid:91284626; rev:1;) alert tcp $HOME_NET any -> [45.61.132.128] 1952 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0993016.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284413; rev:1;) alert tcp $HOME_NET any -> [20.199.87.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"biwumii5.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malivscute.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284412; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jegyfuy0.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ginidue5.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"disypoy4.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284410; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.220.192.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284405; rev:1;) alert tcp $HOME_NET any -> [107.149.241.7] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www.deerllt.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www-deer.deerllt.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284402; rev:1;) alert tcp $HOME_NET any -> [107.175.218.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.108.220.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284399; rev:1;) alert tcp $HOME_NET any -> [47.108.239.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.108.239.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284397; rev:1;) alert tcp $HOME_NET any -> [120.53.250.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cwonajlbo/vtneww11212/"; depth:23; nocase; http.host; content:"120.53.250.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284395; rev:1;) 
alert tcp $HOME_NET any -> [139.199.216.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.42.10.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284393; rev:1;) alert tcp $HOME_NET any -> [124.222.91.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.nbch1na.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nbch1na.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; 
sid:91284391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"117.72.45.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284388; rev:1;) alert tcp $HOME_NET any -> [117.72.45.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.93.87.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284386; rev:1;) alert tcp $HOME_NET any -> [47.93.87.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.245.39.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284384/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284384; rev:1;) alert tcp $HOME_NET any -> [103.245.39.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284385; rev:1;) alert tcp $HOME_NET any -> [107.149.241.7] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www.deerllt.store"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.deerllt.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-deer.deerllt.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; 
classtype:trojan-activity; sid:91284380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"www-deer.deerllt.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284379; rev:1;) alert tcp $HOME_NET any -> [20.2.209.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.2.209.212"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.11.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284376; rev:1;) alert tcp $HOME_NET any -> [107.175.218.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkbs168.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"jkbs168.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284373; rev:1;) alert tcp $HOME_NET any -> [172.245.53.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.chinaunion.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/docs/"; depth:13; nocase; http.host; content:"api.chinaunion.info"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284370; rev:1;) alert tcp $HOME_NET any -> [82.153.68.38] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnbvcxz.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284334; rev:1;) alert tcp $HOME_NET any -> [41.249.41.241] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"businessresources.ltd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284320; rev:1;) alert tcp $HOME_NET any -> [216.55.179.28] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_14; classtype:trojan-activity; sid:91284333; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"x52op6gt0i.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/data.zip"; depth:12; nocase; http.host; content:"businessresources.ltd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"x52op6gt0i.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284317; rev:1;) alert tcp $HOME_NET any -> [91.199.154.172] 15486 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"x52op6gt0i.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284294/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284294; rev:1;) alert tcp $HOME_NET any -> [85.31.224.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284364; rev:1;) alert tcp $HOME_NET any -> [47.76.67.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284363; rev:1;) alert tcp $HOME_NET any -> [119.42.146.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284362; rev:1;) alert tcp $HOME_NET any -> [37.107.29.70] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284361; rev:1;) alert tcp $HOME_NET any -> [34.89.109.34] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284360; rev:1;) alert tcp $HOME_NET any -> [66.228.59.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284359; rev:1;) alert tcp $HOME_NET any -> [121.227.168.78] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284358; rev:1;) alert tcp $HOME_NET any -> [3.19.59.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284357; rev:1;) alert tcp $HOME_NET any -> [51.20.127.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284356; rev:1;) alert tcp $HOME_NET any -> [3.9.82.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284355; rev:1;) alert tcp $HOME_NET any -> [3.15.156.228] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; 
sid:91284354; rev:1;) alert tcp $HOME_NET any -> [51.20.119.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284353; rev:1;) alert tcp $HOME_NET any -> [139.84.217.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284352; rev:1;) alert tcp $HOME_NET any -> [18.177.14.165] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284351; rev:1;) alert tcp $HOME_NET any -> [64.226.91.223] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284350; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 51379 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284349; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 46694 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284348; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284347; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284346; rev:1;) alert tcp $HOME_NET any -> [107.175.31.172] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_14; classtype:trojan-activity; sid:91284345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"218.29.30.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_14; classtype:trojan-activity; sid:91284344; rev:1;) alert tcp $HOME_NET any -> [193.233.75.241] 8080 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; 
sid:91284343; rev:1;) alert tcp $HOME_NET any -> [92.143.110.175] 1716 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284342; rev:1;) alert tcp $HOME_NET any -> [72.5.43.196] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284341; rev:1;) alert tcp $HOME_NET any -> [8.137.144.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284339; rev:1;) alert tcp $HOME_NET any -> [156.242.45.217] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284338; rev:1;) alert tcp $HOME_NET any -> [107.151.240.224] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284337; rev:1;) alert tcp $HOME_NET any -> [156.242.41.200] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284336; rev:1;) alert tcp $HOME_NET any -> [156.242.40.211] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_14; classtype:trojan-activity; sid:91284335; rev:1;) alert tcp $HOME_NET any -> [185.29.9.101] 9098 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.75.155.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284330; rev:1;) alert tcp $HOME_NET any -> [106.75.155.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284331; rev:1;) alert tcp $HOME_NET any -> [43.134.59.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.134.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284328; rev:1;) alert tcp $HOME_NET any -> [5.181.202.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"5.181.202.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"103.97.59.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284324; rev:1;) alert tcp $HOME_NET any -> [103.97.59.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284325; rev:1;) alert tcp $HOME_NET any -> [8.134.160.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qax1.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"qax1.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284321; rev:1;) alert tcp $HOME_NET any -> [38.114.102.6] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284316; rev:1;) alert tcp $HOME_NET any -> [47.93.172.239] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284315/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_13; classtype:trojan-activity; sid:91284315; rev:1;) alert tcp $HOME_NET any -> [60.205.104.45] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284312; rev:1;) alert tcp $HOME_NET any -> [1.94.198.82] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284313; rev:1;) alert tcp $HOME_NET any -> [1.92.68.1] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284314; rev:1;) alert tcp $HOME_NET any -> [8.147.109.58] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.230.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.143.248.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284307; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284306; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284305; rev:1;) alert tcp $HOME_NET any 
-> [3.125.223.134] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284304; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10942 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284300/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284296; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284295; rev:1;) alert tcp $HOME_NET any -> [193.164.5.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284293; rev:1;) alert tcp $HOME_NET any -> [4.157.252.211] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284292; rev:1;) alert tcp $HOME_NET any -> [8.210.100.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284291; rev:1;) alert tcp $HOME_NET any -> [86.98.9.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284290; rev:1;) alert tcp $HOME_NET any -> [88.232.103.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284289; rev:1;) alert tcp $HOME_NET any -> [45.241.44.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284288; rev:1;) alert tcp $HOME_NET any -> [47.236.116.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284287; rev:1;) alert tcp $HOME_NET any -> [174.138.23.208] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284286; rev:1;) alert tcp $HOME_NET any -> [166.88.159.17] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284285; rev:1;) alert tcp $HOME_NET any -> [45.133.195.90] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284284; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaderify.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284277; rev:1;) alert tcp $HOME_NET any -> [93.190.8.212] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284278; rev:1;) alert tcp $HOME_NET any -> [93.190.8.212] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bettershaders.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shaderify.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284281; rev:1;) alert tcp $HOME_NET any -> [106.250.166.45] 5726 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1284282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284282; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 21936 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"license-reception.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284276; rev:1;) alert tcp $HOME_NET any -> [147.45.78.162] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284274; rev:1;) alert tcp $HOME_NET any -> [147.45.78.162] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284273; rev:1;) alert tcp $HOME_NET any -> [156.242.46.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284272; rev:1;) alert tcp $HOME_NET any -> 
[156.242.43.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284271/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284271; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284270/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284270; rev:1;) alert tcp $HOME_NET any -> [42.193.53.72] 7751 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284269/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284269; rev:1;) alert tcp $HOME_NET any -> [89.169.54.70] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284268/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284268; rev:1;) alert tcp $HOME_NET any -> [45.11.181.128] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284267/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284267; rev:1;) alert tcp $HOME_NET any -> [117.72.68.194] 33389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284266/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284266; rev:1;) alert tcp $HOME_NET any -> [18.212.125.154] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284265/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284265; rev:1;) alert tcp $HOME_NET any -> [35.226.167.237] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284264/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284264; rev:1;) alert tcp $HOME_NET any -> [24.199.88.54] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284263; rev:1;) alert tcp $HOME_NET any -> [64.227.65.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284262/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284262; rev:1;) alert tcp $HOME_NET any -> [91.92.251.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284261/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284261; rev:1;) alert tcp $HOME_NET any -> [156.242.45.204] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284260/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284260; rev:1;) alert tcp $HOME_NET any -> [191.101.15.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284259/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284259; rev:1;) alert tcp $HOME_NET any -> [1.92.121.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284258; rev:1;) alert tcp $HOME_NET any -> [62.234.70.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284257/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284257; rev:1;) alert tcp $HOME_NET any -> [156.242.45.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284256; rev:1;) alert tcp $HOME_NET any -> [156.242.41.215] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284255/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284255; rev:1;) alert tcp $HOME_NET 
any -> [147.45.44.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284254/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284254; rev:1;) alert tcp $HOME_NET any -> [5.181.159.42] 2083 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284253/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284253; rev:1;) alert tcp $HOME_NET any -> [5.181.159.42] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284252/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284252; rev:1;) alert tcp $HOME_NET any -> [116.202.177.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284251; rev:1;) alert tcp $HOME_NET any -> [116.202.177.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284250; rev:1;) alert tcp $HOME_NET any -> [172.203.104.154] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284249/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284249; rev:1;) alert tcp $HOME_NET any -> [178.215.236.251] 717 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app-login.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0992844.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.15.62.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hw2.chintelecom.com.cn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284244/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284237; rev:1;) alert tcp $HOME_NET any -> [116.204.118.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/v9.52/6fcq3uvd9"; depth:23; nocase; http.host; content:"116.204.118.96"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1284235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284235; rev:1;) alert tcp $HOME_NET any -> [8.134.160.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.134.160.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284233; rev:1;) alert tcp $HOME_NET any -> [18.208.156.248] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284232; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 21854 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284231; rev:1;) alert tcp $HOME_NET any -> [101.200.152.191] 46287 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284229; rev:1;) alert tcp $HOME_NET any -> [110.117.95.0] 0 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284230; rev:1;) alert tcp $HOME_NET any -> [162.74.55.118] 4571 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284227; rev:1;) alert tcp $HOME_NET any -> [9.252.189.253] 60714 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284228; rev:1;) alert tcp $HOME_NET any -> [73.23.253.56] 17393 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284226; rev:1;) alert tcp $HOME_NET any -> [214.9.213.13] 12523 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284224; rev:1;) alert tcp $HOME_NET any -> [117.180.92.184] 46633 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284225; rev:1;) alert tcp $HOME_NET any -> [48.220.224.248] 32917 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284222; rev:1;) alert tcp $HOME_NET any -> [224.87.85.180] 40164 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284223; rev:1;) alert tcp $HOME_NET any -> [96.117.66.72] 0 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284221; rev:1;) alert tcp $HOME_NET any -> [108.87.254.103] 36138 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284220; rev:1;) alert tcp $HOME_NET any -> [218.86.11.123] 62100 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284219; rev:1;) alert tcp $HOME_NET any -> [64.184.233.29] 48193 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284218; rev:1;) alert tcp $HOME_NET any -> [194.127.196.112] 59762 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284217; rev:1;) alert tcp $HOME_NET any -> [75.86.4.24] 35165 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284215; rev:1;) alert tcp $HOME_NET any -> [106.146.239.56] 49679 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284216; rev:1;) alert tcp $HOME_NET any -> [167.159.67.2] 42455 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284213; rev:1;) alert tcp $HOME_NET any -> [80.214.112.151] 9618 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284214; rev:1;) alert tcp $HOME_NET any -> [173.210.161.232] 27188 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284211; rev:1;) alert tcp $HOME_NET any -> [22.155.219.162] 29117 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284212; rev:1;) alert tcp $HOME_NET any -> [71.182.193.130] 5327 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284209; rev:1;) alert tcp $HOME_NET any -> [111.143.132.167] 9985 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284210; rev:1;) alert tcp $HOME_NET any -> [29.119.168.182] 51370 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284206; rev:1;) alert tcp $HOME_NET any -> [54.106.172.208] 21101 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284207; rev:1;) alert tcp $HOME_NET any -> [76.55.174.209] 2746 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284208; rev:1;) alert tcp $HOME_NET any -> [102.51.5.67] 47820 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284204; rev:1;) alert tcp $HOME_NET any -> [43.190.241.127] 50708 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284205; rev:1;) alert tcp $HOME_NET any -> [74.234.32.185] 42698 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284203; rev:1;) alert tcp $HOME_NET any -> [192.1.213.104] 14212 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284201; rev:1;) alert tcp $HOME_NET any -> [145.3.120.239] 20068 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284202; rev:1;) alert tcp $HOME_NET any -> [124.230.27.11] 44408 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284199; rev:1;) alert tcp $HOME_NET any -> [205.255.39.94] 54675 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284200; rev:1;) alert tcp $HOME_NET any -> [162.117.200.91] 29984 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284194; rev:1;) alert tcp $HOME_NET any -> [31.248.76.23] 24072 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284197; rev:1;) alert tcp $HOME_NET any -> [224.77.182.18] 55579 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284198; rev:1;) alert tcp $HOME_NET any -> [11.239.81.233] 37 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284196; rev:1;) alert tcp $HOME_NET any -> [187.144.110.117] 36330 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284193; rev:1;) alert tcp $HOME_NET any -> [159.254.223.192] 31154 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284195; rev:1;) alert tcp $HOME_NET any -> [124.77.95.5] 46163 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284191; rev:1;) alert tcp $HOME_NET any -> [196.90.29.190] 30693 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284192; rev:1;) alert tcp $HOME_NET any -> [201.136.101.182] 38323 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284190; rev:1;) alert tcp $HOME_NET any -> [78.94.148.92] 1753 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284188; rev:1;) alert tcp $HOME_NET any -> [134.180.185.240] 32987 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284189; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19605 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newmarketofficecleaning.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283949/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"newmarketofficecleaning.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283951; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 27425 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283987; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 2089 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"duckduck2021.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"balm.4rt.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"table.fastplot.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"ashleypuerner.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284015; rev:1;) alert tcp $HOME_NET any -> [173.44.141.108] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284016; rev:1;) alert tcp $HOME_NET any -> [170.130.55.242] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284017; rev:1;) alert tcp $HOME_NET any -> 
[85.234.6.210] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284018; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 21552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"different-been.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284034; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 53098 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"northern-suggested.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284036; rev:1;) alert tcp $HOME_NET any -> [103.226.155.59] 881 (msg:"ThreatFox FatalRat botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284037; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 13022 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284038; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 13022 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284039; rev:1;) alert tcp $HOME_NET any -> [93.123.85.120] 4252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91284053; rev:1;) alert tcp $HOME_NET any -> [79.132.130.191] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284153; rev:1;) alert tcp $HOME_NET any -> [103.233.255.176] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/666993516fb8bcf3e9a2416b"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283942; rev:1;) alert tcp $HOME_NET any -> [103.102.228.188] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283943; rev:1;) alert tcp $HOME_NET any -> [119.59.98.116] 7812 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283944; rev:1;) alert tcp $HOME_NET any -> [194.55.186.49] 2424 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"kokmausrest.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"ultroawest.com"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283947; rev:1;) alert tcp $HOME_NET any -> [103.158.37.147] 443 (msg:"ThreatFox Ghost RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"r6pedihosi.website"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"kongtuke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283911/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_13; classtype:trojan-activity; sid:91283911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"santapubcrawlchattanooga.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"santapubcrawlchattanooga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"missingandfound.com.my"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"uhsee.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283910/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_13; classtype:trojan-activity; sid:91283910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"biripildiridurdursunlaan.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"sonykulaklik61.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"evdesuyok51x.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"dizaynmalikane61.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"aritmasuyux2.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"bumberceket56.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"sedakavanozkapagix1.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"mariooyunoynuyorx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283903/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283903; rev:1;) alert tcp $HOME_NET any -> [206.238.220.206] 7777 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283905/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_13; classtype:trojan-activity; sid:91283905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy/"; depth:18; nocase; http.host; content:"haberlersvar01.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmwmza1yjq0ndmy"; depth:17; nocase; http.host; content:"biripildiridur32.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91283895; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283881; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283882/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; classtype:trojan-activity; sid:91283882; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11331 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91283883; rev:1;) alert tcp $HOME_NET any -> [45.94.168.134] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"collar.agrcwv.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91283892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.194.153.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284186; rev:1;) alert tcp $HOME_NET any -> [34.146.210.28] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"web.windowsupdate.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284183/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web.windowsupdate.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284184; rev:1;) alert tcp $HOME_NET any -> [47.120.60.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.120.60.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.242.22.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.204.171.143"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284179; rev:1;) alert tcp $HOME_NET any -> [134.175.235.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.230.207.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"139.199.216.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"134.175.235.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284175; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"117.72.45.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284173; rev:1;) alert tcp $HOME_NET any -> [117.72.45.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cwonajlbo/vtneww11212/"; depth:23; nocase; http.host; content:"120.53.250.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"43.138.20.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284171; rev:1;) alert tcp $HOME_NET any -> [47.120.60.201] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284170/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_13; classtype:trojan-activity; sid:91284170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"liolio.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liolio.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sportsmensgifts.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tourbigs.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284166; rev:1;) alert tcp $HOME_NET any -> [45.8.146.124] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284165; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempproton/2baseprivate/datalifeserverlow/0lowdlesecure/4generatordownloadsserver/4geohttp/mariadb/wordpress/eternalvmtojavascriptprocessprotectflower.php"; depth:155; nocase; http.host; content:"5.42.104.243"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284164; rev:1;) alert tcp $HOME_NET any -> [152.42.224.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284163; rev:1;) alert tcp $HOME_NET any -> [103.84.90.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284162; rev:1;) alert tcp $HOME_NET any -> [107.175.0.202] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284161; rev:1;) alert tcp $HOME_NET any -> [46.246.4.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284160/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; 
sid:91284160; rev:1;) alert tcp $HOME_NET any -> [46.246.4.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284159; rev:1;) alert tcp $HOME_NET any -> [216.137.228.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284158; rev:1;) alert tcp $HOME_NET any -> [189.140.13.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284157; rev:1;) alert tcp $HOME_NET any -> [189.175.208.222] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284156; rev:1;) alert tcp $HOME_NET any -> [155.138.144.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284155; rev:1;) alert tcp $HOME_NET any -> [155.138.144.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284154/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284154; rev:1;) alert tcp $HOME_NET any -> [79.141.173.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284152; rev:1;) alert tcp $HOME_NET any -> [18.206.197.222] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284151; rev:1;) alert tcp $HOME_NET any -> [116.203.4.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284147; rev:1;) alert tcp $HOME_NET any -> [195.201.46.4] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284148; rev:1;) alert tcp $HOME_NET any -> [195.201.248.182] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284149; rev:1;) alert tcp $HOME_NET any -> [116.203.13.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284144; rev:1;) alert tcp $HOME_NET any -> [65.109.240.138] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284145; rev:1;) alert tcp $HOME_NET any -> [195.201.251.58] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.248.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"195.201.46.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.4.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.251.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284139; rev:1;) alert tcp $HOME_NET any -> [99.83.171.148] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284138; rev:1;) alert tcp $HOME_NET any -> [13.60.6.180] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284137; rev:1;) alert tcp $HOME_NET any -> [100.25.159.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284136; rev:1;) alert tcp $HOME_NET any -> [13.53.216.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284135; rev:1;) alert tcp $HOME_NET any -> [16.171.181.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284134; rev:1;) alert tcp $HOME_NET any -> [38.147.171.173] 33389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284133; rev:1;) alert tcp $HOME_NET any -> [89.23.97.100] 15799 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284132/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284132; rev:1;) alert tcp $HOME_NET any -> [117.72.16.69] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284131; rev:1;) alert tcp $HOME_NET any -> [117.72.16.69] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284130; rev:1;) alert tcp $HOME_NET any -> [93.123.39.135] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284129; rev:1;) alert tcp $HOME_NET any -> [93.123.39.135] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284128; rev:1;) alert tcp $HOME_NET any -> [93.123.39.132] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284127; rev:1;) alert tcp $HOME_NET any -> [93.123.39.132] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284126; rev:1;) alert tcp $HOME_NET any -> [57.181.170.149] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284125; rev:1;) alert tcp $HOME_NET any -> [57.181.170.149] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284124; rev:1;) alert tcp $HOME_NET any -> [93.123.39.138] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284123; rev:1;) alert tcp $HOME_NET any -> [93.123.39.138] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284122; rev:1;) alert tcp $HOME_NET any -> [103.77.246.53] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284121; rev:1;) alert tcp $HOME_NET any -> [93.123.85.103] 47925 (msg:"ThreatFox 
MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284120; rev:1;) alert tcp $HOME_NET any -> [141.98.152.165] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284119; rev:1;) alert tcp $HOME_NET any -> [103.151.238.184] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284118; rev:1;) alert tcp $HOME_NET any -> [116.62.189.237] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284117; rev:1;) alert tcp $HOME_NET any -> [104.208.65.22] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284116; rev:1;) alert tcp $HOME_NET any -> [156.242.47.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284115/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_06_13; classtype:trojan-activity; sid:91284115; rev:1;) alert tcp $HOME_NET any -> [47.99.151.161] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284114; rev:1;) alert tcp $HOME_NET any -> [156.242.45.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284113; rev:1;) alert tcp $HOME_NET any -> [156.242.41.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284112; rev:1;) alert tcp $HOME_NET any -> [173.44.141.6] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284111; rev:1;) alert tcp $HOME_NET any -> [156.242.41.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284110; rev:1;) alert tcp $HOME_NET any -> [156.242.42.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284109; rev:1;) alert tcp $HOME_NET any -> [103.146.158.113] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284108; rev:1;) alert tcp $HOME_NET any -> [114.132.98.252] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284107; rev:1;) alert tcp $HOME_NET any -> [212.113.122.131] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284106; rev:1;) alert tcp $HOME_NET any -> [47.106.154.91] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284105; rev:1;) alert tcp $HOME_NET any -> [154.198.245.62] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284104; rev:1;) 
alert tcp $HOME_NET any -> [103.15.91.9] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284103; rev:1;) alert tcp $HOME_NET any -> [64.176.35.5] 62299 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284102; rev:1;) alert tcp $HOME_NET any -> [74.48.89.54] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284101; rev:1;) alert tcp $HOME_NET any -> [47.238.44.41] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284100; rev:1;) alert tcp $HOME_NET any -> [93.95.97.102] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284099; rev:1;) alert tcp $HOME_NET any -> [20.2.18.117] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284098/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284098; rev:1;) alert tcp $HOME_NET any -> [45.87.247.63] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284097; rev:1;) alert tcp $HOME_NET any -> [103.168.67.9] 57395 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284096; rev:1;) alert tcp $HOME_NET any -> [82.157.184.100] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284095; rev:1;) alert tcp $HOME_NET any -> [156.242.41.195] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284094; rev:1;) alert tcp $HOME_NET any -> [212.192.15.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284093; rev:1;) alert tcp $HOME_NET any -> [79.132.232.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284092; rev:1;) alert tcp $HOME_NET any -> [39.105.130.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284091; rev:1;) alert tcp $HOME_NET any -> [156.242.47.212] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284090; rev:1;) alert tcp $HOME_NET any -> [120.53.250.9] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284089; rev:1;) alert tcp $HOME_NET any -> [120.53.250.9] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284088; rev:1;) alert tcp $HOME_NET any -> [112.124.71.123] 60443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284087; rev:1;) alert tcp $HOME_NET any -> [77.91.77.95] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284086; rev:1;) alert tcp $HOME_NET any -> [77.91.77.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284085; rev:1;) alert tcp $HOME_NET any -> [77.91.77.51] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284084; rev:1;) alert tcp $HOME_NET any -> [193.233.254.16] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284083; rev:1;) alert tcp $HOME_NET any -> [77.91.77.66] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284082; rev:1;) alert tcp $HOME_NET any -> [188.27.165.223] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284081; rev:1;) alert tcp $HOME_NET any -> [45.88.91.213] 4443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284080; rev:1;) alert tcp $HOME_NET any -> [154.212.149.63] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284079; rev:1;) alert tcp $HOME_NET any -> [77.91.77.116] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284078; rev:1;) alert tcp $HOME_NET any -> [77.91.77.96] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284077; rev:1;) alert tcp $HOME_NET any -> [89.38.135.28] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284076; rev:1;) alert tcp $HOME_NET any -> [79.133.51.249] 80 (msg:"ThreatFox RecordBreaker botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284075; rev:1;) alert tcp $HOME_NET any -> [94.228.166.22] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284074; rev:1;) alert tcp $HOME_NET any -> [77.91.77.54] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284073; rev:1;) alert tcp $HOME_NET any -> [77.91.77.137] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284072/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284072; rev:1;) alert tcp $HOME_NET any -> [147.45.44.2] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284071; rev:1;) alert tcp $HOME_NET any -> [88.99.127.107] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; 
classtype:trojan-activity; sid:91284070; rev:1;) alert tcp $HOME_NET any -> [188.245.35.23] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284069; rev:1;) alert tcp $HOME_NET any -> [188.245.35.23] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284068; rev:1;) alert tcp $HOME_NET any -> [116.202.5.195] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284067; rev:1;) alert tcp $HOME_NET any -> [116.202.5.195] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284066; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284065; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1284064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284064; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284063; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 5002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284062; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284061; rev:1;) alert tcp $HOME_NET any -> [115.74.42.106] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284060; rev:1;) alert tcp $HOME_NET any -> [178.20.42.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284059; rev:1;) alert tcp $HOME_NET any -> [93.123.39.16] 4443 (msg:"ThreatFox Venom RAT botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284058; rev:1;) alert tcp $HOME_NET any -> [91.92.246.193] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284057; rev:1;) alert tcp $HOME_NET any -> [87.248.157.236] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284056; rev:1;) alert tcp $HOME_NET any -> [107.175.101.155] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284055; rev:1;) alert tcp $HOME_NET any -> [5.75.215.90] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_13; classtype:trojan-activity; sid:91284054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"140.238.27.183"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1284052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bsrc.baidusec.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.baidusec.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"bsrc.baidusec.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b2b.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"as.baidusec.top"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tag.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"b2b.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"tag.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"www.baidusec.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lu.js"; depth:6; nocase; http.host; content:"baidusec.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"alphormo.servequake.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alphormo.servequake.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284041; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284032; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284031; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 13687 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284030; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 13687 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_13; classtype:trojan-activity; sid:91284029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.213.86.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.247.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_13; classtype:trojan-activity; sid:91284027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.104.230.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284025; rev:1;) alert tcp 
$HOME_NET any -> [47.104.230.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284026; rev:1;) alert tcp $HOME_NET any -> [45.150.65.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"fix.sougou87.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fix.sougou87.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284023; rev:1;) alert tcp $HOME_NET any -> [140.238.27.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cstrike.webroot.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cstrike.webroot.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284020; rev:1;) alert tcp $HOME_NET any -> [39.105.131.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284011; rev:1;) alert tcp $HOME_NET any -> [47.121.113.121] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284012; rev:1;) alert tcp $HOME_NET any -> [39.106.79.101] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284008; rev:1;) alert tcp $HOME_NET any -> [123.249.19.46] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1284009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284009; rev:1;) alert tcp $HOME_NET any -> [39.104.49.52] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91284010; rev:1;) alert tcp $HOME_NET any -> [77.91.77.6] 44911 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1284007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1284001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-opql05nu-1253504731.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-opql05nu-1253504731.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1284000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91284000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-i4ipkrwm-1317712796.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/visit.js"; depth:9; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283989; rev:1;) alert tcp $HOME_NET any -> [52.242.20.137] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283988; rev:1;) alert tcp $HOME_NET any -> [89.23.99.151] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283986; rev:1;) alert tcp $HOME_NET any -> [41.142.208.122] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; 
depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283983; rev:1;) alert tcp $HOME_NET any -> [94.156.79.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283982; rev:1;) alert tcp $HOME_NET any -> [103.142.8.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283981; rev:1;) alert tcp $HOME_NET any -> [94.156.8.81] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283980; rev:1;) alert tcp $HOME_NET any -> [103.142.8.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283979; rev:1;) alert tcp $HOME_NET any -> [154.212.148.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; 
classtype:trojan-activity; sid:91283978; rev:1;) alert tcp $HOME_NET any -> [84.106.85.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283977; rev:1;) alert tcp $HOME_NET any -> [45.89.53.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283976; rev:1;) alert tcp $HOME_NET any -> [40.85.178.51] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283975; rev:1;) alert tcp $HOME_NET any -> [38.147.171.173] 28888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283974; rev:1;) alert tcp $HOME_NET any -> [185.238.248.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283973; rev:1;) alert tcp $HOME_NET any -> [38.147.186.117] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1283972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283972; rev:1;) alert tcp $HOME_NET any -> [46.246.86.17] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283971; rev:1;) alert tcp $HOME_NET any -> [103.30.78.218] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283970; rev:1;) alert tcp $HOME_NET any -> [197.3.219.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283969; rev:1;) alert tcp $HOME_NET any -> [103.79.76.166] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283968; rev:1;) alert tcp $HOME_NET any -> [103.152.255.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283967; rev:1;) alert tcp $HOME_NET any -> [138.2.135.17] 8080 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283966; rev:1;) alert tcp $HOME_NET any -> [193.149.189.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283965; rev:1;) alert tcp $HOME_NET any -> [54.71.125.251] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283964; rev:1;) alert tcp $HOME_NET any -> [13.60.75.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283963; rev:1;) alert tcp $HOME_NET any -> [58.8.255.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283962; rev:1;) alert tcp $HOME_NET any -> [51.20.108.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; 
classtype:trojan-activity; sid:91283961; rev:1;) alert tcp $HOME_NET any -> [13.48.128.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283960; rev:1;) alert tcp $HOME_NET any -> [43.206.219.14] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283959; rev:1;) alert tcp $HOME_NET any -> [159.65.42.191] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283958; rev:1;) alert tcp $HOME_NET any -> [62.106.66.222] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283957; rev:1;) alert tcp $HOME_NET any -> [106.53.181.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283955; rev:1;) alert tcp $HOME_NET any -> [43.242.200.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.222.176.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0992583.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; 
sid:91283939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"60.204.134.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283933; rev:1;) alert tcp $HOME_NET any -> [124.222.176.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.176.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.198.30.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qtvnews.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283928/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283928; rev:1;) alert tcp $HOME_NET any -> [1.12.227.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.fca2a8c137.10.1.slim.min.js"; depth:47; nocase; http.host; content:"www.qtvnews.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283927; rev:1;) alert tcp $HOME_NET any -> [8.138.150.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.138.150.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283925; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1283924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283923; rev:1;) alert tcp $HOME_NET any -> [43.134.231.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283922; rev:1;) alert tcp $HOME_NET any -> [111.230.5.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/antdesign3.js"; depth:14; nocase; http.host; content:"api.sftech.one"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.sftech.one"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1283920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.96.184.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.155.68.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283917; rev:1;) alert tcp $HOME_NET any -> [52.180.147.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"52.180.147.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283913; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/9460648709801952970"; depth:30; nocase; http.host; content:"45.61.136.239"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a01f7e32.php"; depth:13; nocase; http.host; content:"a0992229.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283909; rev:1;) alert tcp $HOME_NET any -> [172.232.239.216] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; 
sid:91283906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processorbaseuniversal.php"; depth:27; nocase; http.host; content:"901329cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5server/pythongame/cdn/pythondefaultjavascript/2voiddb/mariadbprivate/tempwpmulti/packet/voiddb2/vmpacket0/baseapi8update/uploadsprocessorvoiddb/phpapidle.php"; depth:159; nocase; http.host; content:"5.35.98.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad-ed.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd-e.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad-es.xyz"; depth:9; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ab-cc.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-bcd.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283886; rev:1;) alert tcp $HOME_NET any -> [5.180.155.40] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283885; rev:1;) alert tcp $HOME_NET any -> [107.175.229.139] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/94d487b2.php"; depth:13; nocase; http.host; content:"a0991598.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283880/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283880; rev:1;) alert tcp $HOME_NET any -> [41.248.117.232] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"born-administrative.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283879; rev:1;) alert tcp $HOME_NET any -> [185.93.221.101] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283878/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_12; classtype:trojan-activity; sid:91283878; rev:1;) alert tcp $HOME_NET any -> [8.138.131.251] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; 
classtype:trojan-activity; sid:91283876; rev:1;) alert tcp $HOME_NET any -> [47.94.95.22] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283877; rev:1;) alert tcp $HOME_NET any -> [8.147.105.128] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283873; rev:1;) alert tcp $HOME_NET any -> [47.116.191.243] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283874; rev:1;) alert tcp $HOME_NET any -> [106.14.248.223] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_12; classtype:trojan-activity; sid:91283875; rev:1;) alert tcp $HOME_NET any -> [38.180.9.93] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6d4a22a1.php"; depth:13; nocase; http.host; content:"a0992445.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283871; rev:1;) alert tcp $HOME_NET any -> [216.250.255.226] 3731 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283870; rev:1;) alert tcp $HOME_NET any -> [77.91.77.119] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_12; classtype:trojan-activity; sid:91283869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.49.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283868; rev:1;) alert tcp $HOME_NET any -> [20.201.106.233] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/new/roko/gate.php"; depth:18; nocase; http.host; content:"devotionrehab.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283865; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 10324 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283864; rev:1;) alert tcp $HOME_NET any -> [38.60.253.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/media"; depth:6; nocase; http.host; content:"api.vnaillslivns.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283862; rev:1;) alert tcp $HOME_NET any -> [148.135.56.71] 26745 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.vdtuconsole.online"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abc/def/"; depth:9; nocase; http.host; content:"img.vdtuconsole.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"37.46.130.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.206.167.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283856; rev:1;) alert tcp $HOME_NET any -> [193.149.176.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283855; rev:1;) alert tcp $HOME_NET any -> [78.185.193.7] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283854; rev:1;) alert tcp $HOME_NET any -> [2.88.155.150] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283853; rev:1;) alert tcp $HOME_NET any -> [91.254.214.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283852; rev:1;) alert tcp $HOME_NET any -> [13.55.48.44] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283851; rev:1;) alert tcp $HOME_NET any -> [46.250.255.162] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283850; rev:1;) alert tcp $HOME_NET any -> [121.40.69.44] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; 
sid:91283849; rev:1;) alert tcp $HOME_NET any -> [45.8.99.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283848; rev:1;) alert tcp $HOME_NET any -> [3.36.173.8] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/conditional-contract-meaning/"; depth:30; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nuevos2024.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283843; rev:1;) alert tcp $HOME_NET any -> [41.44.209.185] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 75%)"; dns_query; content:"jokarrrrr333322.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283845/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283845; rev:1;) alert tcp $HOME_NET any -> [46.246.6.8] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283842; rev:1;) alert tcp $HOME_NET any -> [3.36.173.8] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4ydl"; depth:5; nocase; http.host; content:"124.71.111.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283840; rev:1;) alert tcp $HOME_NET any -> [124.71.111.64] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nymsportsmen.com"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"truckingaccidentattorneyblog.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283838; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 5953 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"d1namias.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283832; rev:1;) alert tcp $HOME_NET any -> [94.156.66.207] 63882 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lechiavetteusb.it"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imgs/usb/logo/spiralitykszkj.exe"; depth:33; nocase; http.host; content:"lechiavetteusb.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283816; rev:1;) alert tcp $HOME_NET any -> [89.251.22.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guacos.php"; depth:11; nocase; http.host; content:"89.251.22.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283814; rev:1;) alert tcp $HOME_NET any -> [38.110.1.69] 993 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283802/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.yah00.o-r.kr"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1283803/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.aslark.kro.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283804/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.aslark1.kro.kr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283805/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.lazor.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283806/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.devf.n-e.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283807/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.lfgu.n-e.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283808/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; 
classtype:trojan-activity; sid:91283808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.luvb.n-b.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283809/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.navver.o-r.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283810/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"w3.navver.o-r.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283811/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"www.kepir.p-e.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283812/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283812; rev:1;) alert tcp $HOME_NET any -> [104.168.145.83] 993 (msg:"ThreatFox Kimsuky botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283801/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_11; classtype:trojan-activity; sid:91283801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"66.220.9.57"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"www.drivehq.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/dfpublishfile.aspx/fileid11362523730/key98sgla2a2tap/689/827546472/329736746804680/tuengrqlxvpd/securitybank-bankdeposit.txt.jar"; depth:134; nocase; http.host; content:"66.220.9.57"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283797; rev:1;) alert tcp $HOME_NET any -> [185.255.114.28] 1000 (msg:"ThreatFox QRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283794; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sample-house-rules-for-tenants-creating-a-fair-and-legal-living-environment/"; depth:77; nocase; http.host; content:"regyan.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/armistice-agreement-1953/"; depth:26; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283751; rev:1;) alert tcp $HOME_NET any -> [108.181.115.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283829/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_11; classtype:trojan-activity; sid:91283829; rev:1;) alert tcp $HOME_NET any -> [45.8.146.142] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283830/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_11; classtype:trojan-activity; sid:91283830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/698d3620.php"; depth:13; nocase; http.host; content:"a0991799.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283828; rev:1;) alert tcp $HOME_NET any -> [49.13.32.109] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283827; rev:1;) alert tcp $HOME_NET any -> [116.203.14.211] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283825; rev:1;) alert tcp $HOME_NET any -> [65.109.243.78] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283823/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/memve4erin"; depth:11; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199699680841"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63ab30c8.php"; depth:13; nocase; http.host; content:"a0991129.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/456773bf.php"; depth:13; nocase; http.host; content:"a0991200.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283813; rev:1;) alert tcp $HOME_NET any -> [144.202.69.96] 22868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f98ca1bd.php"; depth:13; nocase; http.host; content:"egorostroux.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.200.84.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/serverapiflower/wordpress5/vmuniversaldbmariadb/dumpmariadb/8dbprivate/processorpython/1centralauth/externalimagevmjavascriptdbbasedle.php"; depth:139; nocase; http.host; content:"185.180.231.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-networks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"82.156.145.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283789; rev:1;) alert tcp $HOME_NET any -> [103.186.214.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.186.214.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283787/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_11; classtype:trojan-activity; sid:91283787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/q2/index.php"; depth:13; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/public/login"; depth:23; nocase; http.host; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transaction"; depth:12; nocase; http.host; content:"action-winds.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete"; depth:9; nocase; http.host; content:"microstar.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error"; depth:6; nocase; http.host; content:"1c-marketing.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; 
content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283777; rev:1;) alert tcp $HOME_NET any -> [154.91.64.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.91.64.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.34.240.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283773; rev:1;) alert tcp $HOME_NET any -> [101.34.240.87] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283774; rev:1;) alert tcp $HOME_NET any -> [39.100.103.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.103.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283771; rev:1;) alert tcp $HOME_NET any -> [154.91.64.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.91.64.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283768; rev:1;) alert tcp $HOME_NET any -> [8.134.90.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.134.90.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.128.255.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283764; rev:1;) alert tcp $HOME_NET any -> [47.128.255.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283765; rev:1;) alert tcp 
$HOME_NET any -> [89.23.108.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"organic-satire-gw.aws-euc1.cloud-ara.tyk.io"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"organic-satire-gw.aws-euc1.cloud-ara.tyk.io"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.34.240.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"106.75.191.162"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283759; rev:1;) alert tcp $HOME_NET any -> [47.120.45.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.120.45.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msdownload/update/v3/static/trustedr/en/disallowedcertstl.cab"; depth:62; nocase; http.host; content:"v2.events.data.microsoftsubmit.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2.events.data.microsoftsubmit.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.24.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"119.91.253.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283752; rev:1;) alert tcp $HOME_NET any -> [101.33.193.195] 31845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpythonpollsecureauthwindowstracktempuploadsdownloads.php"; depth:59; nocase; http.host; content:"972464cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/51638e12.php"; depth:13; nocase; http.host; content:"a0988426.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283749; rev:1;) alert tcp $HOME_NET any -> [49.113.77.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283748; rev:1;) alert tcp $HOME_NET any -> [74.48.115.132] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283747; rev:1;) alert tcp $HOME_NET any -> [86.48.7.17] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283746; rev:1;) alert tcp $HOME_NET any -> [107.174.188.48] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283745; rev:1;) alert tcp $HOME_NET any -> [172.236.65.158] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283744; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 8888 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283743; rev:1;) alert tcp $HOME_NET any -> [94.156.8.14] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283742; rev:1;) alert tcp $HOME_NET any -> [105.155.171.91] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283694; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 15337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"listing-trackbacks.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283721; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283729/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283729; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283730; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283731; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_11; classtype:trojan-activity; sid:91283732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"javelinmarketing.nl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"larandeteknik.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; 
classtype:trojan-activity; sid:91283740; rev:1;) alert tcp $HOME_NET any -> [194.163.162.213] 4000 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283741; rev:1;) alert tcp $HOME_NET any -> [176.10.125.23] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_11; classtype:trojan-activity; sid:91283738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.37.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_11; classtype:trojan-activity; sid:91283737; rev:1;) alert tcp $HOME_NET any -> [165.3.87.196] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283733; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283728; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283727; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19926 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283726; rev:1;) alert tcp $HOME_NET any -> [190.211.254.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283724; rev:1;) alert tcp $HOME_NET any -> [66.63.189.102] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jkshb.su"; 
depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"jkshb.su"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283719; rev:1;) alert tcp $HOME_NET any -> [147.78.103.114] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283718; rev:1;) alert tcp $HOME_NET any -> [89.23.101.213] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283717; rev:1;) alert tcp $HOME_NET any -> [74.50.89.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283716; rev:1;) alert tcp $HOME_NET any -> [118.25.102.204] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283715; rev:1;) alert tcp $HOME_NET any -> [46.246.6.17] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283714; rev:1;) alert tcp $HOME_NET any -> [88.253.72.170] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283713; rev:1;) alert tcp $HOME_NET any -> [2.50.38.96] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283712; rev:1;) alert tcp $HOME_NET any -> [1.161.72.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283711; rev:1;) alert tcp $HOME_NET any -> [91.132.95.28] 10443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283710; rev:1;) alert tcp $HOME_NET any -> [104.248.34.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283709; rev:1;) alert tcp $HOME_NET any -> [159.65.114.122] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283708; rev:1;) alert tcp $HOME_NET any -> [91.245.255.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283707; rev:1;) alert tcp $HOME_NET any -> [81.43.27.250] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283706; rev:1;) alert tcp $HOME_NET any -> [5.104.80.155] 27564 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283705; rev:1;) alert tcp $HOME_NET any -> [158.160.82.115] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283704; rev:1;) alert tcp $HOME_NET any -> [185.59.74.254] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283703; rev:1;) alert tcp $HOME_NET any -> [180.117.162.14] 3443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283702; rev:1;) alert tcp $HOME_NET any -> [115.87.213.147] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283701; rev:1;) alert tcp $HOME_NET any -> [92.204.83.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283700; rev:1;) alert tcp $HOME_NET any -> [114.55.230.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1283698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283698; rev:1;) alert tcp $HOME_NET any -> [114.55.230.1] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283699; rev:1;) alert tcp $HOME_NET any -> [123.57.150.35] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283695; rev:1;) alert tcp $HOME_NET any -> [121.37.42.20] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283696; rev:1;) alert tcp $HOME_NET any -> [47.94.113.161] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiao.spicn.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283692; rev:1;) alert tcp $HOME_NET any -> [23.94.94.149] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"xiao.spicn.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283691; rev:1;) alert tcp $HOME_NET any -> [165.3.87.196] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283689; rev:1;) alert tcp $HOME_NET any -> [168.119.119.140] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megacitta190004.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"djinfo.pl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283687; rev:1;) alert tcp $HOME_NET any -> [147.45.79.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283683; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 16307 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283682; rev:1;) alert tcp $HOME_NET any -> [60.204.235.186] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vnaillslivns.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"vnaillslivns.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"api.vnaillslivns.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.vnaillslivns.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"ns2.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.collegel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; 
classtype:trojan-activity; sid:91283671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"senkiv.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"bbill.freehostpro.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gpsuser.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"gpsuser.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283666; rev:1;) alert tcp $HOME_NET any -> [106.52.102.35] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1283665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"42.193.130.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283664; rev:1;) alert tcp $HOME_NET any -> [134.175.213.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"134.175.213.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283662; rev:1;) alert tcp $HOME_NET any -> [54.179.250.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; 
depth:3; nocase; http.host; content:"yk.test2024.sbs"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yk.test2024.sbs"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283660; rev:1;) alert tcp $HOME_NET any -> [107.148.1.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.whatsappsignup.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-4.8.1.min.js"; depth:20; nocase; http.host; content:"support.whatsappsignup.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283656; rev:1;) alert tcp $HOME_NET any -> [23.94.94.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"s1.botdash.app"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.botdash.app"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283654; rev:1;) alert tcp $HOME_NET any -> [154.44.28.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"49.232.129.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283650; rev:1;) alert tcp $HOME_NET any -> [106.52.102.35] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"42.193.130.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283648; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2022/09/10/hot-cargo-agreement-define/"; depth:58; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"francesmacve.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283647/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"docsjapan.xsrv.jp"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alphabetllc.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283643; rev:1;) alert tcp $HOME_NET any -> [95.217.135.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283640; rev:1;) alert tcp $HOME_NET any -> [49.13.235.244] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.235.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283639/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.135.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"alphabetllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_10; classtype:trojan-activity; sid:91283637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619916287"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619157993"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283635; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619938930"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619927938"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619855608"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619915856"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620444957"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619564077"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620058328"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199618998288"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/profiles/76561199620788109"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619525937"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619987302"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619729848"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619383712"; depth:27; nocase; http.host; 
content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ctze.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a-bc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd-d.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llzl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nafiskaran.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283621/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_10; classtype:trojan-activity; sid:91283621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddbc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283616; rev:1;) alert tcp $HOME_NET any -> [194.59.30.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283615; rev:1;) alert tcp $HOME_NET any -> [31.177.108.30] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283614; rev:1;) alert tcp $HOME_NET any -> [94.49.204.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283613; rev:1;) alert tcp $HOME_NET any -> [162.238.154.3] 2000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283612; rev:1;) alert tcp $HOME_NET any -> [192.3.86.166] 2096 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"hyatyumrukgibi.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dnliyomsadeceuzaktan.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gecicekyramatuzatma.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birgunolucakelbeet.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283574/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"sankioguncokuzakk.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"snayatkatalicam.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"olanlarigoruceez.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283577/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kfamhepkarambol.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283578/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283578; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"birbirbirdenikidir.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283579/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"fesatlarafesatkk.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283580/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bitmeztukenmezbuenerjj.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283581/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kirmizimavigelldii.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283583/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ckinsanaffettmm.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283582; rev:1;)
# --- ThreatFox "botnet C2 traffic" URL rules (confidence 80%) ---
# Each rule pins one (Host, URI) pair. The URI content is anchored at offset 0
# (depth equals the token length) and the Host content is anchored the same way
# plus isdataat:!1,relative, so a rule fires only on an exact Host value: a
# subdomain, a trailing ":port" or any extra byte does not match.
# Consequence: the same URI token (/zjm0njuxndm5mmvi/, /zdqyn2nmogezotlk/)
# recurs across many disposable .top/.xyz hosts, and a host that is not yet in
# the feed is not covered even when it serves the identical path. A local
# URI-only rule would widen coverage at the cost of precision (reviewer note,
# not part of the feed).
# nocase applies only to the URI content that precedes it; Suricata's http.host
# buffer is already lower-cased, so no nocase is used there.
# flow:established,from_client limits matching to the client request on an
# established stream; target:src_ip marks the $HOME_NET client as the victim.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dememelalemnedeerr.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283584; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"savuryadarsavuun.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283585; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"taktmkafayikapattmkafayi.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283586/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283586; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"taktimbirtipayivedekovayi.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283587/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283587; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bileneaferinbilmeyeneketamn.xyz"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283588/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283588; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gormedenglenlereslm.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283589/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283589; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"saffetsafmigerckten.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283590/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283590; rev:1;)
# Second token set, /zdqyn2nmogezotlk/, on 8-character .top/.xyz hosts. Same
# exact-Host anchoring as above. (sid order 91283597/91283596 follows the feed.)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"vypzjiqv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283591/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qunxbliv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283592/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283592; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zoxkfwem.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283593/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283593; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kuzpjynx.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283594/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283594; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qlizfuvp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283595/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283595; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"pluxzwik.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283597/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283597; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jylxqizm.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283596; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qyphfipx.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283598/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283598; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jorzklyv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283599/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283599; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qubzzimp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283600/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283600; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fynxqolp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283601/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283601; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jikmzyrf.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283602/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283602; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"plukqerj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283603; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jopzblix.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283604/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"quvmfuzj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283605/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283605; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zytkqapv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283606/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283606; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jizqkuwp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283607/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283607; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zivxfqim.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283608; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jypzquzx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283609; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"blifqevp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_10; classtype:trojan-activity; sid:91283610; rev:1;)
# --- ip:port rules ---
# "alert tcp $HOME_NET any -> [ip] port" carries no flow keyword: any TCP packet
# from an internal host to that ip:port matches, including a bare SYN to a C2
# that is already down (a contact attempt is itself the indicator) and including
# internal scanners that happen to probe the address. No payload is inspected.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per internal source per minute, so the first hit is the one you see.
# Entries on shared ports (443, 80, 53, 445) and those at 50% confidence are
# the ones most likely to age badly once the address is reassigned; check
# first_seen in the metadata and the ThreatFox reference before blocking on an
# alert. (Reviewer note: outbound 445 to an external address, as in the
# Responder entry below, is worth its own policy alert independent of this IOC.)
alert tcp $HOME_NET any -> [172.96.137.224] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_10; classtype:trojan-activity; sid:91283570; rev:1;)
alert tcp $HOME_NET any -> [144.202.2.143] 7995 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283569; rev:1;)
# --- payload-delivery URL rules (confidence 100%) ---
# Same anchoring as the C2 URL rules: exact URI prefix at offset 0 plus an
# exact Host (depth = host length, isdataat:!1,relative). /reports.php recurs
# on several apparently unrelated hosts; each host needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283567; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"imaginaria.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283568; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283564; rev:1;)
# dns_query match is anchored (depth = name length, isdataat:!1,relative), so
# only the exact name matches; www.<name> or any other subdomain does not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elvesofiax.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"devblog.ludikreation.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"detforening.dk"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dresstherapist.sakura.ne.jp"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"elvesofiax.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283566; rev:1;)
# Five Nanocore entries share port 17831 on adjacent 3.6.x.x addresses; each is
# a separate ip:port rule, so a new address on the same port is not covered.
alert tcp $HOME_NET any -> [3.6.30.85] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283554; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.64] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283555; rev:1;)
alert tcp $HOME_NET any -> [3.6.115.182] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283556; rev:1;)
alert tcp $HOME_NET any -> [3.6.98.232] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283557; rev:1;)
alert tcp $HOME_NET any -> [3.6.122.107] 17831 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_10; classtype:trojan-activity; sid:91283558; rev:1;)
alert tcp $HOME_NET any -> [4.185.27.237] 13528 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283535; rev:1;)
# URL rules with a bare-IP Host: only cleartext HTTP that Suricata parses can
# match them; for a TLS C2 on 443 only the companion ip:port rule (where one
# exists, e.g. 149.88.93.193, 47.92.162.69) can fire unless traffic is decrypted.
# Short URI tokens (/lv, /ca, /match, /api/x) have depth but no isdataat on the
# URI, so any URI beginning with the token matches; the exact-Host anchor is
# what keeps those rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/v6.04/wwuf3e1d"; depth:21; nocase; http.host; content:"216.245.184.159"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283553; rev:1;)
alert tcp $HOME_NET any -> [149.88.93.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"149.88.93.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283551; rev:1;)
alert tcp $HOME_NET any -> [18.229.248.167] 11262 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283550; rev:1;)
alert tcp $HOME_NET any -> [194.62.250.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283549; rev:1;)
# 50%-confidence block: "Unknown malware" on port 80 and several well-known
# frameworks on 443 -- treat a hit as a lead to triage, not as a verdict.
alert tcp $HOME_NET any -> [89.110.78.222] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283548; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283547; rev:1;)
alert tcp $HOME_NET any -> [94.228.166.50] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283546; rev:1;)
alert tcp $HOME_NET any -> [203.104.42.92] 2233 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283545; rev:1;)
alert tcp $HOME_NET any -> [1.161.82.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283544; rev:1;)
alert tcp $HOME_NET any -> [188.54.56.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283543; rev:1;)
alert tcp $HOME_NET any -> [157.245.248.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283542; rev:1;)
alert tcp $HOME_NET any -> [192.46.232.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283541; rev:1;)
alert tcp $HOME_NET any -> [180.117.162.14] 380 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283540; rev:1;)
alert tcp $HOME_NET any -> [137.175.113.92] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283539; rev:1;)
alert tcp $HOME_NET any -> [163.181.140.108] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283538; rev:1;)
alert tcp $HOME_NET any -> [208.123.119.159] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283537; rev:1;)
alert tcp $HOME_NET any -> [208.123.119.159] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalsecurebase.php"; depth:22; nocase; http.host; content:"securitytransfer.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/service-level-agreement-laboratory/"; depth:36; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lamperdingen.ch"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283533; rev:1;)
alert tcp $HOME_NET any -> [185.140.53.144] 8691 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283531; rev:1;)
alert tcp $HOME_NET any -> [89.23.107.91] 35077 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283530; rev:1;)
# Port 53/tcp to a single address: any TCP DNS (or DNS-over-TCP fallback) from
# an internal host to this IP will match, not just the C2 channel.
alert tcp $HOME_NET any -> [39.105.27.160] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"download.netuse1.eu.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283528; rev:1;)
alert tcp $HOME_NET any -> [37.152.57.102] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hukukarastirmavakfi.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283512; rev:1;)
# rsmbscm.wikilogistics.wiki is covered twice: the URL rule (HTTP GET /post.php)
# and the dns_query rule below, both at 75% confidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post.php"; depth:9; nocase; http.host; content:"rsmbscm.wikilogistics.wiki"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"rsmbscm.wikilogistics.wiki"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283526/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283524; rev:1;)
alert tcp $HOME_NET any -> [47.92.162.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.162.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283522; rev:1;)
alert tcp $HOME_NET any -> [154.44.29.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.44.28.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"128.1.40.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283519; rev:1;)
alert tcp $HOME_NET any -> [154.44.29.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.44.28.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283517; rev:1;)
alert tcp $HOME_NET any -> [1.92.96.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283516; rev:1;)
# The Host below looks, from its name, like a per-service hostname on a shared
# cloud API gateway; the rule matches only this exact hostname, not the
# gateway's parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283515; rev:1;)
alert tcp $HOME_NET any -> [165.3.87.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283514; rev:1;)
# A library-looking path (/jquery-3.3.1.min.js) is only suspicious together with
# this exact Host; the Host anchor, not the URI, carries the signal here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283513; rev:1;)
# Third fixed-token set, /dykkyhj8rwcvwqha/, across disposable .top/.xyz hosts
# (confidence 80%); exact-Host anchored like the earlier sets, so a host not in
# the feed is not covered even if it serves the same path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"renklidunyalarinrenkleriolsun.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevdaninsarkisigibigelsin.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutkutusuilehayatolsun.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukyolculuguguzelolsun.xyz"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgidansarkilarigelsin.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunadresigizemliolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"anilarinpeksimdihayatolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283486/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"guzelliklerinpekisiolsun.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"masalsendromuduygusugelsin.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"ruyalarinyoluyolculukolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sonsuzlukhikayesibaslasin.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"gizemlisularinsirriacilsin.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"yildizlararasindayolculukolsun.top"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283482/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutluluklimanlarigibiyolculuk.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutkaynaklarihayatinolsun.xyz"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"ruyalarindabulusmakolsun.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyoluolusturmakolsun.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; 
content:"hayatrenklidirnefesolsun.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukyolculugudanolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sonsuzlukyolculugundanolsun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunkaynaginagidenolsun.top"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyuregimizdeyerolsun.top"; depth:28; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutharitasiguzelolsun.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"hayalperestdunyalarindanolsun.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"guzelliklerinpesindeyizolsun.top"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"anilariniziunutmayinolsun.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283506/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"gizemlihayallerkurmakolsun.xyz"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutgunesindeyizolsun.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"umutseslerimutlulukgelsin.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"huzurunsirrikeyifles.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283476; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"hayalperestdunyamagazinolsun.xyz"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"sevgiyolculugugibioxyzgelsin.top"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"maceraperestdunyagezin.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"mutlulukkutusuhediyeolsun.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283478/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dykkyhj8rwcvwqha/"; depth:18; nocase; http.host; content:"renklikalemlerimagidolsun.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283479/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_09; classtype:trojan-activity; sid:91283479; rev:1;) alert tcp $HOME_NET any -> [185.164.138.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"health.sjp.ac.lk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"activecode.work"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blacktds.black"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"blacktds.cloud"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283464; rev:1;) alert tcp $HOME_NET any -> [43.143.245.43] 7002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"1.12.45.242"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.62.232.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283473; rev:1;) alert tcp $HOME_NET any -> [1.92.96.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283472; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-79k3uwa0-1317712796.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lebohdc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pinaylizzie.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"somlwebtactics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283468; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cloudsafeuae.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283465; rev:1;) alert tcp $HOME_NET any -> [196.217.71.182] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"coffeecrumbs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; 
sid:91283456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/22per.php"; depth:17; nocase; http.host; content:"coffeecrumbs.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help.php"; depth:9; nocase; http.host; content:"psk777.casa"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"georaldc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dmboxing.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wisconsin-tax-installment-agreement"; depth:36; nocase; http.host; content:"platypus-verlag.ch"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ecoledebatteriejonathandesrumeaux.fr"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"experience-apart.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_09; classtype:trojan-activity; sid:91283431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"enhornabatklubb.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"geomatikkbedriftene.no"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283436; rev:1;) alert tcp $HOME_NET any -> [45.74.25.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283459; rev:1;) alert tcp $HOME_NET any -> [45.94.168.134] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283453; rev:1;) alert tcp $HOME_NET any -> [147.78.103.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283452; rev:1;) alert tcp $HOME_NET any -> [64.227.156.18] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283451; rev:1;) alert tcp $HOME_NET any -> [5.42.106.219] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283450; rev:1;) alert tcp $HOME_NET any -> [89.116.159.203] 80 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283449; rev:1;) alert tcp $HOME_NET any -> [147.45.71.7] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283448; rev:1;) alert tcp $HOME_NET any -> [45.157.233.27] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283447; rev:1;) alert tcp $HOME_NET any -> [216.137.234.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283446; rev:1;) alert tcp $HOME_NET any -> [70.31.125.48] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283445; rev:1;) alert tcp $HOME_NET any -> [144.76.91.151] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; 
classtype:trojan-activity; sid:91283444; rev:1;) alert tcp $HOME_NET any -> [46.167.129.231] 15596 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283443; rev:1;) alert tcp $HOME_NET any -> [103.85.74.193] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283442; rev:1;) alert tcp $HOME_NET any -> [183.214.129.157] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283441; rev:1;) alert tcp $HOME_NET any -> [124.239.234.175] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283440; rev:1;) alert tcp $HOME_NET any -> [52.74.20.24] 5000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; 
depth:7; nocase; http.host; content:"117.204.193.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.192.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_09; classtype:trojan-activity; sid:91283437; rev:1;) alert tcp $HOME_NET any -> [188.127.247.28] 36800 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/43a214c8.php"; depth:13; nocase; http.host; content:"a0991246.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283434; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 7974 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_09; classtype:trojan-activity; sid:91283425; rev:1;) alert tcp $HOME_NET any -> [45.137.22.111] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283423; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 15352 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updatesqldb.php"; depth:16; nocase; http.host; content:"505732cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283421; rev:1;) alert tcp $HOME_NET any -> [5.180.148.45] 7159 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283420; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 15352 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/7providerlinux/cdngenerator/jspacketupdateprocessorserverprotecttraffictestdatalifeuploads.php"; depth:95; nocase; http.host; content:"38.180.165.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283418; rev:1;) alert tcp $HOME_NET any -> [77.83.196.180] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283416; rev:1;) alert tcp $HOME_NET any -> [101.126.91.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283415; rev:1;) alert tcp $HOME_NET any -> [185.119.196.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283414; rev:1;) alert tcp $HOME_NET any -> [124.71.102.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/load"; depth:5; nocase; http.host; content:"124.71.102.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.249.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283411; rev:1;) alert tcp $HOME_NET any -> [77.221.157.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283410; rev:1;) alert tcp $HOME_NET any -> [58.137.140.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"58.137.140.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283408; rev:1;) alert tcp $HOME_NET any -> [74.48.45.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283407; rev:1;) alert tcp $HOME_NET any -> [54.169.254.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"54.169.254.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283405; rev:1;) alert tcp $HOME_NET any -> [47.92.162.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.162.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"sanhaozhifu.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283401; rev:1;) alert tcp $HOME_NET any -> [165.3.87.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sanhaozhifu.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283400; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.22.152.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283398; rev:1;) alert tcp $HOME_NET any -> [78.178.72.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.89.200.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283395; rev:1;) alert tcp $HOME_NET any -> [118.89.200.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"97.64.18.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"146.70.149.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283393; rev:1;) alert tcp $HOME_NET any -> [20.244.96.7] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"20.244.96.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283391; rev:1;) alert tcp $HOME_NET any -> [13.49.238.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"58.53.128.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad-week-gw.aws-usw2.cloud-ara.tyk.io"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283388; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"bad-week-gw.aws-usw2.cloud-ara.tyk.io"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283387; rev:1;) alert tcp $HOME_NET any -> [193.124.33.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remove"; depth:7; nocase; http.host; content:"candycappa.store"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"candycappa.store"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"34.92.25.154"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283383/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hospitalstorage.azureedge.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283381; rev:1;) alert tcp $HOME_NET any -> [159.89.46.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/git.asp"; depth:8; nocase; http.host; content:"hospitalstorage.azureedge.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"110.42.249.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283379; rev:1;) alert tcp $HOME_NET any -> [84.129.151.24] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1283378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283378; rev:1;) alert tcp $HOME_NET any -> [152.53.20.106] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283377; rev:1;) alert tcp $HOME_NET any -> [152.53.20.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/agreement-side-effects/"; depth:24; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lilabrand.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6a9f8e2503d99c04.php"; depth:21; nocase; http.host; content:"23.88.106.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"b9y3b7ner2.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283372; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 17435 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283370; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 17435 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cv2b8uz46e.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283369; rev:1;) alert tcp $HOME_NET any -> [51.81.30.54] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283368/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chamadoregional.solutions"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuidadofinanceiro.agency"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fazenda-sps.one"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxtel.solutions"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nenaviste.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283364; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neskodny.builders"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prestador-xp.services"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vistoriaveicular.chat"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abastecimentoonline.chat"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atende-br.chat"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"businessgreat.one"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drosonfinfel.nenaviste.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dromonnancal.atende-br.chat"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dromongongor.businessgreat.one"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drocansal.fazenda-sps.one"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283353/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drocangoncol.businessgreat.one"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dresonnal4.abastecimentoonline.chat"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drelunral38.maxtel.solutions"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drejal.chamadoregional.solutions"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283349; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dratunmintil.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dratunlinfil.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dralundinnal.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"drabel4.maxtel.solutions"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"crovaz.abastecimentoonline.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crotunlinder.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crotal.maxtel.solutions"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crosonpal.businessgreat.one"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"croronqual225.vistoriaveicular.chat"; depth:35; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"croringungem.vistoriaveicular.chat"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cronanbel.vistoriaveicular.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crojal.cuidadofinanceiro.agency"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crohal.fazenda-sps.one"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283336; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crofer.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crocal3.fazenda-sps.one"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crisonlinder.neskodny.builders"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crironnonbil3.businessgreat.one"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crironcindor3.vistoriaveicular.chat"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"criel.cuidadofinanceiro.agency"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crical.chamadoregional.solutions"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cretonpaz.vistoriaveicular.chat"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cresonrol761.vistoriaveicular.chat"; depth:34; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crediz.atende-br.chat"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crasonqual.atende-br.chat"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crasonnal.cuidadofinanceiro.agency"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"crapennal24.prestador-xp.services"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; 
classtype:trojan-activity; sid:91283323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cramengonwel143.businessgreat.one"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cracal.nenaviste.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cracal.cuidadofinanceiro.agency"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clesonqual.vistoriaveicular.chat"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cleriz.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clegongor2.prestador-xp.services"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clananbel.neskodny.builders"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"clahenkil037.fazenda-sps.one"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"brutonlinjal.nenaviste.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brutonlanfer.maxtel.solutions"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brusonroncol.chamadoregional.solutions"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brumol164.fazenda-sps.one"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brumengonwel.abastecimentoonline.chat"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283310/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudiz.vistoriaveicular.chat"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudiz.neskodny.builders"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brudensintal.vistoriaveicular.chat"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brucal.nenaviste.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"brubenbonzol183.prestador-xp.services"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bluronpal.maxtel.solutions"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bluronbonxil.cuidadofinanceiro.agency"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blumol3.maxtel.solutions"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"blulunwinim.neskodny.builders"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blufel2.nenaviste.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bloriz.prestador-xp.services"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wisconsin-tax-installment-agreement/"; depth:37; nocase; http.host; content:"www.platypus-verlag.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283295; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17046 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; 
classtype:trojan-activity; sid:91283293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ktweb.home.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"labstyl.nazwa.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283297; rev:1;) alert tcp $HOME_NET any -> [37.44.238.75] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283284; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 13678 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assets.rdntocdns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; 
classtype:trojan-activity; sid:91283242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn.rdntocdns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"css.rdntocdns.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rest1.rdntocdns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"rest2.rdntocdns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intranat.vhfk.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; 
sid:91283253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"v7yen47u2e.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read-agreement-of-being-gay-for-30-days"; depth:40; nocase; http.host; content:"exotours.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283281; rev:1;) alert tcp $HOME_NET any -> [158.160.11.208] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"iheartredteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1283291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283290; rev:1;) alert tcp $HOME_NET any -> [154.198.245.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"154.198.245.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283288; rev:1;) alert tcp $HOME_NET any -> [105.105.234.158] 555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283286; rev:1;) alert tcp $HOME_NET any -> [47.103.52.146] 443 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283285/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283285; rev:1;) alert tcp $HOME_NET any -> [154.12.26.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283282; rev:1;) alert tcp $HOME_NET any -> [185.186.146.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.186.146.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283278; rev:1;) alert tcp $HOME_NET any -> [47.97.79.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283277/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.226.26.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"27.37.200.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.170.81.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.182.226.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283273; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.195.185.112"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"180.213.179.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.170.80.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283270; rev:1;) alert tcp $HOME_NET any -> [124.71.153.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.153.115"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283268; rev:1;) alert tcp $HOME_NET any -> [124.71.153.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/font-awesome.css"; depth:28; nocase; http.host; content:"124.71.153.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"4.191.74.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.239.1.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283263; rev:1;) alert tcp $HOME_NET any -> [47.239.1.232] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"106.52.130.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283262; rev:1;) alert tcp $HOME_NET any -> [124.71.153.115] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283260; rev:1;) alert tcp $HOME_NET any -> [43.138.143.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-o1dc3wx3-1311799005.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-o1dc3wx3-1311799005.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"89.116.48.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.51.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.104.230.184"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; 
classtype:trojan-activity; sid:91283241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283239; rev:1;) alert tcp $HOME_NET any -> [16.16.206.231] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283238; rev:1;) alert tcp $HOME_NET any -> [46.246.14.21] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283237; rev:1;) alert tcp $HOME_NET any -> [39.96.169.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283236; 
rev:1;) alert tcp $HOME_NET any -> [82.168.162.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283234; rev:1;) alert tcp $HOME_NET any -> [93.123.39.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283233; rev:1;) alert tcp $HOME_NET any -> [104.238.61.20] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283232; rev:1;) alert tcp $HOME_NET any -> [92.243.64.130] 31205 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283231; rev:1;) alert tcp $HOME_NET any -> [136.144.162.236] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; 
content:"pq2trelsquu44xbpritocamel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283207/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"k6fvq8c11dqqjd446ck9camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283205/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"7l19jlu5trkqndh24li4camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283206/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"brfw0g97s9mwun8juhb0camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283203/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"re5bvyc4l6004tqmtzp4camel.store"; depth:31; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1283204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"6zimks6know8jihvtoa8camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283201/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"3w0mi18gkfrf6l8a8d09camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283202/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"83.97.73.39"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283199/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"97felu2ehv0r5iff3cslcamel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283200/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_06_08; classtype:trojan-activity; sid:91283200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/tologin"; depth:14; nocase; http.host; content:"dcc.olcrv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283180/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_08; classtype:trojan-activity; sid:91283180; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12374 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_08; classtype:trojan-activity; sid:91283185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"wlw7obu15d6ru3eqy3o8camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"hqj6lhsgcnuxfnlj5y95camel.store"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283209/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ytyxnjljzdi1yzfh/"; depth:18; nocase; http.host; content:"inat-protv-box.net.tr"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283210/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_08; classtype:trojan-activity; sid:91283210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; 
content:"hvamkulturogforsamlingshus.dk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stamping-fee-for-sp-agreement"; depth:30; nocase; http.host; content:"saasfeerentals.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"i-likeitalot.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ikenouedojo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283226; rev:1;) alert tcp $HOME_NET any -> [138.162.7.28] 8000 (msg:"ThreatFox Sliver payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_08; classtype:trojan-activity; sid:91283229; rev:1;) alert tcp 
$HOME_NET any -> [4.203.104.98] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.92.24.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283227; rev:1;) alert tcp $HOME_NET any -> [154.12.93.14] 1153 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_08; classtype:trojan-activity; sid:91283225; rev:1;) alert tcp $HOME_NET any -> [93.123.39.193] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283216; rev:1;) alert tcp $HOME_NET any -> [94.142.138.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"94.142.138.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283214; rev:1;) alert tcp $HOME_NET any -> [81.69.242.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.69.242.80"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283212; rev:1;) alert tcp $HOME_NET any -> [45.152.65.65] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283198; rev:1;) alert tcp $HOME_NET any -> [107.173.83.222] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283197; rev:1;) alert tcp $HOME_NET any -> [121.127.245.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283196; rev:1;) alert tcp $HOME_NET any -> [103.145.191.123] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283195; rev:1;) alert tcp $HOME_NET any -> [70.31.125.208] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283194; rev:1;) alert tcp $HOME_NET any -> [93.123.39.194] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283193; rev:1;) alert tcp $HOME_NET any -> [91.92.255.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283192; rev:1;) alert tcp $HOME_NET any -> [128.14.237.188] 83 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283191; rev:1;) alert tcp $HOME_NET any -> [151.236.16.18] 25184 (msg:"ThreatFox 
BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283190; rev:1;) alert tcp $HOME_NET any -> [172.104.162.22] 16033 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283189; rev:1;) alert tcp $HOME_NET any -> [116.142.245.94] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283188; rev:1;) alert tcp $HOME_NET any -> [5.42.100.30] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283187; rev:1;) alert tcp $HOME_NET any -> [54.173.147.137] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283186; rev:1;) alert tcp $HOME_NET any -> [186.99.155.196] 8093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283181/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_07; classtype:trojan-activity; sid:91283181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njnegro8093.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283182; rev:1;) alert tcp $HOME_NET any -> [103.140.186.8] 58091 (msg:"ThreatFox BlueShell botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283183; rev:1;) alert tcp $HOME_NET any -> [52.77.230.248] 80 (msg:"ThreatFox BlueShell botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~druel10/wordpress/"; depth:20; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283176; rev:1;) alert tcp $HOME_NET any -> [185.251.91.214] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283179; rev:1;) alert tcp 
$HOME_NET any -> [77.91.77.122] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"check-ftp.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom-equity-plan-agreement"; depth:30; nocase; http.host; content:"yorkbrooks.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"firebirdimages.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxydncg.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; 
sid:91283175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faq"; depth:4; nocase; http.host; content:"xxydncg.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"check-ftp.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/10/how-can-i-cancel-my-internet-contract-without-paying/"; depth:65; nocase; http.host; content:"selwoodconsultants.co.ke"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283169; rev:1;) alert tcp $HOME_NET any -> [77.91.77.122] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; content:"prodfindfeatures.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/session"; depth:12; nocase; http.host; content:"retdirectyourman.eu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; 
content:"206.71.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pas0uqnfi0zec8kvhkn8cmhkhpai3u/fusionclientdownloader.exe"; depth:58; nocase; http.host; content:"206.71.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prodfindfeatures.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283138; rev:1;) alert tcp $HOME_NET any -> [206.71.149.46] 80 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283139; rev:1;) alert tcp $HOME_NET any -> [206.71.149.46] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283140; rev:1;) alert tcp $HOME_NET any -> [206.166.251.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1283142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retdirectyourman.eu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283141; rev:1;) alert tcp $HOME_NET any -> [206.166.251.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"erhvervsundhed.dk"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"retdirectyourman.eu"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"206.166.251.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagens/bo/inspecionando.php"; depth:29; nocase; http.host; content:"ebaoffice.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exercito/inspecionando.php"; depth:27; nocase; http.host; content:"109.110.184.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283158; rev:1;) alert tcp $HOME_NET any -> [109.110.184.31] 80 (msg:"ThreatFox Ousaban botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283159/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_07; classtype:trojan-activity; sid:91283159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebaoffice.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"206.233.133.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"20.83.148.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.144.219.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283161; rev:1;) alert tcp $HOME_NET any -> [47.92.24.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283150; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.92.24.58"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283149; rev:1;) alert tcp $HOME_NET any -> [116.204.73.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/xxx"; depth:8; nocase; http.host; content:"116.204.73.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283147; rev:1;) alert tcp $HOME_NET any -> [64.94.84.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atlanticshoresresort.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283145; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/v6.04/wwuf3e1d"; depth:21; nocase; http.host; content:"atlanticshoresresort.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283144; rev:1;) alert tcp $HOME_NET any -> [162.14.116.25] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283131; rev:1;) alert tcp $HOME_NET any -> [103.253.43.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"103.253.43.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.92.96.35"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283128/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"193.53.126.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283126; rev:1;) alert tcp $HOME_NET any -> [193.53.126.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283127; rev:1;) alert tcp $HOME_NET any -> [107.172.32.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.172.32.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"35.74.6.169"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283122; rev:1;) alert tcp $HOME_NET any -> [35.74.6.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"35.74.6.169"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283120; rev:1;) alert tcp $HOME_NET any -> [35.74.6.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.137.182.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/airline-baggage-agreement/"; depth:27; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ependyseis.com.gr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stamping-fee-for-sp-agreement/"; depth:31; nocase; http.host; content:"saasfeerentals.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"energotechnika.com.pl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283098; rev:1;) alert tcp $HOME_NET any -> [91.214.78.27] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283113/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_07; classtype:trojan-activity; sid:91283113; rev:1;) alert tcp $HOME_NET any -> [129.211.13.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283112; rev:1;) alert tcp $HOME_NET any -> [104.168.152.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283111; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 2250 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283110; rev:1;) alert tcp $HOME_NET any -> [187.147.96.86] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283109; rev:1;) alert tcp $HOME_NET any -> [67.0.216.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283108; rev:1;) alert tcp $HOME_NET any -> [91.105.3.223] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1283107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283107; rev:1;) alert tcp $HOME_NET any -> [2.50.35.165] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283106; rev:1;) alert tcp $HOME_NET any -> [95.164.7.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283105; rev:1;) alert tcp $HOME_NET any -> [54.219.6.25] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283104; rev:1;) alert tcp $HOME_NET any -> [181.237.195.93] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283103; rev:1;) alert tcp $HOME_NET any -> [20.56.35.166] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283101; rev:1;) alert tcp $HOME_NET any -> [162.55.63.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.196.132"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283099; rev:1;) alert tcp $HOME_NET any -> [54.254.91.191] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dressyrsnack.se"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282715; rev:1;) alert tcp $HOME_NET any -> [41.216.182.178] 655 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283082; rev:1;) alert tcp $HOME_NET any -> [62.72.45.179] 22222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283083; rev:1;) alert tcp $HOME_NET any -> [43.134.17.236] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283084; rev:1;) alert tcp $HOME_NET any -> [194.233.90.144] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_07; classtype:trojan-activity; sid:91283086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"edu.ngoinhatienganh.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phantom-equity-plan-agreement/"; depth:31; nocase; http.host; content:"yorkbrooks.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"embracethewater.wondermeeting.se"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1283096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91283096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dressyrsnack.se"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moderncssframeworks.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_07; classtype:trojan-activity; sid:91282630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hediyesepetcidepoz.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"cocuklukankarakoc.top"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"evsizlikmerkezvaz.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sagliklidayanikliq.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"huzursuzoyundunqa.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sevgiliaskcekilis.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282377/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_06_07; classtype:trojan-activity; sid:91282377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hatirlaunutmauyan.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"guzelresimlerqazan.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sogukkanlifirtina.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelimelermekaniq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"cikaracolukcagiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kahvehanekeyfian.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"baslayalimcalism.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelebekortulerqoq.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sorunludavranisvu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"nehirkenariyozca.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"mutlusunakyollar.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282388/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"buyuluaynalarqizq.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282389/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hafizadondurucuq.top"; 
depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282390/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"gizlimucizelervar.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282391/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"inandiricibakisvu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282392/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kelebekleroyunuq.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"vazgecilmezlikvur.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282393/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"hayattansikayetim.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"nefeskesenfirtina.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"keskecokdileyipto.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"guzelliklervarqac.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282397/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282397; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"isteklergelirgiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"saskinalacagimiz.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282400/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"sabirsizlaniyorum.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"rahatlikbuyukuyar.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"kalptenbagnazimi.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocvupwbr7dfirxmf/"; depth:18; nocase; http.host; content:"gucunuzetkilerqo.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_07; classtype:trojan-activity; sid:91282404; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15023 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91282405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"profilepimpz.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"versaillesinfo.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"ankokunews.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bkller.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"calgarycarfinancing.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"epsross.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jorzineonline.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_07; classtype:trojan-activity; sid:91283091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.jabils.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gentradings007.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrzn.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"43030warzone.warzonedns.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bossnew.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itself-lf.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283078/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91283078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.unicornsupplychains.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securenetwindows.ddns.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kolaw.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"innomac.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrat2021.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283071; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrrichie.ddnsfree.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warzonlogs.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitehvd2.home-webserver.de"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projex0192.rapiddns.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avira-antivirus.ydns.eu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"khan041.freeddns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wz-lk.giftsbybierd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoldwold.zanity.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eurolord.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"website-racing.at.playit.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dultrasolutions.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1283059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akwz.mypets.ws"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comblinez.ignorelist.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"princeofperkia.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glotreobmoenry.sytes.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"win64pooldrv.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283056/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akcay.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recieviblrggg.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spectrami12.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love.pure-luck.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"halal.home-webserver.de"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283049; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23543254365-58443.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypterfile.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newbroobi.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsupdate2024.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srvzone.gleeze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"benzkartel.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxb2021.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linelink-linesn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newone1.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sgh2024.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonnersturma-31352.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1283039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakriexports.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpraz.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"burger042.ddnsfree.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingbecld.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"su8z3r0.myvnc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283034/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91283034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabillo.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apostlejob2.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccduckdonald.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makatti.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtuallogoprepaidmax.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283029; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dansjueis.3utilities.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subal7.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chenchecnnn.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcwillis.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mangomanga.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"thebeast415.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sept06.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebelxxd2.publicvm.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boldwold.home.kg"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobibaobobo.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wz-patient001.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1283018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l34d3r.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1283017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283017; rev:1;) alert tcp $HOME_NET any -> [109.248.151.69] 42255 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283015; rev:1;) alert tcp $HOME_NET any -> [103.199.17.61] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283016; rev:1;) alert tcp $HOME_NET any -> [191.101.193.159] 3800 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283012; rev:1;) alert tcp $HOME_NET any -> [194.49.68.246] 8912 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283013; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 6611 
(msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283014; rev:1;) alert tcp $HOME_NET any -> [178.124.140.145] 28199 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283010; rev:1;) alert tcp $HOME_NET any -> [194.5.97.8] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283011; rev:1;) alert tcp $HOME_NET any -> [23.106.121.172] 3200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283009; rev:1;) alert tcp $HOME_NET any -> [185.140.53.185] 2844 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283006; rev:1;) alert tcp $HOME_NET any -> [185.19.85.183] 5208 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283007/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283007; rev:1;) alert tcp $HOME_NET any -> [172.93.222.206] 61134 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283008; rev:1;) alert tcp $HOME_NET any -> [172.98.71.154] 59226 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283003; rev:1;) alert tcp $HOME_NET any -> [108.62.118.131] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283004; rev:1;) alert tcp $HOME_NET any -> [192.236.249.173] 2709 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283005; rev:1;) alert tcp $HOME_NET any -> [84.38.130.205] 40209 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283000; rev:1;) alert tcp $HOME_NET any -> [79.134.225.11] 3839 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283001; rev:1;) alert tcp $HOME_NET any -> [5.253.84.218] 6500 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1283002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91283002; rev:1;) alert tcp $HOME_NET any -> [167.94.7.143] 3456 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282998; rev:1;) alert tcp $HOME_NET any -> [64.188.13.46] 13372 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282999; rev:1;) alert tcp $HOME_NET any -> [2.56.59.221] 5215 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282997; rev:1;) alert tcp $HOME_NET any -> [161.129.36.61] 2312 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282995; rev:1;) alert 
tcp $HOME_NET any -> [94.131.110.60] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282996; rev:1;) alert tcp $HOME_NET any -> [38.255.43.179] 6789 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282994; rev:1;) alert tcp $HOME_NET any -> [65.108.26.146] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282991; rev:1;) alert tcp $HOME_NET any -> [194.5.97.52] 11101 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282992; rev:1;) alert tcp $HOME_NET any -> [3.137.210.150] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282993; rev:1;) alert tcp $HOME_NET any -> [45.143.146.112] 7865 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282988/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282988; rev:1;) alert tcp $HOME_NET any -> [103.212.81.155] 1916 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282989; rev:1;) alert tcp $HOME_NET any -> [161.97.88.42] 45266 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282990; rev:1;) alert tcp $HOME_NET any -> [193.142.58.28] 53698 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282985; rev:1;) alert tcp $HOME_NET any -> [185.140.53.91] 1866 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282986; rev:1;) alert tcp $HOME_NET any -> [185.29.9.45] 49173 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282987; rev:1;) alert tcp $HOME_NET any -> [109.248.151.213] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282983; rev:1;) alert tcp $HOME_NET any -> [147.124.214.249] 65210 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282984; rev:1;) alert tcp $HOME_NET any -> [45.74.4.244] 5205 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282980; rev:1;) alert tcp $HOME_NET any -> [45.124.54.94] 5590 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282981; rev:1;) alert tcp $HOME_NET any -> [45.138.16.138] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282982; rev:1;) alert tcp $HOME_NET any -> [96.9.225.105] 61861 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282977; rev:1;) alert tcp $HOME_NET any -> [172.94.14.49] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282978; rev:1;) alert tcp $HOME_NET any -> [23.106.121.172] 1964 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282979; rev:1;) alert tcp $HOME_NET any -> [37.120.159.243] 11904 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282975; rev:1;) alert tcp $HOME_NET any -> [51.143.13.25] 4400 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282976; rev:1;) alert tcp $HOME_NET any -> [84.38.132.126] 59937 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282973; rev:1;) alert tcp $HOME_NET any -> [192.3.152.217] 48974 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282974; rev:1;) alert tcp $HOME_NET any -> [194.5.97.10] 3638 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282971; rev:1;) alert tcp $HOME_NET any -> [109.248.144.183] 60567 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282972; rev:1;) alert tcp $HOME_NET any -> [172.245.244.106] 7889 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282968; rev:1;) alert tcp $HOME_NET any -> [185.140.53.188] 4020 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282969; rev:1;) alert tcp $HOME_NET any -> [140.82.17.48] 5100 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282970; rev:1;) alert tcp $HOME_NET any -> [45.137.22.105] 4821 (msg:"ThreatFox Ave Maria 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282967; rev:1;) alert tcp $HOME_NET any -> [38.153.157.23] 2202 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282964; rev:1;) alert tcp $HOME_NET any -> [185.223.28.102] 5252 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282965; rev:1;) alert tcp $HOME_NET any -> [144.172.72.234] 2221 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282966; rev:1;) alert tcp $HOME_NET any -> [194.147.140.135] 8247 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282961; rev:1;) alert tcp $HOME_NET any -> [185.140.53.13] 3431 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282962/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282962; rev:1;) alert tcp $HOME_NET any -> [217.151.98.163] 6093 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282963; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282958; rev:1;) alert tcp $HOME_NET any -> [193.22.99.92] 5599 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282959; rev:1;) alert tcp $HOME_NET any -> [185.45.193.18] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282960; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 2121 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282956; rev:1;) alert tcp $HOME_NET any -> [46.183.222.92] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282957; rev:1;)
# ---------------------------------------------------------------------------------------------
# ThreatFox "botnet C2 traffic (domain)" DNS rules, IOC ids 1282841-1282957, all first_seen 2024-06-06.
#
# Every rule below is the same template; only the domain, its byte length and the IOC id vary:
#
#   alert dns $HOME_NET any -> $EXTERNAL_NET any   -- DNS queries leaving $HOME_NET, "alert" only (no drop)
#   dns_query; content:"<domain>"; depth:<len>; fast_pattern; isdataat:!1,relative; nocase;
#       depth:<len> anchors the content at the start of the queried name and isdataat:!1,relative
#       rejects any byte after it, so this is an EXACT (case-insensitive) match on the queried name.
#       Subdomains do not fire the rule: a query for "www.<domain>" or "<anything>.<domain>" is NOT matched.
#   target:src_ip  -- the alert's target is the querying host (the suspected infected machine), not the
#                     resolver or the resolved address. NOTE(review): if an internal recursive resolver
#                     sits between clients and the sensor, src_ip will be the resolver; correlate with
#                     resolver query logs to get back to the client.
#   sid:9<ioc_id>  -- the sid is the ThreatFox IOC id with a leading 9 (e.g. ioc/1282955 -> sid:91282955);
#                     the reference:url points at that IOC page, which carries the malware family and
#                     reporter context that the generic msg text does not.
#
# Deployment caveats (to confirm against your own environment):
#   - The sensor has to see the DNS query itself; resolution over DoH/DoT, or upstream traffic from a
#     resolver outside the monitored path, will not trigger these rules.
#   - confidence_level 100 is the reporter's confidence in ThreatFox, not a measured false-positive rate.
#     Several entries are single hosts on shared dynamic-DNS / free-hosting zones (duckdns.org, axfree.com,
#     axwebsite.com, mooo.com, crabdance.com, zzux.com, xsph.ru); the exact-match design above means the
#     parent zone is unaffected, so do not widen these to the zone when converting to blocks.
#     A few names look like ordinary registered sites and may be compromised hosts rather than
#     attacker-owned infrastructure -- check the referenced IOC page before blocking.
#   - first_seen is 2024-06-06 for all of them and nothing expires: C2 domains get sinkholed, dropped and
#     re-registered by unrelated parties, so re-pull the feed or age these rules out instead of keeping
#     them indefinitely.
# ---------------------------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fontdrvhost.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prepepe.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jimmy.axfree.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equipemaverick.com.br"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.oteqprojects.co.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282949; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veronikaa.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282950; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morasergiov.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erolbasa.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282947; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marktravel.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282948; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evans1990.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282944; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gconnect.pro"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282945; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carecureco.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282946; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secureredirectinfo.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282942; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solarhomesflorida.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282943; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazooyaar.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282940; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collegesboard.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282941; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtqt.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282938; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcee1990.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282939; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gimermarkett.de"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282936; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vu.zzux.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282937; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tel4s6.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282933; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndy.cloudbot.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282934; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ibroot.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggtyyu.pw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkcoder.com.tr.ht"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282932; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgibin.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282928; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yungfang.co.vu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282929; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pretorian.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282930; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fair.le-pearl.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hanxlas.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"courtneysdv.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282923; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spamcxcs.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaonyisi.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282925; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zvv.asia"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kapsengineers.cf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malcacnba.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282921; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morasegio.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282918; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almed-trading.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282919; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradaltman.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282913; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsefsfeg.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fieldhockeygoalies.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielmax.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kckark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282917; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malarcvgs.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282908; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"st4q2p.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282909; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singsing.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282910; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mark02.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282911; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zubroxmack.cf"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282912; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrisupdated.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282903; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projecty.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282904; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sl9xa73g7u3eo07wt42n7f4vin5fzh.biz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282905; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ademg.ug"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282906; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.m-fit.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282907; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"golfhomexpresx.ir"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282898; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virzx.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282899; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eesss.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282900; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jamesrlon.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282901; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleaiasko.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282902; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reteroporino.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hp-tv.tk"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282896; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282897; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secureconnection.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282889; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"92g938uextmgvb7rllv8wcad.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5llion.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282891; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndy.derg.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glancehcs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manguerassorna.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linm.thetxt.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282884; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hersheystyles.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282885; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"destad.axfree.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282886; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odminponel.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282887; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lg-tvproducts.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282888; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"timecforgoodnes.ml"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282879; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedemo.axfree.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clemody.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemsbundle.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282882; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hikark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282883; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwipl.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282873; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raslack.axwebsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282874; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projectblackhat.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282875; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bhd9999.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282876; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ck7.mooo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colonna.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"centarcrkva.rs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282868; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"try.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgp.opcache.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuscan-travel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thekurva.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282872; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irk1990.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282863; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjggvbc.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agencybro.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8.crabdance.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ssq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nedu1994.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmorbertomo.ac.ug"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dllion.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4llion.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmdevelopment.tech"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282861; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maurizio.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282862; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0575754.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gisfvui.bankfab.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samkoproducts.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282854; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cabvui.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alazlfa.cf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gordonhk.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282846; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gervenez.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282847; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfbrice.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282848; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samsungprod.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282849; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cubicatransport.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spetralnet2.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aaaegchigruigb.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282841; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"archosk.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaragoza.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stanelectronics.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irkark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.blsasco.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fine.le-pearl.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chikkark.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebeksarayi.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterwork.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mast3r.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fredarlessonmark.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"e4v5sa.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kullasa.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tecnomedica.com.py"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duiy.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2tril.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ra.adriansbruce.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yrhealth.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpsthree.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomasisa.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gagaggahehehqwe.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostisgerhg.tk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkangel.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giuseppex.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hzq.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabloq.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support121.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"tikwish.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orisinlog.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fragly.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestbundledealer.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzz.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msdd.x24hr.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ivchenkosvetlana.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21slg.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madamongo.gq"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edkark.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brakiporodica.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spacelogsapp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oilproduce.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"any.anycarservice.ae"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quisha.axwebsite.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worthknowing.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"friktomb.cf"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterwork2.co.vu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taenaiaa.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.oteqprojects.co.in"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamyviolet.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"letitburns.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buck-mhe.cf"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serhuwadwtr.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evakark.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"str1str2.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luckydaddy.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zdd.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastercard.ru.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodcircus.ro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raymond.ug"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shivabhaiji.in"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"chika1995.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybersd.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5azc.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a343345.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.icu"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hzq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levitt.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floorsatregency.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedrives.tr.ht"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegas2e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"internetstores.co.vu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"regay.ac.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtgtradings.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvscreen.co.vu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dellproductz.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accdemo.axwebsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"robbmaterials.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboliki.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxxze.co.nu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12345678987654321.link"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"master101work.co"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notedemo.com.tr.ht"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzworx.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5azc.club"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onenote.com.tr.ht"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modexdeals.ir"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebatsosatpizdec.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91282763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chika1992.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsagoi.ac.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lettingos.co.vu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mantis.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vegas1e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"k6vq28tbjbz5rhjsgtm3gmsy.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wellsfargocs.ddns.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratienoinino.pw"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"califood.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takpo.biz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eurob.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1282744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scarsa.ac.ug"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sailent.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.emailonlinechase.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"payddes.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bakas1e.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jessecoltd.ir"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postalresolve.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corinthiano.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paulahensingor.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domazy.ga"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"novget.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tycoonelite.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikramonayparibuda.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milsom.ug"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"augmentinprod.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jehovah-reigns.co.za"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zbd.divendesign.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twinsoul.co.za"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datafishers.club"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratinonanuere.pw"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadia.ac.ug"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kelbro.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bin1101oski.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazon3.serveuser.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"777.ultihost.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unitech.co.vu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"carding.axfree.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osiq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marianne.ac.ug"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lizzard.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ourfirm.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malscxa.ac.ug"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunwindz.in.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunqyuindia.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipc-nena.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9enternecera.ru.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9entrevera.sa.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soitaab.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no1geekfun.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aegismd.ca"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de4mon-p4nel.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgjeweller.mu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"mmcjo.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trafficbadassery.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dimensionluz.cl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b1xz.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web24host.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zenginler.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marbellacabs.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adwa2tv.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elsantos.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcharglaw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smarteyecare.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pplonline.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dantsechs.net"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1282691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tel9e.xyz"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1282688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lomidut.tk"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.85.90.220"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282690; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"xpensive.xyz"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"boeinq.co"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1282686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bsig99.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bctpump.us"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.206.214.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282683; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sbrenind.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1282684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tel1e4.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"basig5.xyz"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1282681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282681; rev:1;) alert tcp $HOME_NET any -> [52.70.77.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btn_bg.html"; depth:12; nocase; http.host; content:"bimnall.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d18j3cpsvifpk9.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/btn_bg.html"; depth:12; nocase; http.host; content:"d18j3cpsvifpk9.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"158.247.222.223"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binaryassassins2.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conflicker-35081.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7vety-47274.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"independent-cartoons.gl.at.ply.gg"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigtitties.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"user5698921.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vam0vsem0pizda.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282669; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kissmyasshole.myddns.me"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sulumantest.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anime.ddnsking.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loocarpoint.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mvncentral.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"owo-whats-this.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laraloveu-49133.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dontreachme2.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"increased-religious.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"try-belly.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"title-connectors.gl.at.ply.gg"; depth:29; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"general5555-46584.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanonana24.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alternative-residents.gl.at.ply.gg"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bambuvn.webhop.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solution-fiscal.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282649/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ligeon.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graphics-absorption.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd1ad2.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"live-promotions.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malwaretest.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"femboy.serveminecraft.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonamedc.mcv.kr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riskama.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"following-s.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"story-towers.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"centre-shaped.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrgrayhat.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"search-mrs.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"period-disabilities.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"growtopiagame1.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kmoukoun.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uhhusk.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galrov2.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medicine-pushing.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obfuscated.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us-dux-53.pointtoserver.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1282631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282631; rev:1;) alert tcp $HOME_NET any -> [37.115.42.57] 12332 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282618; rev:1;) alert tcp $HOME_NET any -> [94.103.83.231] 1379 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282619; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 56938 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282620; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 19705 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282621; rev:1;) alert tcp $HOME_NET any -> [185.154.14.217] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282622; rev:1;) alert tcp $HOME_NET any -> [172.94.54.88] 1756 
(msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282623; rev:1;) alert tcp $HOME_NET any -> [36.68.21.159] 1134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282624; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 34332 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282625; rev:1;) alert tcp $HOME_NET any -> [77.105.161.143] 1268 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282626; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 46469 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282627; rev:1;) alert tcp $HOME_NET any -> [188.119.113.64] 1604 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282628/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282628; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 58576 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282629; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 4747 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282603; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 13642 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282604; rev:1;) alert tcp $HOME_NET any -> [194.33.87.67] 7707 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282605; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 58029 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282606; rev:1;) alert tcp $HOME_NET any -> [26.65.233.242] 10135 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282607; rev:1;) alert tcp $HOME_NET any -> [92.240.245.161] 8010 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282608; rev:1;) alert tcp $HOME_NET any -> [107.175.178.6] 30030 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282609; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 54431 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282610; rev:1;) alert tcp $HOME_NET any -> [58.172.73.190] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282611; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 29613 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282612; rev:1;) 
alert tcp $HOME_NET any -> [31.44.184.52] 43660 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282613; rev:1;) alert tcp $HOME_NET any -> [80.85.140.103] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282614; rev:1;) alert tcp $HOME_NET any -> [94.156.8.26] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282615; rev:1;) alert tcp $HOME_NET any -> [26.98.233.13] 4433 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282616; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 65246 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282617; rev:1;) alert tcp $HOME_NET any -> [31.220.90.137] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282592; rev:1;) alert tcp $HOME_NET any -> [91.109.186.2] 1194 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282593; rev:1;) alert tcp $HOME_NET any -> [100.114.145.122] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282594; rev:1;) alert tcp $HOME_NET any -> [178.200.180.146] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282595; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 36598 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282596; rev:1;) alert tcp $HOME_NET any -> [39.114.81.81] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282597; rev:1;) alert tcp $HOME_NET any -> [191.101.34.192] 58038 (msg:"ThreatFox Orcus 
RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282598; rev:1;) alert tcp $HOME_NET any -> [84.145.55.225] 5061 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282599; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 35081 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282600; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 63367 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282601; rev:1;) alert tcp $HOME_NET any -> [79.139.133.118] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282602; rev:1;) alert tcp $HOME_NET any -> [31.44.184.52] 61815 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282587/; target:src_ip; metadata: confidence_level 100, first_seen 
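2024_06_06; classtype:trojan-activity; sid:91282587; rev:1;)
# --- Reviewer notes (local, not part of the upstream ThreatFox feed) ---
# One rule per line: Suricata reads each physical line as one rule (a rule may
# only continue onto the next line with a trailing backslash), so rules that
# wrapped mid-option above would fail to load. Re-flowed below; rule text is
# unchanged, nothing added or dropped.
# ip:port rules (Orcus RAT C2): there is no flow/state keyword, so any packet
# from $HOME_NET to the listed IP:port fires, including an unanswered SYN.
# "threshold: type limit, track by_src, seconds 60, count 1" caps alerting at
# one alert per internal source per minute. "target:src_ip" marks the internal
# host as the victim in eve.json, which is what SIEM enrichment keys on.
# url rules: the http.uri content carries depth:N but no isdataat, so it is a
# prefix match ("/index.php" also matches "/index.php?x=1"); the http.host
# content is followed by "isdataat:!1,relative", so the host is an exact match
# and a longer domain sharing the prefix does not fire. Several entries share
# very generic paths ("/index.php", "/api") and differ only in the host.
# Every entry here is first_seen 2024_06_06 at confidence_level 100; shared
# hosting IPs and ccTLD/free domains get reassigned, so triage hits against the
# referenced threatfox.abuse.ch/ioc/<ioc-id>/ page before acting on a host.
alert tcp $HOME_NET any -> [78.101.85.87] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282588; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 10996 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282589; rev:1;)
alert tcp $HOME_NET any -> [74.118.139.67] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282590; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 40772 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282591; rev:1;)
alert tcp $HOME_NET any -> [109.195.6.203] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282573; rev:1;)
alert tcp $HOME_NET any -> [84.32.231.109] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282574; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 54772 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282575; rev:1;)
alert tcp $HOME_NET any -> [158.247.250.127] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282576; rev:1;)
alert tcp $HOME_NET any -> [193.124.65.108] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282577; rev:1;)
alert tcp $HOME_NET any -> [104.250.175.179] 1756 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282578; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 23303 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282579; rev:1;)
alert tcp $HOME_NET any -> [5.180.106.95] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282580; rev:1;)
alert tcp $HOME_NET any -> [74.208.235.52] 27016 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282581; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 32154 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282582; rev:1;)
alert tcp $HOME_NET any -> [93.157.168.72] 27667 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282583; rev:1;)
alert tcp $HOME_NET any -> [31.44.184.52] 64770 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282584; rev:1;)
alert tcp $HOME_NET any -> [194.33.87.67] 50010 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282585; rev:1;)
alert tcp $HOME_NET any -> [26.122.164.110] 10110 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282586; rev:1;)
alert tcp $HOME_NET any -> [91.151.89.167] 1208 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282567; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 43279 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282568; rev:1;)
alert tcp $HOME_NET any -> [47.37.131.144] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282569; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 64220 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282570; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 52251 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282571; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 59285 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282572; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/siv/index.php"; depth:14; nocase; http.host; content:"piontx.ga"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282566; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"loqiworou7213.icu"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"abnmz.akrn12.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282565; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"207.154.254.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.202.175.53"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282561; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"rakaka.om-nom-nom.li"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282562; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"hellokitty.services"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ya/index.php"; depth:13; nocase; http.host; content:"egonla.futbol"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lizard.pw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"u-ri.icu"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"invalid666.zzz.com.ua"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282556; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/panel/index.php"; depth:20; nocase; http.host; content:"aquavictus.hr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"45.88.78.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282555; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"46.17.46.109"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~ygnwgnrp/gate.php"; depth:19; nocase; http.host; content:"mike.rivalserver.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/petit/index.php"; depth:16; nocase; http.host; content:"petitbox.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"clusterpro.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/disk/index.php"; depth:15; nocase; http.host; content:"vitani.tk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"pyttyu.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sdf41.club"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/andromache/index.php"; depth:21; nocase; http.host; content:"mahnatkin.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"noforcingcarttf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azo/gate.php"; depth:13; nocase; http.host; content:"siteverification.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"51.15.76.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"hostname.vip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sti/gate.php"; depth:13; nocase; http.host; content:"b-cointrade.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cashouts.tk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/547d5c/index.php"; depth:17; nocase; http.host; content:"baran.live"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/index.php"; depth:12; nocase; http.host; content:"bronze2.hk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"au.tanto.pro"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kinotoday.ug"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282535; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"gebbatrip.club"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"2019-new.tk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1gw3/index.php"; depth:15; nocase; http.host; content:"185.195.236.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282533; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gray/index.php"; depth:15; nocase; http.host; content:"ciuj.ir"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kc/panel/index.php"; depth:19; nocase; http.host; content:"172.245.142.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282531; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"84.38.132.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1a6b3831-a96d-4936-815a-6f7c904ef9c0/index.php"; depth:47; nocase; http.host; content:"163.172.175.132"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/au/gate.php"; depth:12; nocase; http.host; content:"mcgua.com.ua"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"185.70.107.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"178.128.120.2"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"docusign.bit"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/showmoney/index.php"; depth:20; nocase; http.host; content:"ciuj.ir"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/obinna/index.php"; depth:17; nocase; http.host; content:"jahblessus.gq"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lekon/index.php"; depth:16; nocase; http.host; content:"141.105.64.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"5.101.78.169"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8a16f818-e5a3-49ae-bf99-250e1f00b04e/index.php"; depth:47; nocase; http.host; content:"217.8.117.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x/index.php"; depth:12; nocase; http.host; content:"185.195.236.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282518; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~zadmin/amark/xplora/index.php"; depth:31; nocase; http.host; content:"physdigitech.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modez/3.2/index.php"; depth:20; nocase; http.host; content:"t1t2.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282517; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bulbukito.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8205729e-d49f-49c3-831f-b7f116560634/index.php"; depth:47; nocase; http.host; content:"51.15.199.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"fyreplittgothin.pw"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/045ba308-0877-4f9a-935d-9f1a174f7d38/index.php"; depth:47; nocase; http.host; content:"51.15.235.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/goml/panel3/index.php"; depth:22; nocase; http.host; content:"193.56.28.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282512; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mag/index.php"; depth:14; nocase; http.host; content:"stastports.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"purefinishonerbrothsjke.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"economelogainyjusk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alcojoldwograpciw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"patternapplauderw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disagreemenywyws.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282506; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pearcyworkeronej.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"messtimetabledkolvk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282504; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preachbusstyoiwo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"poledoverglazedkilio.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"handbreeadretwaiw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282501; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"biographyfirmtrisie.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wastwfulldashiwnjs.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"horsedwollfedrwos.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282498; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tigerrfunerlariro.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282497; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"corruptioncrackywosp.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surpriserangeloggypo.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET 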
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rightchampionieo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"counterrailcrwu.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"survivalpersisttww.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roleprofittypleasw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; 
nocase; http.host; content:"churchemipircasowl.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"portaircoveragejsuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tubewelfaredopw.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"glossydecentjuskwos.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chunkylopsidedwos.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282486/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rankrandomotherwjsui.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"allowbloodythinkews.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stingmisplacedelivrrw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"declineforntyuekw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"geneticsockkdwlsaw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"surprisemakedjukenw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"refundemobxyyeols.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rejectbettysmartws.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"warmstrawcounwyhj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"questionconservawuts.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pollutiofactwoijk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"understanndtytonyguw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"comedyhorizonbedwus.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282473/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"catlackjellyodwps.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conceptionextortyosw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"burnfamesoilratewo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"kitchenreviewbewrwsa.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jobbyshysinduksowp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pilothardwarreodsi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cassetteprodueiwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cinemaclinicttanwk.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"deprivedrinkyfaiir.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ensureclackexcatwi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rocketmusclesksj.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fantasticabnormally.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"adoptionalbumgesw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282460/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"quitdigitalplatforwi.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hushedsombkereos.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tropicalironexpressiw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"templecharteredowis.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"routinecontoradwjsk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"declarationlastyj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"greetclassifytalk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vehicledropliberwls.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"methodgreenglassdatw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"museumtespaceorsp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pumpkindribblewo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"considerrycurrentyws.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"recognizestainsw.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282447/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"despairphtsograpgp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"valuablestraigwhi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"relaxtionflouwerwi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bettynoticecovej.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nimkishraddedrew.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"libertyliebindywv.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"arrangementyforumekw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"voicelighterrrepso.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"souptapedentisttactiwe.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"seasonaldemonstradojs.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"uncertaintyrestsju.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stripmarrystresew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fireplacecheckwi.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282434/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preocucupationssk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"footflexibleacts.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"explocommisiowsa.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"simplicitynegotiatiw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"grazeinnocenttyyek.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"colorprioritytubbew.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fixturewordbakewos.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"varianntyfeecterd.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"detailbaconroollyws.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"palacetilecomplew.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fragmentyperspowp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"distributopsuoprs.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"accountasifkwosov.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282421/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"abuselinenaidwjuew.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"negotitatiojdsuktoos.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"descriptionappleoj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"evokeoutlooklits.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"penetratedworrsyw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ticketgradiencomfj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"textureshallodsjk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bowelunitrydoorsko.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"phobicgiddyfivverr.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paininsrertymarshwke.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"slamcopynammeks.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"demonstratedesighw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"joblkessprosgeow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282408/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"listenmoutioncow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"exceptionwillapews.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282406; rev:1;) alert tcp $HOME_NET any -> [13.54.165.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282371; rev:1;) alert tcp $HOME_NET any -> [52.242.23.54] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282370; rev:1;) alert tcp $HOME_NET any -> [91.103.252.124] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282369/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_06; classtype:trojan-activity; sid:91282369; rev:1;) alert tcp $HOME_NET any -> [34.146.210.28] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282368; rev:1;) alert tcp $HOME_NET any -> [217.165.78.126] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282367; rev:1;) alert tcp $HOME_NET any -> [167.71.92.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282366; rev:1;) alert tcp $HOME_NET any -> [158.140.133.56] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282365; rev:1;) alert tcp $HOME_NET any -> [35.90.91.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282364; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20064 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1282362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282362; rev:1;) alert tcp $HOME_NET any -> [194.163.160.254] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282363; rev:1;) alert tcp $HOME_NET any -> [97.74.94.45] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282361; rev:1;) alert tcp $HOME_NET any -> [194.113.75.56] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dmboxing.co"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282359; rev:1;) alert tcp $HOME_NET any -> [80.253.239.170] 31089 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282351; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 11520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282354; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 10680 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282355; rev:1;) alert tcp $HOME_NET any -> [165.154.58.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"www.163microsoft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282357; rev:1;) alert tcp $HOME_NET any -> [165.154.58.22] 
3332 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"165.154.33.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"buyinginfo.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282334/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comparetextbook.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282335/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dmfarmnews.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282336/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flaworkcomp.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282337/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glassdoog.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282338/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"goodrapp.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gulfesolutions.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"indiinfo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"iplanforamerica.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"londonisthereason.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282343/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mongolianshipregistrar.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"onmnews.com"; depth:11; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shreyaninfotech.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"starlightstar.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unixhonpo.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7gzi.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bramjtop.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282333/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282333; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"denisburns.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"estankaralar.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"mahalleestankaralar.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"mahallekaradakal.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karayakder2.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"laleneredeler.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"larnakdalar3.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karekeldeds.shop"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1282322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"hasretkalmanav.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"kamelyanat5.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karedekalan.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl"; depth:17; nocase; http.host; content:"hasretkalmanavdas3.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; 
classtype:trojan-activity; sid:91282327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtewmwe4odfhnzhl/"; depth:18; nocase; http.host; content:"karekeldeds4.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_06; classtype:trojan-activity; sid:91282326; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"libet-kielce.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"licorice.uz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282315; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 46231 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282314; rev:1;) alert tcp $HOME_NET any -> [118.70.125.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iheartredteams.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"iheartredteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"levaho.fr"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; 
depth:10; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"getcloudsolutions.dev"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282305; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"172.81.211.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"62.234.19.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282303; rev:1;) alert tcp $HOME_NET any -> [31.128.39.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282296; rev:1;) alert tcp $HOME_NET any -> [8.222.250.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282295/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.222.250.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282294; rev:1;) alert tcp $HOME_NET any -> [31.128.39.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"31.128.39.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.175.107.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; 
http.host; content:"106.75.75.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282289; rev:1;) alert tcp $HOME_NET any -> [8.130.175.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"qq.jjxy.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.jjxy.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.92.96.35"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282284; rev:1;) alert tcp $HOME_NET any -> [101.42.4.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-l24muftx-1251354025.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1282282/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282282; rev:1;) alert tcp $HOME_NET any -> [120.46.208.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.46.208.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282278; rev:1;) alert tcp $HOME_NET any -> [106.54.42.56] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"damousese.xyz"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282276; rev:1;) alert tcp $HOME_NET any -> [147.45.41.171] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282275/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282275; rev:1;) alert tcp $HOME_NET any -> [172.214.254.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282274/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282274; rev:1;) alert tcp $HOME_NET any -> [94.156.8.171] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282273; rev:1;) alert tcp $HOME_NET any -> [47.120.40.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282272; rev:1;) alert tcp $HOME_NET any -> [75.161.225.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282271; rev:1;) alert tcp $HOME_NET any -> 
[75.161.228.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282270; rev:1;) alert tcp $HOME_NET any -> [160.176.132.123] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282269; rev:1;) alert tcp $HOME_NET any -> [217.164.83.209] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282268; rev:1;) alert tcp $HOME_NET any -> [192.53.174.141] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282267; rev:1;) alert tcp $HOME_NET any -> [103.245.39.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282266; rev:1;) alert tcp $HOME_NET any -> [91.92.245.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282265/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_06_06; classtype:trojan-activity; sid:91282265; rev:1;) alert tcp $HOME_NET any -> [52.194.213.46] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282264; rev:1;) alert tcp $HOME_NET any -> [163.181.128.95] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282263; rev:1;) alert tcp $HOME_NET any -> [176.32.68.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.214.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282261; rev:1;) alert tcp $HOME_NET any -> [49.13.214.194] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmcw4fd/index.php"; depth:18; nocase; http.host; content:"getcloudsolutions.dev"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"24f1989.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"24f1989.com"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1279485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91279485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"les-dessous-de-karen.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282221; rev:1;) alert tcp $HOME_NET any -> [93.123.39.185] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282222; rev:1;) alert tcp $HOME_NET any -> [164.92.254.4] 1111 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282254; rev:1;) alert tcp $HOME_NET any -> [45.131.111.48] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91279165; rev:1;) alert tcp $HOME_NET any -> [209.141.60.86] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; 
sid:91279166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"js.ddcc.bf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91279167; rev:1;) alert tcp $HOME_NET any -> [185.49.70.98] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282257; rev:1;) alert tcp $HOME_NET any -> [87.251.67.92] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_06; classtype:trojan-activity; sid:91282258; rev:1;) alert tcp $HOME_NET any -> [80.66.88.146] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282255; rev:1;) alert tcp $HOME_NET any -> [185.49.69.41] 80 (msg:"ThreatFox WarmCookie botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282256; rev:1;) alert tcp $HOME_NET any -> [91.204.163.19] 8090 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1282252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282252; rev:1;) alert tcp $HOME_NET any -> [94.177.183.28] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282253; rev:1;) alert tcp $HOME_NET any -> [79.127.57.43] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282251; rev:1;) alert tcp $HOME_NET any -> [69.163.33.84] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282250; rev:1;) alert tcp $HOME_NET any -> [60.52.64.122] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282249; rev:1;) alert tcp $HOME_NET any -> [45.56.79.249] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282247; rev:1;) alert tcp $HOME_NET any -> [42.190.4.92] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282246; rev:1;) alert tcp $HOME_NET any -> [220.241.38.226] 50000 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282244; rev:1;) alert tcp $HOME_NET any -> [41.75.135.93] 7080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282245; rev:1;) alert tcp $HOME_NET any -> [207.154.204.40] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282243/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282243; rev:1;) alert tcp $HOME_NET any -> [201.190.133.235] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282241; rev:1;) alert tcp $HOME_NET any -> [201.213.32.59] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282242/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282242; rev:1;) alert tcp 
$HOME_NET any -> [200.113.106.18] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282239; rev:1;) alert tcp $HOME_NET any -> [200.58.83.179] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282240; rev:1;) alert tcp $HOME_NET any -> [190.96.118.15] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282238/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282238; rev:1;) alert tcp $HOME_NET any -> [190.79.228.89] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282237; rev:1;) alert tcp $HOME_NET any -> [190.217.1.149] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282236/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282236; rev:1;) alert tcp $HOME_NET any -> [190.182.161.7] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282234/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282234; rev:1;) alert tcp $HOME_NET any -> [190.210.184.138] 995 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282235/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282235; rev:1;) alert tcp $HOME_NET any -> [190.146.131.105] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282233; rev:1;) alert tcp $HOME_NET any -> [190.120.104.21] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282232; rev:1;) alert tcp $HOME_NET any -> [187.131.128.238] 50000 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282231; rev:1;) alert tcp $HOME_NET any -> [186.23.132.93] 990 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282230; rev:1;) alert tcp $HOME_NET any -> [181.16.17.210] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282229; rev:1;) alert tcp $HOME_NET any -> [181.135.153.203] 443 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282228; rev:1;) alert tcp $HOME_NET any -> [170.130.31.177] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282227; rev:1;) alert tcp $HOME_NET any -> [163.172.40.218] 7080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282226; rev:1;) alert tcp $HOME_NET any -> [144.139.158.155] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282225; rev:1;) alert tcp $HOME_NET any -> [142.93.114.137] 8080 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282224; rev:1;) alert tcp $HOME_NET any -> [111.119.233.65] 80 
(msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_06; classtype:trojan-activity; sid:91282223; rev:1;) alert tcp $HOME_NET any -> [103.114.107.28] 80 (msg:"ThreatFox Oski Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_06; classtype:trojan-activity; sid:91282218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"174.140.171.178"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.51.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"216.119.142.158"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282214/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91282214; rev:1;)
# NOTE(review): every url rule here pins http.method to GET and requires the Host header to be exactly the listed
# value (content + depth:N + isdataat:!1,relative), so a request with a ":port" suffix or a "www." prefix on the
# Host header does not match (the feed lists "faradaxa.com" and "www.faradaxa.com" as separate rules for that
# reason). Stealer-panel gate.php check-ins are commonly POST requests, so a GET-only rule may never see the
# actual upload; a companion rule without the method constraint (or with content:"POST") is worth considering
# for the gate.php entries.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mbb/foolishtrump/paneltwotwo/gate.php"; depth:38; nocase; http.host; content:"accsandalye.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trip/gate.php"; depth:14; nocase; http.host; content:"rhombus-rolen.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282211; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"5.39.15.199"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282212; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"213.155.112.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"biledroben.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"usviktory.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"200.72.183.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/exuss14rwww.php"; depth:16; nocase; http.host; content:"shiftcontrol.biz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; 
http.host; content:"syracuseporsche.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mayor/gate.php"; depth:15; nocase; http.host; content:"accexx.space"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"216.52.143.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fav/gate.php"; depth:13; nocase; http.host; content:"co58724.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abukh/cpanels/panel/gate.php"; depth:29; nocase; http.host; content:"www.stritaschools.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282202/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ero.php"; depth:8; nocase; http.host; content:"flexyin.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"174.140.163.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wish/panel/gate.php"; depth:20; nocase; http.host; content:"banizeusz.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"184.154.70.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282199; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponychin/gate.php"; depth:18; nocase; http.host; content:"69.194.196.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db/p/gate.php"; depth:14; nocase; http.host; content:"hivamusic.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/wergwrg3gwer"; depth:23; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"spna.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pony/gate.php"; depth:14; nocase; http.host; content:"kpresident.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/css/panel/gate.php"; depth:31; nocase; http.host; content:"tcoolonline.mobi"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buky/gate.php"; depth:14; nocase; http.host; content:"engrseltevs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xm/coreserver/gate.php"; depth:23; nocase; http.host; content:"handtmann-de.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"semtly.com"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"sofharrefen.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"salesxpert.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"64.85.169.189"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/office/gate.php"; depth:16; nocase; http.host; content:"webgozar.win"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282185; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"sp-co.cf"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghhg/mypage/gate.php"; depth:21; nocase; http.host; content:"faradaxa.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"95.154.250.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"192.241.130.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
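http.method; content:"GET"; http.uri; content:"/wp/wp_nows/gate.php"; depth:20; nocase; http.host; content:"vs-t.eu.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"whitesnowpussy.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282179; rev:1;)
# NOTE(review): sid 91282180 was generated from the malformed IOC URL "htttp://easybrands.ml/lorenz/web/gate.php".
# The scheme typo made the generator emit http.host content "htttp" and a URI starting with "//easybrands.ml",
# which no real request carries, so the rule could never fire. Host and path below are taken from that same
# URL (depth values equal the content lengths, as in the rest of the feed) and rev is bumped to 2. Confirm the
# indicator against the ThreatFox reference before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lorenz/web/gate.php"; depth:20; nocase; http.host; content:"easybrands.ml"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282180; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"topprofessionalphotographer.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; 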
content:"50.56.223.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dome/mega/gate.php"; depth:19; nocase; http.host; content:"overider.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mw/p/gate.php"; depth:14; nocase; http.host; content:"dapurslkm.co.id"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"74.91.112.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo/panelnew/gate.php"; depth:21; nocase; http.host; content:"mci-consultant.id"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282169/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"fouseevenghedt.ru"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kz/panel/gate.php"; depth:18; nocase; http.host; content:"seganag.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"uksonlinedating.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/light/admin/gate.php"; depth:21; nocase; http.host; content:"cm02584.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sweed/gate.php"; depth:15; nocase; http.host; content:"sweed-viki.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chuksgoogle/gate.php"; depth:21; nocase; http.host; content:"acgfinancial.gq"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/gate.php"; depth:13; nocase; http.host; content:"genic-enterprises.website"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ero.php"; depth:8; nocase; http.host; content:"ctasyus.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/sy/test/gate.php"; depth:17; nocase; http.host; content:"inmrvogurin.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/insane/head.php"; depth:16; nocase; http.host; content:"184.82.133.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghhg/mypage/gate.php"; depth:21; nocase; http.host; content:"www.faradaxa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"174.140.171.147"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eze/panelnew/gate.php"; depth:22; nocase; http.host; content:"209.222.110.181"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"21.harnessingsystems.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"21.multiplexvehiclesystems.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k/panelnew/gate.php"; depth:20; nocase; http.host; content:"clubdemadrespompiglos.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fend/bolt/gate.php"; depth:19; nocase; http.host; content:"sandstrucks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282154/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91282154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web-content/log/log/file/gate.php"; depth:34; nocase; http.host; content:"www.janabaalicheck.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dee/gate.php"; depth:13; nocase; http.host; content:"grnthost.icu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"212.58.15.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"zelia.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
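traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xc/panel/gate.php"; depth:18; nocase; http.host; content:"xdrppped.com.ng"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nedum/gate.php"; depth:15; nocase; http.host; content:"hawkresultbox.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282152; rev:1;)
# NOTE(review): sid 91282145 as generated matched http.host "rhttp" with http.uri "//zjgcdab5.beget.tech/panel/path/gate.php" (depth 41 = 2 + 19 + 20), i.e. the submitted URL was split at the scheme instead of the authority. A Host header of "rhttp" never occurs in real traffic, so the rule was dead. Host and URI are restored from the mis-split literal and rev bumped; confirm against threatfox.abuse.ch/ioc/1282145/ before deploying.
# NOTE(review): this feed pins http.method to GET for every gate.php panel URL; check-ins to such panels are often POST, so a GET-only rule may miss the actual C2 traffic. Confirm the method against the referenced IOC / sample before relying on these rules for C2 detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/path/gate.php"; depth:20; nocase; http.host; content:"zjgcdab5.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282145; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/img/png/panelx/gate.php"; depth:31; nocase; http.host; content:"grupoalfra.cl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 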
content:"/awumen/panel/gate.php"; depth:22; nocase; http.host; content:"sp-co.cf"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"seosuccess.net16.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"212.58.15.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"mocnid.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"heshedhowpa.ru"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"213.155.112.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setupslyp/setupslyp/gate.php"; depth:29; nocase; http.host; content:"gamestoredownload.download"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apple/server/gate.php"; depth:22; nocase; http.host; content:"successoryzones.biz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/z/pony/panel/gate.php"; depth:22; nocase; http.host; content:"guata.com.br"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91282138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/jnt/panel/gate.php"; depth:24; nocase; http.host; content:"empireacoustical.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bubu/gate.php"; depth:14; nocase; http.host; content:"kosii.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/panel/gate.php"; depth:28; nocase; http.host; content:"krungonline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/setupcrossp/setupcrossp/gate.php"; depth:33; nocase; http.host; content:"gamestoredownload.download"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bit/panel/gate.php"; depth:19; nocase; http.host; content:"leatherbulletin.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"bullonthewall.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/paul-20june-20july/gate.php"; depth:33; nocase; http.host; content:"libertize.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pond/gate.php"; depth:14; nocase; http.host; content:"whitey.comlu.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"212.58.15.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"siteseoguide.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/id3/panel/gate.php"; depth:31; nocase; http.host; content:"www.tcoolonline.mobi"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"monkey.5bello.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"e3pos.com"; depth:9; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lovenow/eng/gate.php"; depth:21; nocase; http.host; content:"microsoftoutlook.ga"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tola/gate.php"; depth:14; nocase; http.host; content:"tolain.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nonso/gate.php"; depth:15; nocase; http.host; content:"mitsumidistrlbution.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"199.59.56.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91282123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/gate.php"; depth:16; nocase; http.host; content:"ukaytrades.tk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/by/back/gate.php"; depth:17; nocase; http.host; content:"4maat.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marlon/wossy.php"; depth:17; nocase; http.host; content:"185.11.146.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fanta/panel/gate.php"; depth:21; nocase; http.host; content:"updateguru.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rector/gate.php"; depth:16; nocase; http.host; content:"tekinkgroup.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"dlhrecording.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"tertpertoru.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/uploads/tony/panel/gate.php"; depth:42; nocase; http.host; content:"mammerzo.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony2/gate.php"; depth:15; nocase; 
http.host; content:"iwillmakeitbigtime.cf"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/nef9ihsvidvghdikn.php"; depth:27; nocase; http.host; content:"ns8iafosjnfuihkcnidkl.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"tradelinkengineering.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~admin/maindomainkid009_net/ajuk/fire/gate.php"; depth:47; nocase; http.host; content:"45.58.116.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"83.174.131.142"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/sima/eng/gate.php"; depth:35; nocase; http.host; content:"s67884.smrtp.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/gate.php"; depth:11; nocase; http.host; content:"zpanel123.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"palitosdepan.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blininfo/temp/gate.php"; depth:24; nocase; http.host; content:"139.99.8.218"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91282103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~catchusnot/panel/gate.php"; depth:27; nocase; http.host; content:"199.192.25.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/way/like.php"; depth:13; nocase; http.host; content:"bdhkmts.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5101fcf84/vsdfb45wret"; depth:22; nocase; http.host; content:"5.135.8.71"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/rebhg542"; depth:19; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
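flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/pony/mac.php"; depth:16; nocase; http.host; content:"ponyls.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pn1/gate.php"; depth:13; nocase; http.host; content:"productmetro.club"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dp/adm/adm1/gate.php"; depth:21; nocase; http.host; content:"whizzpackage.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"christojati.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282093; rev:1;)
# NOTE(review): sid 91282094 as generated matched http.host "http" with http.uri "//zjgcdab5.beget.tech/panel/gate.php" (depth 36 = 2 + 19 + 15), i.e. the submitted URL was split at a leftover scheme instead of the authority. A Host header of "http" never occurs in real traffic, so the rule was dead. Host and URI are restored from the mis-split literal and rev bumped; confirm against threatfox.abuse.ch/ioc/1282094/ before deploying.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"zjgcdab5.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282094; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"199.71.212.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/file/panel/gate.php"; depth:20; nocase; http.host; content:"www.funfreecasinogames.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282096; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/css/site-logo/gate.php"; depth:30; nocase; http.host; content:"clinique-sainte-marie.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282089; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5101fcf84/43ggewvefbwerg"; depth:25; nocase; http.host; content:"5.135.8.71"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282090/; 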
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/panel/gate.php"; depth:19; nocase; http.host; content:"szevargrows.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tiny/lele/gate.php"; depth:19; nocase; http.host; content:"minddosentshe.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/pony/mac.php"; depth:16; nocase; http.host; content:"fipony.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/werghw45gwe"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282086; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"rohironrof.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/way/like.php"; depth:13; nocase; http.host; content:"bdujyr.pw"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"64.85.169.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/buch-a2/gate.php"; depth:17; nocase; http.host; content:"untablesix.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-admin/network/anyipanelnew/gate.php"; depth:39; nocase; http.host; content:"detailingpro.co.in"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/brgn424t235"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bd7d5194/wert34g45ht"; depth:22; nocase; http.host; content:"209.236.67.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/panel/gate.php"; depth:20; nocase; http.host; content:"spokengezraee.idv.am"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/valopsy/gate.php"; depth:17; nocase; http.host; content:"kenthalls.com"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"62.112.130.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moneylong/benzes/gate.php"; depth:26; nocase; http.host; content:"cb94336.tmweb.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"ethostraining.es"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"119.110.72.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282075/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91282075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cms/old2/gate.php"; depth:18; nocase; http.host; content:"topratesforextoyou.biz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.59.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"donsnookie.club"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifamandiebyaccident/gate.php"; depth:29; nocase; http.host; content:"gregorian.club"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fif/gate.php"; depth:13; nocase; http.host; content:"theonlygoodman.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/water/panelnew/gate.php"; depth:24; nocase; http.host; content:"balsamar.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/333.cab"; depth:8; nocase; http.host; content:"www.van-der-leest.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pony/gate.php"; depth:14; nocase; http.host; content:"108.178.59.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lorenz/gate.php"; 
depth:16; nocase; http.host; content:"easybrands.ml"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-includes/images/media/office/microsoft/gate.php"; depth:61; nocase; http.host; content:"simdisposable.info"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marlon/gate.php"; depth:16; nocase; http.host; content:"185.11.146.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/gate.php"; depth:13; nocase; http.host; content:"mdi-pk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/gate.php"; depth:15; nocase; http.host; content:"cryodiffusion.cf"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1282060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beef/sult/gate.php"; depth:19; nocase; http.host; content:"anixtier.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1282061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282061; rev:1;) alert tcp $HOME_NET any -> [185.132.53.236] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282059; rev:1;) alert tcp $HOME_NET any -> [104.248.151.229] 16164 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282056; rev:1;) alert tcp $HOME_NET any -> [173.82.168.101] 8031 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282057; rev:1;) alert tcp $HOME_NET any -> [185.62.188.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91282058; rev:1;) alert tcp $HOME_NET any -> [54.39.126.228] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282053; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 53800 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282054; rev:1;) alert tcp $HOME_NET any -> [51.68.65.174] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282055; rev:1;) alert tcp $HOME_NET any -> [178.62.21.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282051; rev:1;) alert tcp $HOME_NET any -> [185.101.105.185] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282052; rev:1;) alert tcp $HOME_NET any -> [205.185.118.175] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1282048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282048; rev:1;) alert tcp $HOME_NET any -> [104.168.171.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282049; rev:1;) alert tcp $HOME_NET any -> [139.59.11.206] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282050; rev:1;) alert tcp $HOME_NET any -> [204.48.16.27] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282044; rev:1;) alert tcp $HOME_NET any -> [104.244.77.163] 311 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282045; rev:1;) alert tcp $HOME_NET any -> [159.65.91.172] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282046; rev:1;) alert tcp $HOME_NET any -> [139.59.41.236] 666 (msg:"ThreatFox Bashlite 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282047; rev:1;) alert tcp $HOME_NET any -> [45.95.168.127] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282041; rev:1;) alert tcp $HOME_NET any -> [107.172.196.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282042; rev:1;) alert tcp $HOME_NET any -> [45.95.147.69] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282043; rev:1;) alert tcp $HOME_NET any -> [159.203.160.13] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282039; rev:1;) alert tcp $HOME_NET any -> [102.165.50.10] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91282040; rev:1;) alert tcp $HOME_NET any -> [149.56.228.32] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282036; rev:1;) alert tcp $HOME_NET any -> [185.244.25.154] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282037; rev:1;) alert tcp $HOME_NET any -> [104.244.77.52] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282038; rev:1;) alert tcp $HOME_NET any -> [185.132.53.64] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282033; rev:1;) alert tcp $HOME_NET any -> [185.244.25.133] 45 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282034; rev:1;) alert tcp $HOME_NET any -> [50.115.174.106] 61234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1282035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282035; rev:1;) alert tcp $HOME_NET any -> [185.11.146.237] 3301 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282030; rev:1;) alert tcp $HOME_NET any -> [80.211.184.72] 500 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282031; rev:1;) alert tcp $HOME_NET any -> [185.244.25.248] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282032; rev:1;) alert tcp $HOME_NET any -> [66.172.33.195] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282027; rev:1;) alert tcp $HOME_NET any -> [188.166.58.42] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282028; rev:1;) alert tcp $HOME_NET any -> [94.242.58.245] 48263 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282029; rev:1;) alert tcp $HOME_NET any -> [155.138.221.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282024; rev:1;) alert tcp $HOME_NET any -> [158.69.57.188] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282025; rev:1;) alert tcp $HOME_NET any -> [104.168.141.144] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282026; rev:1;) alert tcp $HOME_NET any -> [178.62.243.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282021; rev:1;) alert tcp $HOME_NET any -> [185.222.202.68] 22922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282022/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91282022; rev:1;) alert tcp $HOME_NET any -> [209.141.40.185] 794 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282023; rev:1;) alert tcp $HOME_NET any -> [193.35.18.187] 64599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282018; rev:1;) alert tcp $HOME_NET any -> [176.32.33.134] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282019; rev:1;) alert tcp $HOME_NET any -> [142.93.119.170] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282020; rev:1;) alert tcp $HOME_NET any -> [198.23.137.142] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282016; rev:1;) alert tcp $HOME_NET any -> [23.95.225.127] 6967 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282017; rev:1;) alert tcp $HOME_NET any -> [192.3.131.30] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282013; rev:1;) alert tcp $HOME_NET any -> [31.192.106.250] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282014; rev:1;) alert tcp $HOME_NET any -> [194.156.120.5] 879 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282015; rev:1;) alert tcp $HOME_NET any -> [185.101.105.173] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282011; rev:1;) alert tcp $HOME_NET any -> [185.112.248.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282012; rev:1;) alert tcp $HOME_NET any -> [167.71.184.8] 666 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282008; rev:1;) alert tcp $HOME_NET any -> [164.68.115.166] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282009; rev:1;) alert tcp $HOME_NET any -> [95.123.85.55] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282010; rev:1;) alert tcp $HOME_NET any -> [185.101.107.127] 645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282005; rev:1;) alert tcp $HOME_NET any -> [80.87.206.123] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282006; rev:1;) alert tcp $HOME_NET any -> [206.189.69.103] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282007/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91282007; rev:1;) alert tcp $HOME_NET any -> [185.244.25.73] 81 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282003; rev:1;) alert tcp $HOME_NET any -> [198.12.97.71] 8899 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282004; rev:1;) alert tcp $HOME_NET any -> [46.29.164.240] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282000; rev:1;) alert tcp $HOME_NET any -> [91.196.149.73] 766 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282001; rev:1;) alert tcp $HOME_NET any -> [185.112.249.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1282002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91282002; rev:1;) alert tcp $HOME_NET any -> [134.122.113.143] 6982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281997; rev:1;) alert tcp $HOME_NET any -> [107.173.114.24] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281998; rev:1;) alert tcp $HOME_NET any -> [192.119.66.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281999; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6543 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281993; rev:1;) alert tcp $HOME_NET any -> [89.34.26.152] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281994; rev:1;) alert tcp $HOME_NET any -> [93.123.85.78] 55 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281995; rev:1;) alert tcp $HOME_NET any -> [87.120.254.160] 100 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281996; rev:1;) alert tcp $HOME_NET any -> [198.27.127.44] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281991; rev:1;) alert tcp $HOME_NET any -> [46.17.45.226] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281992; rev:1;) alert tcp $HOME_NET any -> [93.123.85.88] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281988; rev:1;) alert tcp $HOME_NET any -> [167.99.231.107] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281989; rev:1;) alert tcp $HOME_NET any -> [185.101.105.129] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281990/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281990; rev:1;) alert tcp $HOME_NET any -> [198.199.84.119] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281986; rev:1;) alert tcp $HOME_NET any -> [185.244.25.165] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281987; rev:1;) alert tcp $HOME_NET any -> [45.76.83.37] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281983; rev:1;) alert tcp $HOME_NET any -> [159.65.227.17] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281984; rev:1;) alert tcp $HOME_NET any -> [45.92.108.35] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281985; rev:1;) alert tcp $HOME_NET any -> [165.22.85.252] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281980; rev:1;) alert tcp $HOME_NET any -> [103.109.37.185] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281981; rev:1;) alert tcp $HOME_NET any -> [46.29.167.240] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281982; rev:1;) alert tcp $HOME_NET any -> [46.17.45.73] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281977; rev:1;) alert tcp $HOME_NET any -> [185.158.248.87] 58380 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281978; rev:1;) alert tcp $HOME_NET any -> [108.174.197.102] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281979; rev:1;) alert tcp $HOME_NET any -> [185.172.110.206] 
23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281974; rev:1;) alert tcp $HOME_NET any -> [162.144.64.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281975; rev:1;) alert tcp $HOME_NET any -> [46.29.163.124] 51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281976; rev:1;) alert tcp $HOME_NET any -> [94.103.124.162] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281971; rev:1;) alert tcp $HOME_NET any -> [176.123.26.89] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281972; rev:1;) alert tcp $HOME_NET any -> [142.93.130.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281973/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281973; rev:1;) alert tcp $HOME_NET any -> [80.211.70.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281968; rev:1;) alert tcp $HOME_NET any -> [68.183.75.210] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281969; rev:1;) alert tcp $HOME_NET any -> [209.141.48.138] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281970; rev:1;) alert tcp $HOME_NET any -> [138.68.40.36] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281965; rev:1;) alert tcp $HOME_NET any -> [46.29.164.240] 6577 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281966; rev:1;) alert tcp $HOME_NET any -> [142.93.178.226] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281967; rev:1;) alert tcp $HOME_NET any -> [192.227.131.125] 31392 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281962; rev:1;) alert tcp $HOME_NET any -> [198.167.140.148] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281963; rev:1;) alert tcp $HOME_NET any -> [192.241.128.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281964; rev:1;) alert tcp $HOME_NET any -> [46.166.185.161] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281959; rev:1;) alert tcp $HOME_NET any -> [159.203.108.157] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281960; rev:1;) alert tcp $HOME_NET any -> 
[209.141.55.254] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281961; rev:1;) alert tcp $HOME_NET any -> [159.69.156.219] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281956; rev:1;) alert tcp $HOME_NET any -> [51.81.0.241] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281957; rev:1;) alert tcp $HOME_NET any -> [185.212.47.32] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281958; rev:1;) alert tcp $HOME_NET any -> [77.73.69.13] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281954; rev:1;) alert tcp $HOME_NET any -> [185.244.25.110] 1098 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281955/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281955; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 17737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281951; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281952; rev:1;) alert tcp $HOME_NET any -> [37.49.230.53] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281953; rev:1;) alert tcp $HOME_NET any -> [212.237.58.51] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281948; rev:1;) alert tcp $HOME_NET any -> [46.17.43.203] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281949; rev:1;) alert tcp $HOME_NET any -> [45.145.42.90] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281950; rev:1;) alert tcp $HOME_NET any -> [158.69.217.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281945; rev:1;) alert tcp $HOME_NET any -> [142.11.215.254] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281946; rev:1;) alert tcp $HOME_NET any -> [94.156.144.79] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281947; rev:1;) alert tcp $HOME_NET any -> [209.141.59.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281942; rev:1;) alert tcp $HOME_NET any -> [51.79.55.3] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281943; rev:1;) alert tcp $HOME_NET any -> 
[157.230.173.29] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281944; rev:1;) alert tcp $HOME_NET any -> [46.29.167.53] 27 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281939; rev:1;) alert tcp $HOME_NET any -> [192.99.167.213] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281940; rev:1;) alert tcp $HOME_NET any -> [107.172.195.181] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281941; rev:1;) alert tcp $HOME_NET any -> [199.38.243.9] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281936; rev:1;) alert tcp $HOME_NET any -> [107.175.240.121] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281937/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281937; rev:1;) alert tcp $HOME_NET any -> [185.244.25.216] 8052 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281938; rev:1;) alert tcp $HOME_NET any -> [185.35.138.173] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281933; rev:1;) alert tcp $HOME_NET any -> [68.183.126.172] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281934; rev:1;) alert tcp $HOME_NET any -> [185.244.25.92] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281935; rev:1;) alert tcp $HOME_NET any -> [174.138.53.91] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281931; rev:1;) alert tcp $HOME_NET any -> [51.254.176.77] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281932; rev:1;) alert tcp $HOME_NET any -> [94.177.187.66] 38883 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281928; rev:1;) alert tcp $HOME_NET any -> [94.156.79.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281929; rev:1;) alert tcp $HOME_NET any -> [185.244.25.145] 840 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281930; rev:1;) alert tcp $HOME_NET any -> [68.183.156.139] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281925; rev:1;) alert tcp $HOME_NET any -> [45.95.147.24] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281926; rev:1;) alert tcp $HOME_NET any 
-> [71.19.148.92] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281927; rev:1;) alert tcp $HOME_NET any -> [157.230.62.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281922; rev:1;) alert tcp $HOME_NET any -> [134.209.13.51] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281923; rev:1;) alert tcp $HOME_NET any -> [146.71.76.136] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281924; rev:1;) alert tcp $HOME_NET any -> [178.128.43.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281919; rev:1;) alert tcp $HOME_NET any -> [107.182.225.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281920/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281920; rev:1;) alert tcp $HOME_NET any -> [51.79.55.3] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281921; rev:1;) alert tcp $HOME_NET any -> [142.11.212.47] 808 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281916; rev:1;) alert tcp $HOME_NET any -> [205.185.121.51] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281917; rev:1;) alert tcp $HOME_NET any -> [172.98.199.121] 64 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281918; rev:1;) alert tcp $HOME_NET any -> [46.29.166.33] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281913; rev:1;) alert tcp $HOME_NET any -> [87.236.212.240] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281914; rev:1;) alert tcp $HOME_NET any -> [217.61.16.74] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281915; rev:1;) alert tcp $HOME_NET any -> [194.147.32.206] 505 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281910; rev:1;) alert tcp $HOME_NET any -> [94.156.71.205] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281911; rev:1;) alert tcp $HOME_NET any -> [178.128.109.190] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281912; rev:1;) alert tcp $HOME_NET any -> [107.172.141.115] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281906; rev:1;) alert tcp $HOME_NET any -> 
[107.175.17.147] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281907; rev:1;) alert tcp $HOME_NET any -> [178.62.109.206] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281908; rev:1;) alert tcp $HOME_NET any -> [45.128.232.215] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281909; rev:1;) alert tcp $HOME_NET any -> [172.245.52.170] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281903; rev:1;) alert tcp $HOME_NET any -> [194.37.82.252] 281 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281904; rev:1;) alert tcp $HOME_NET any -> [138.197.215.81] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281905/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281905; rev:1;) alert tcp $HOME_NET any -> [185.244.25.109] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281900; rev:1;) alert tcp $HOME_NET any -> [209.141.50.57] 3312 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281901; rev:1;) alert tcp $HOME_NET any -> [206.189.131.31] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281902; rev:1;) alert tcp $HOME_NET any -> [209.141.56.13] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281897; rev:1;) alert tcp $HOME_NET any -> [142.93.102.204] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281898; rev:1;) alert tcp $HOME_NET any -> [107.174.13.128] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281899; rev:1;) alert tcp $HOME_NET any -> [165.227.68.28] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281895; rev:1;) alert tcp $HOME_NET any -> [112.213.32.109] 46216 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281896; rev:1;) alert tcp $HOME_NET any -> [195.231.4.214] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281892; rev:1;) alert tcp $HOME_NET any -> [185.244.25.229] 8013 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281893; rev:1;) alert tcp $HOME_NET any -> [178.33.181.19] 850 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281894; rev:1;) alert tcp $HOME_NET any -> 
[104.207.130.67] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281889; rev:1;) alert tcp $HOME_NET any -> [185.22.154.112] 917 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281890; rev:1;) alert tcp $HOME_NET any -> [68.183.147.224] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281891; rev:1;) alert tcp $HOME_NET any -> [178.62.67.250] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281887; rev:1;) alert tcp $HOME_NET any -> [185.132.53.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281888; rev:1;) alert tcp $HOME_NET any -> [178.128.7.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281884/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281884; rev:1;) alert tcp $HOME_NET any -> [185.244.25.111] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281885; rev:1;) alert tcp $HOME_NET any -> [207.154.220.45] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281886; rev:1;) alert tcp $HOME_NET any -> [142.11.212.167] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281881; rev:1;) alert tcp $HOME_NET any -> [103.214.6.199] 36363 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281882; rev:1;) alert tcp $HOME_NET any -> [185.17.27.112] 57162 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281883; rev:1;) alert tcp $HOME_NET any -> [194.147.35.56] 29 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281879; rev:1;) alert tcp $HOME_NET any -> [23.254.215.52] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281880; rev:1;) alert tcp $HOME_NET any -> [85.239.34.70] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281876; rev:1;) alert tcp $HOME_NET any -> [80.211.6.4] 53883 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281877; rev:1;) alert tcp $HOME_NET any -> [5.196.159.52] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281878; rev:1;) alert tcp $HOME_NET any -> [103.60.13.195] 7070 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281873; rev:1;) alert tcp $HOME_NET any -> 
[206.189.167.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281874; rev:1;) alert tcp $HOME_NET any -> [157.230.152.211] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281875; rev:1;) alert tcp $HOME_NET any -> [2.57.122.214] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281870; rev:1;) alert tcp $HOME_NET any -> [134.209.125.4] 1352 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281871; rev:1;) alert tcp $HOME_NET any -> [23.160.193.184] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281872; rev:1;) alert tcp $HOME_NET any -> [51.91.111.198] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281867/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281867; rev:1;) alert tcp $HOME_NET any -> [107.172.248.172] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281868; rev:1;) alert tcp $HOME_NET any -> [185.244.25.216] 1946 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281869; rev:1;) alert tcp $HOME_NET any -> [85.204.116.232] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281864; rev:1;) alert tcp $HOME_NET any -> [167.99.154.195] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281865; rev:1;) alert tcp $HOME_NET any -> [188.138.100.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281866; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281861; rev:1;) alert tcp $HOME_NET any -> [198.46.160.136] 99 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281862; rev:1;) alert tcp $HOME_NET any -> [45.95.168.149] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281863; rev:1;) alert tcp $HOME_NET any -> [168.235.103.65] 691 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281858; rev:1;) alert tcp $HOME_NET any -> [138.197.1.64] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281859; rev:1;) alert tcp $HOME_NET any -> [80.211.82.185] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281860; rev:1;) alert tcp 
$HOME_NET any -> [78.128.114.66] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281855; rev:1;) alert tcp $HOME_NET any -> [185.101.105.129] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281856; rev:1;) alert tcp $HOME_NET any -> [80.211.59.125] 424 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281857; rev:1;) alert tcp $HOME_NET any -> [104.244.76.190] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281851; rev:1;) alert tcp $HOME_NET any -> [185.83.215.73] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281852; rev:1;) alert tcp $HOME_NET any -> [173.82.168.101] 88 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281853/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281853; rev:1;) alert tcp $HOME_NET any -> [54.39.151.1] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281854; rev:1;) alert tcp $HOME_NET any -> [185.132.53.213] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281849; rev:1;) alert tcp $HOME_NET any -> [161.97.162.103] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281850; rev:1;) alert tcp $HOME_NET any -> [80.211.172.24] 818 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281846; rev:1;) alert tcp $HOME_NET any -> [80.211.48.128] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281847; rev:1;) alert tcp $HOME_NET any -> [172.105.36.168] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281848; rev:1;) alert tcp $HOME_NET any -> [104.168.102.194] 787 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281843; rev:1;) alert tcp $HOME_NET any -> [46.166.151.88] 432 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281844; rev:1;) alert tcp $HOME_NET any -> [142.93.188.49] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281845; rev:1;) alert tcp $HOME_NET any -> [205.185.124.211] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281840; rev:1;) alert tcp $HOME_NET any -> [23.94.70.112] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281841; rev:1;) 
alert tcp $HOME_NET any -> [37.49.230.130] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281842; rev:1;) alert tcp $HOME_NET any -> [149.91.89.105] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281838; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 115 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281839; rev:1;) alert tcp $HOME_NET any -> [84.54.49.50] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281834; rev:1;) alert tcp $HOME_NET any -> [66.172.11.120] 45645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281835; rev:1;) alert tcp $HOME_NET any -> [45.129.3.105] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281836/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281836; rev:1;) alert tcp $HOME_NET any -> [68.183.28.70] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281831; rev:1;) alert tcp $HOME_NET any -> [31.210.20.69] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281832; rev:1;) alert tcp $HOME_NET any -> [139.59.215.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281833; rev:1;) alert tcp $HOME_NET any -> [104.168.57.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281828; rev:1;) alert tcp $HOME_NET any -> [68.183.26.74] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281829; rev:1;) alert tcp $HOME_NET any -> [68.183.47.77] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281830; rev:1;) alert tcp $HOME_NET any -> [89.34.26.123] 576 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281825; rev:1;) alert tcp $HOME_NET any -> [83.97.20.165] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281826; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 10293 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281827; rev:1;) alert tcp $HOME_NET any -> [94.177.238.164] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281822; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6700 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281823; rev:1;) 
alert tcp $HOME_NET any -> [62.171.138.253] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281824; rev:1;) alert tcp $HOME_NET any -> [104.248.32.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281819; rev:1;) alert tcp $HOME_NET any -> [167.99.202.160] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281820; rev:1;) alert tcp $HOME_NET any -> [157.230.50.242] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281821; rev:1;) alert tcp $HOME_NET any -> [54.38.213.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281816; rev:1;) alert tcp $HOME_NET any -> [192.241.144.221] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281817/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281817; rev:1;) alert tcp $HOME_NET any -> [107.172.89.15] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281818; rev:1;) alert tcp $HOME_NET any -> [78.142.19.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281813; rev:1;) alert tcp $HOME_NET any -> [45.128.232.2] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281814; rev:1;) alert tcp $HOME_NET any -> [51.75.74.22] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281815; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 42630 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281810; rev:1;) alert tcp $HOME_NET any -> [178.128.177.162] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281811; rev:1;) alert tcp $HOME_NET any -> [80.211.172.24] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281812; rev:1;) alert tcp $HOME_NET any -> [178.33.181.23] 3731 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281806; rev:1;) alert tcp $HOME_NET any -> [185.132.53.128] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281807; rev:1;) alert tcp $HOME_NET any -> [54.37.44.67] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281808; rev:1;) alert tcp $HOME_NET any -> [91.134.252.221] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281809; rev:1;) 
#
# --- Review notes on the Bashlite ip:port C2 rules that follow ---
#
# What these rules match: any TCP packet sent from $HOME_NET to the listed
# C2 IP:port. Unlike the HTTP payload-delivery rules earlier in this file,
# they carry no flow:established / to_server and no content match, so a
# single outbound SYN that is never answered (a scan, a dead C2, a retry
# loop) is enough to fire. An alert here means "an internal host tried to
# reach this ip:port", not "a C2 session was established" -- confirm with
# the flow record (packets/bytes in both directions) before escalating.
#
# threshold: type limit, track by_src, seconds 60, count 1 caps output at
# one alert per internal source address per minute; it rate-limits the
# alert, it does not suppress or disable the rule.
#
# target:src_ip marks the packet's source, i.e. the $HOME_NET side, as the
# victim, so the EVE alert.target field is the likely-infected internal
# host and alert.source is the C2.
#
# confidence_level 100 / first_seen 2024_06_05 describe the IOC as submitted
# to ThreatFox, not its state at deploy time. Several destinations use ports
# that legitimate traffic also uses (23, 443), and a number of the addresses
# look like VPS/cloud space that can be reassigned (not verified here), so
# age these rules out rather than running them indefinitely: a hit on a
# reassigned IP is a false positive this rule cannot distinguish.
#
# NOTE(review): if SYN-only noise is a problem, a local copy of a rule with
# flow:established,to_server added (and rev bumped) would only fire once the
# handshake completes. Do not edit the generated rules in place; the feed
# regenerates them and sid/rev would silently drift from the reference.
#
# Many entries below sit in 185.244.25.0/24 (.150, .228, .75, .253, .206,
# .165, .222, .174, .213, .148, .242, .212, .153, .147); a per-host rule set
# misses a new neighbour in that block, which may be worth a separate hunt.
#
# sid is the digit 9 followed by the ThreatFox IOC id from the reference URL
# (sid:91281803 <-> threatfox.abuse.ch/ioc/1281803/), so an alert can be
# looked up directly from its sid.
#
alert tcp $HOME_NET any -> [107.172.153.90] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281803; rev:1;) alert tcp $HOME_NET any -> [104.168.102.14] 58380 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281804; rev:1;) alert tcp $HOME_NET any -> [139.99.133.226] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281805; rev:1;) alert tcp $HOME_NET any -> [195.58.39.232] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281801; rev:1;) alert tcp $HOME_NET any -> [93.123.85.170] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281802; rev:1;) alert tcp $HOME_NET any -> [46.101.74.107] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1281798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281798; rev:1;) alert tcp $HOME_NET any -> [185.244.25.150] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281799; rev:1;) alert tcp $HOME_NET any -> [185.239.242.136] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281800; rev:1;) alert tcp $HOME_NET any -> [37.49.230.137] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281795; rev:1;) alert tcp $HOME_NET any -> [104.248.35.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281796; rev:1;) alert tcp $HOME_NET any -> [54.38.213.78] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281797; rev:1;) alert tcp $HOME_NET any -> [80.211.235.153] 23 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281792; rev:1;) alert tcp $HOME_NET any -> [185.244.25.228] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281793; rev:1;) alert tcp $HOME_NET any -> [45.76.4.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281794; rev:1;) alert tcp $HOME_NET any -> [51.75.160.175] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281788; rev:1;) alert tcp $HOME_NET any -> [142.93.193.198] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281789; rev:1;) alert tcp $HOME_NET any -> [104.248.113.246] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281790; rev:1;) alert tcp $HOME_NET any -> [142.11.241.222] 1859 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281791; rev:1;) alert tcp $HOME_NET any -> [205.185.113.210] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281786; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 5873 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281787; rev:1;) alert tcp $HOME_NET any -> [142.11.217.88] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281783; rev:1;) alert tcp $HOME_NET any -> [103.3.246.123] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281784; rev:1;) alert tcp $HOME_NET any -> [81.17.30.198] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1281785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281785; rev:1;) alert tcp $HOME_NET any -> [78.128.114.66] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281780; rev:1;) alert tcp $HOME_NET any -> [46.29.165.143] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281781; rev:1;) alert tcp $HOME_NET any -> [199.231.185.10] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281782; rev:1;) alert tcp $HOME_NET any -> [185.101.105.180] 4554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281778; rev:1;) alert tcp $HOME_NET any -> [185.244.25.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281779; rev:1;) alert tcp $HOME_NET any -> [80.66.88.49] 7777 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281776; rev:1;) alert tcp $HOME_NET any -> [185.244.25.206] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281777; rev:1;) alert tcp $HOME_NET any -> [173.249.51.121] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281773; rev:1;) alert tcp $HOME_NET any -> [107.173.251.132] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281774; rev:1;) alert tcp $HOME_NET any -> [68.183.99.201] 31337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281775; rev:1;) alert tcp $HOME_NET any -> [167.114.98.153] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281771/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281771; rev:1;) alert tcp $HOME_NET any -> [185.244.25.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281772; rev:1;) alert tcp $HOME_NET any -> [209.38.228.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281769; rev:1;) alert tcp $HOME_NET any -> [139.59.139.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281770; rev:1;) alert tcp $HOME_NET any -> [137.74.237.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281767; rev:1;) alert tcp $HOME_NET any -> [107.172.168.143] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281768; rev:1;) alert tcp $HOME_NET any -> [104.237.255.248] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1281766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281766; rev:1;) alert tcp $HOME_NET any -> [23.94.190.101] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281764; rev:1;) alert tcp $HOME_NET any -> [103.153.69.151] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281765; rev:1;) alert tcp $HOME_NET any -> [51.250.72.163] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281763; rev:1;) alert tcp $HOME_NET any -> [67.205.128.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281762; rev:1;) alert tcp $HOME_NET any -> [45.95.169.147] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281761; rev:1;) alert tcp $HOME_NET any -> [164.90.138.15] 666 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281759; rev:1;) alert tcp $HOME_NET any -> [165.227.72.10] 55 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281760; rev:1;) alert tcp $HOME_NET any -> [51.38.244.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281758; rev:1;) alert tcp $HOME_NET any -> [46.17.43.75] 602 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281757; rev:1;) alert tcp $HOME_NET any -> [192.3.155.10] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281756; rev:1;) alert tcp $HOME_NET any -> [192.3.155.14] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281755/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281755; rev:1;) alert tcp $HOME_NET any -> [104.248.234.122] 40 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281753; rev:1;) alert tcp $HOME_NET any -> [185.164.72.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281754; rev:1;) alert tcp $HOME_NET any -> [185.244.25.222] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281752; rev:1;) alert tcp $HOME_NET any -> [195.58.38.73] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281751; rev:1;) alert tcp $HOME_NET any -> [209.141.49.76] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281750; rev:1;) alert tcp $HOME_NET any -> [46.101.213.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1281749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281749; rev:1;) alert tcp $HOME_NET any -> [206.189.230.110] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281747; rev:1;) alert tcp $HOME_NET any -> [185.233.186.130] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281748; rev:1;) alert tcp $HOME_NET any -> [157.230.54.252] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281744; rev:1;) alert tcp $HOME_NET any -> [167.99.78.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281745; rev:1;) alert tcp $HOME_NET any -> [205.185.113.127] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281746; rev:1;) alert tcp $HOME_NET any -> [206.189.21.255] 23 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281741; rev:1;) alert tcp $HOME_NET any -> [185.244.25.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281742; rev:1;) alert tcp $HOME_NET any -> [37.49.230.112] 4789 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281743; rev:1;) alert tcp $HOME_NET any -> [51.79.71.170] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281737; rev:1;) alert tcp $HOME_NET any -> [194.182.66.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281738; rev:1;) alert tcp $HOME_NET any -> [217.147.169.56] 545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281739/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281739; rev:1;) alert tcp $HOME_NET any -> [142.93.234.128] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281740; rev:1;) alert tcp $HOME_NET any -> [51.178.225.200] 8560 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281734; rev:1;) alert tcp $HOME_NET any -> [198.98.62.146] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281735; rev:1;) alert tcp $HOME_NET any -> [107.173.114.12] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281736; rev:1;) alert tcp $HOME_NET any -> [89.34.26.149] 6963 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281731; rev:1;) alert tcp $HOME_NET any -> [142.93.134.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281732; rev:1;) alert tcp $HOME_NET any -> [78.40.117.227] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281733; rev:1;) alert tcp $HOME_NET any -> [37.44.238.66] 2342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281728; rev:1;) alert tcp $HOME_NET any -> [185.244.25.213] 51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281729; rev:1;) alert tcp $HOME_NET any -> [138.197.206.217] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281730; rev:1;) alert tcp $HOME_NET any -> [51.255.16.202] 421 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281725; rev:1;) alert tcp $HOME_NET any -> [38.39.192.14] 89 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281726; rev:1;) alert tcp $HOME_NET any -> [91.121.226.122] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281727; rev:1;) alert tcp $HOME_NET any -> [146.71.76.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281722; rev:1;) alert tcp $HOME_NET any -> [45.67.14.165] 1446 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281723; rev:1;) alert tcp $HOME_NET any -> [174.138.1.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281724; rev:1;) alert tcp $HOME_NET any -> [198.50.236.92] 212 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281719/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281719; rev:1;) alert tcp $HOME_NET any -> [45.8.159.7] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281720; rev:1;) alert tcp $HOME_NET any -> [142.11.217.230] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281721; rev:1;) alert tcp $HOME_NET any -> [99.106.146.200] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281716; rev:1;) alert tcp $HOME_NET any -> [51.79.71.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281717; rev:1;) alert tcp $HOME_NET any -> [104.248.173.96] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281718; rev:1;) alert tcp $HOME_NET any -> [45.77.207.51] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1281714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281714; rev:1;) alert tcp $HOME_NET any -> [46.101.128.74] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281715; rev:1;) alert tcp $HOME_NET any -> [171.22.25.97] 7894 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281711; rev:1;) alert tcp $HOME_NET any -> [159.65.65.255] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281712; rev:1;) alert tcp $HOME_NET any -> [93.104.209.253] 3543 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281713; rev:1;) alert tcp $HOME_NET any -> [178.128.161.0] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281709; rev:1;) alert tcp $HOME_NET any -> [23.254.224.213] 544 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281710; rev:1;) alert tcp $HOME_NET any -> [185.244.25.148] 111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281706; rev:1;) alert tcp $HOME_NET any -> [159.203.163.171] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281707; rev:1;) alert tcp $HOME_NET any -> [194.147.35.118] 333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281708; rev:1;) alert tcp $HOME_NET any -> [68.183.208.195] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281702; rev:1;) alert tcp $HOME_NET any -> [68.183.108.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281703/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281703; rev:1;) alert tcp $HOME_NET any -> [185.244.25.242] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281704; rev:1;) alert tcp $HOME_NET any -> [198.211.109.4] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281705; rev:1;) alert tcp $HOME_NET any -> [185.244.25.212] 594 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281699; rev:1;) alert tcp $HOME_NET any -> [185.244.25.153] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281700; rev:1;) alert tcp $HOME_NET any -> [103.109.37.155] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281701; rev:1;) alert tcp $HOME_NET any -> [64.227.188.134] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281696; rev:1;) alert tcp $HOME_NET any -> [31.192.106.240] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281697; rev:1;) alert tcp $HOME_NET any -> [80.211.5.210] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281698; rev:1;) alert tcp $HOME_NET any -> [37.49.224.155] 40345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281694; rev:1;) alert tcp $HOME_NET any -> [185.101.105.129] 174 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281695; rev:1;) alert tcp $HOME_NET any -> [147.135.99.147] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281691; rev:1;) alert tcp $HOME_NET any -> 
[37.49.230.233] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281692; rev:1;) alert tcp $HOME_NET any -> [192.3.41.116] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281693; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 30455 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281688; rev:1;) alert tcp $HOME_NET any -> [71.19.150.93] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281689; rev:1;) alert tcp $HOME_NET any -> [45.95.168.213] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281690; rev:1;) alert tcp $HOME_NET any -> [185.244.25.147] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281685/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281685; rev:1;) alert tcp $HOME_NET any -> [157.230.30.10] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281686; rev:1;) alert tcp $HOME_NET any -> [109.201.143.182] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281687; rev:1;) alert tcp $HOME_NET any -> [74.91.125.176] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281682; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 1148 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281683; rev:1;) alert tcp $HOME_NET any -> [206.189.167.201] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281684; rev:1;) alert tcp $HOME_NET any -> [185.196.8.143] 2737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281679; rev:1;) alert tcp $HOME_NET any -> [185.22.152.182] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281680; rev:1;) alert tcp $HOME_NET any -> [142.93.67.223] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281681; rev:1;) alert tcp $HOME_NET any -> [157.230.165.111] 2930 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281676; rev:1;) alert tcp $HOME_NET any -> [51.79.66.236] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281677; rev:1;) alert tcp $HOME_NET any -> [142.93.184.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281678; rev:1;) alert tcp 
$HOME_NET any -> [78.142.19.171] 1738 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281673; rev:1;) alert tcp $HOME_NET any -> [66.70.225.220] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281674; rev:1;) alert tcp $HOME_NET any -> [192.3.12.113] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281675; rev:1;) alert tcp $HOME_NET any -> [168.235.67.246] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281669; rev:1;) alert tcp $HOME_NET any -> [134.209.156.65] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281670; rev:1;) alert tcp $HOME_NET any -> [45.67.14.165] 4414 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281671/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281671; rev:1;) alert tcp $HOME_NET any -> [68.183.97.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281672; rev:1;) alert tcp $HOME_NET any -> [176.223.132.161] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281667; rev:1;) alert tcp $HOME_NET any -> [205.185.123.217] 998 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281668; rev:1;) alert tcp $HOME_NET any -> [185.165.29.47] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281666; rev:1;) alert tcp $HOME_NET any -> [45.84.196.253] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281664; rev:1;) alert tcp $HOME_NET any -> [91.121.226.126] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281665; rev:1;) alert tcp $HOME_NET any -> [157.90.231.69] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281660; rev:1;) alert tcp $HOME_NET any -> [134.19.188.108] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281661; rev:1;) alert tcp $HOME_NET any -> [185.244.25.123] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281662; rev:1;) alert tcp $HOME_NET any -> [94.156.79.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281663; rev:1;) alert tcp $HOME_NET any -> [209.141.50.55] 984 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281658; 
rev:1;) alert tcp $HOME_NET any -> [91.188.223.158] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281659; rev:1;) alert tcp $HOME_NET any -> [93.123.85.188] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281655; rev:1;) alert tcp $HOME_NET any -> [176.32.33.25] 818 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281656; rev:1;) alert tcp $HOME_NET any -> [192.3.182.220] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281657; rev:1;) alert tcp $HOME_NET any -> [68.183.166.199] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281652; rev:1;) alert tcp $HOME_NET any -> [89.34.26.155] 879 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1281653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281653; rev:1;) alert tcp $HOME_NET any -> [185.244.25.253] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281654; rev:1;) alert tcp $HOME_NET any -> [185.165.29.41] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281649; rev:1;) alert tcp $HOME_NET any -> [80.211.103.184] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281650; rev:1;) alert tcp $HOME_NET any -> [167.99.107.136] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281651; rev:1;) alert tcp $HOME_NET any -> [45.128.232.143] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281646; rev:1;) alert tcp $HOME_NET any -> [45.9.148.35] 23 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281647; rev:1;) alert tcp $HOME_NET any -> [142.93.46.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281648; rev:1;) alert tcp $HOME_NET any -> [157.230.91.126] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281642; rev:1;) alert tcp $HOME_NET any -> [209.97.187.164] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281643; rev:1;) alert tcp $HOME_NET any -> [80.211.91.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281644; rev:1;) alert tcp $HOME_NET any -> [185.196.9.5] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281645; rev:1;) alert tcp $HOME_NET any -> [192.236.161.84] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281639; rev:1;) alert tcp $HOME_NET any -> [51.77.213.109] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281640; rev:1;) alert tcp $HOME_NET any -> [46.101.159.88] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281641; rev:1;) alert tcp $HOME_NET any -> [185.132.53.7] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281636; rev:1;) alert tcp $HOME_NET any -> [217.182.177.96] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281637; rev:1;) alert tcp $HOME_NET any -> [46.36.40.66] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1281638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281638; rev:1;) alert tcp $HOME_NET any -> [185.244.39.147] 9005 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281633; rev:1;) alert tcp $HOME_NET any -> [142.11.214.46] 62434 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281634; rev:1;) alert tcp $HOME_NET any -> [185.244.25.211] 51029 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281635; rev:1;) alert tcp $HOME_NET any -> [46.101.63.5] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281630; rev:1;) alert tcp $HOME_NET any -> [5.2.76.197] 10476 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281631; rev:1;) alert tcp $HOME_NET any -> [120.55.76.1] 23 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281632; rev:1;) alert tcp $HOME_NET any -> [185.101.105.227] 20159 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281627; rev:1;) alert tcp $HOME_NET any -> [205.185.113.44] 6636 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281628; rev:1;) alert tcp $HOME_NET any -> [167.99.7.113] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281629; rev:1;) alert tcp $HOME_NET any -> [194.87.138.103] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281624; rev:1;) alert tcp $HOME_NET any -> [164.68.116.122] 65535 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281625/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281625; rev:1;) alert tcp $HOME_NET any -> [185.62.190.159] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281626; rev:1;) alert tcp $HOME_NET any -> [107.174.14.12] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281621; rev:1;) alert tcp $HOME_NET any -> [142.93.205.254] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281622; rev:1;) alert tcp $HOME_NET any -> [142.11.210.100] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281623; rev:1;) alert tcp $HOME_NET any -> [205.185.120.241] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281618; rev:1;) alert tcp $HOME_NET any -> [206.189.196.216] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281619; rev:1;) alert tcp $HOME_NET any -> [46.17.47.73] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281620; rev:1;) alert tcp $HOME_NET any -> [185.244.25.135] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281615; rev:1;) alert tcp $HOME_NET any -> [54.38.220.94] 50 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281616; rev:1;) alert tcp $HOME_NET any -> [134.209.172.118] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281617; rev:1;) alert tcp $HOME_NET any -> [134.209.107.87] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281612; rev:1;) alert tcp $HOME_NET any -> [46.17.40.224] 139 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281613; rev:1;) alert tcp $HOME_NET any -> [167.71.75.37] 1209 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281614; rev:1;) alert tcp $HOME_NET any -> [185.165.29.39] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281609; rev:1;) alert tcp $HOME_NET any -> [78.135.81.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281610; rev:1;) alert tcp $HOME_NET any -> [80.211.34.102] 41179 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281611; rev:1;) alert tcp $HOME_NET any -> [107.174.14.12] 1995 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281605/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91281605; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 747 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281606; rev:1;) alert tcp $HOME_NET any -> [194.15.36.31] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281607; rev:1;) alert tcp $HOME_NET any -> [157.230.175.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281608; rev:1;) alert tcp $HOME_NET any -> [185.172.110.230] 191 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281602; rev:1;) alert tcp $HOME_NET any -> [104.206.252.66] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281603; rev:1;) alert tcp $HOME_NET any -> [185.132.53.229] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281604; rev:1;) alert tcp $HOME_NET any -> [46.36.40.171] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281599; rev:1;) alert tcp $HOME_NET any -> [185.233.186.144] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281600; rev:1;) alert tcp $HOME_NET any -> [54.38.213.78] 231 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281601; rev:1;) alert tcp $HOME_NET any -> [209.141.42.145] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281596; rev:1;) alert tcp $HOME_NET any -> [79.56.208.137] 5062 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281597; rev:1;) alert tcp $HOME_NET any -> 
[206.189.183.53] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281598; rev:1;) alert tcp $HOME_NET any -> [81.4.103.152] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281593; rev:1;) alert tcp $HOME_NET any -> [147.135.76.202] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281594; rev:1;) alert tcp $HOME_NET any -> [185.101.105.164] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281595; rev:1;) alert tcp $HOME_NET any -> [67.205.154.43] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281590; rev:1;) alert tcp $HOME_NET any -> [45.32.214.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281591/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281591; rev:1;) alert tcp $HOME_NET any -> [185.244.25.242] 660 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281592; rev:1;) alert tcp $HOME_NET any -> [185.244.25.166] 341 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281586; rev:1;) alert tcp $HOME_NET any -> [188.166.62.237] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281587; rev:1;) alert tcp $HOME_NET any -> [207.154.200.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281588; rev:1;) alert tcp $HOME_NET any -> [93.123.85.101] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281589; rev:1;) alert tcp $HOME_NET any -> [167.88.161.145] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281583; rev:1;) alert tcp $HOME_NET any -> [50.115.166.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281584; rev:1;) alert tcp $HOME_NET any -> [23.254.211.250] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281585; rev:1;) alert tcp $HOME_NET any -> [185.244.30.151] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281580; rev:1;) alert tcp $HOME_NET any -> [51.68.197.215] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281581; rev:1;) alert tcp $HOME_NET any -> [165.22.69.255] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281582; rev:1;) alert tcp $HOME_NET any -> 
[185.101.105.192] 873 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281577; rev:1;) alert tcp $HOME_NET any -> [157.230.15.90] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281578; rev:1;) alert tcp $HOME_NET any -> [185.22.154.234] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281579; rev:1;) alert tcp $HOME_NET any -> [45.76.127.2] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281574; rev:1;) alert tcp $HOME_NET any -> [46.29.165.131] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281575; rev:1;) alert tcp $HOME_NET any -> [198.167.140.181] 232 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281576/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281576; rev:1;) alert tcp $HOME_NET any -> [206.189.181.143] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281571; rev:1;) alert tcp $HOME_NET any -> [14.1.29.67] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281572; rev:1;) alert tcp $HOME_NET any -> [51.68.213.103] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281573; rev:1;) alert tcp $HOME_NET any -> [194.15.36.43] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281569; rev:1;) alert tcp $HOME_NET any -> [104.248.165.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281570; rev:1;) alert tcp $HOME_NET any -> [65.21.186.30] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281566; rev:1;) alert tcp $HOME_NET any -> [199.19.224.245] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281567; rev:1;) alert tcp $HOME_NET any -> [45.95.168.156] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281568; rev:1;) alert tcp $HOME_NET any -> [185.132.53.159] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281562; rev:1;) alert tcp $HOME_NET any -> [185.101.105.233] 667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281563; rev:1;) alert tcp $HOME_NET any -> [185.172.110.214] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281564; rev:1;) alert tcp $HOME_NET any 
-> [94.156.8.9] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281565; rev:1;) alert tcp $HOME_NET any -> [206.189.180.152] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281559; rev:1;) alert tcp $HOME_NET any -> [89.46.223.213] 213 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281560; rev:1;) alert tcp $HOME_NET any -> [104.168.99.220] 1341 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281561; rev:1;) alert tcp $HOME_NET any -> [142.93.243.117] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281557; rev:1;) alert tcp $HOME_NET any -> [137.74.55.6] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281558/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281558; rev:1;) alert tcp $HOME_NET any -> [167.71.107.219] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281554; rev:1;) alert tcp $HOME_NET any -> [185.52.1.235] 4599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281555; rev:1;) alert tcp $HOME_NET any -> [165.227.221.72] 674 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281556; rev:1;) alert tcp $HOME_NET any -> [185.244.25.216] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281551; rev:1;) alert tcp $HOME_NET any -> [80.211.75.35] 1324 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281552; rev:1;) alert tcp $HOME_NET any -> [89.32.41.227] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281553; rev:1;) alert tcp $HOME_NET any -> [194.147.32.11] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281549; rev:1;) alert tcp $HOME_NET any -> [203.159.80.40] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281550; rev:1;) alert tcp $HOME_NET any -> [46.101.185.54] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281545; rev:1;) alert tcp $HOME_NET any -> [207.180.237.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281546; rev:1;) alert tcp $HOME_NET any -> [185.195.236.165] 7415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281547; rev:1;) alert tcp $HOME_NET any -> 
[68.183.79.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281548; rev:1;) alert tcp $HOME_NET any -> [185.22.152.239] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281542; rev:1;) alert tcp $HOME_NET any -> [142.93.119.243] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281543; rev:1;) alert tcp $HOME_NET any -> [46.101.15.84] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281544; rev:1;) alert tcp $HOME_NET any -> [139.59.165.167] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281539; rev:1;) alert tcp $HOME_NET any -> [216.218.192.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281540/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281540; rev:1;) alert tcp $HOME_NET any -> [185.52.1.232] 920 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281541; rev:1;) alert tcp $HOME_NET any -> [209.141.35.230] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281537; rev:1;) alert tcp $HOME_NET any -> [185.239.242.247] 33333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281538; rev:1;) alert tcp $HOME_NET any -> [107.174.144.155] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281534; rev:1;) alert tcp $HOME_NET any -> [205.185.114.87] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281535; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281536; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 993 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281531; rev:1;) alert tcp $HOME_NET any -> [209.141.49.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281532; rev:1;) alert tcp $HOME_NET any -> [142.93.251.82] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281533; rev:1;) alert tcp $HOME_NET any -> [198.211.116.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281527; rev:1;) alert tcp $HOME_NET any -> [68.183.106.233] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281528; rev:1;) alert tcp $HOME_NET any 
-> [104.244.77.36] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281529; rev:1;) alert tcp $HOME_NET any -> [159.65.80.188] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281530; rev:1;) alert tcp $HOME_NET any -> [51.75.81.238] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281524; rev:1;) alert tcp $HOME_NET any -> [45.84.196.147] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281525; rev:1;) alert tcp $HOME_NET any -> [176.32.33.134] 523 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281526; rev:1;) alert tcp $HOME_NET any -> [188.165.58.128] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281521/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281521; rev:1;) alert tcp $HOME_NET any -> [91.209.70.108] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281522; rev:1;) alert tcp $HOME_NET any -> [193.228.91.105] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281523; rev:1;) alert tcp $HOME_NET any -> [68.183.71.182] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281518; rev:1;) alert tcp $HOME_NET any -> [185.244.25.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281519; rev:1;) alert tcp $HOME_NET any -> [68.183.71.128] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281520; rev:1;) alert tcp $HOME_NET any -> [178.128.185.89] 739 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281515; rev:1;) alert tcp $HOME_NET any -> [5.252.177.70] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281516; rev:1;) alert tcp $HOME_NET any -> [144.217.12.66] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281517; rev:1;) alert tcp $HOME_NET any -> [5.2.70.50] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281512; rev:1;) alert tcp $HOME_NET any -> [183.81.33.153] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281513; rev:1;) alert tcp $HOME_NET any -> [42.192.172.230] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281514; rev:1;) alert tcp $HOME_NET any -> 
[198.98.56.196] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281509; rev:1;) alert tcp $HOME_NET any -> [198.199.81.90] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281510; rev:1;) alert tcp $HOME_NET any -> [198.98.58.97] 476 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281511; rev:1;) alert tcp $HOME_NET any -> [107.189.10.171] 38221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281506; rev:1;) alert tcp $HOME_NET any -> [209.141.62.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281507; rev:1;) alert tcp $HOME_NET any -> [185.101.105.227] 101 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281508/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281508; rev:1;) alert tcp $HOME_NET any -> [206.189.229.119] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281504; rev:1;) alert tcp $HOME_NET any -> [65.181.124.222] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281505; rev:1;) alert tcp $HOME_NET any -> [83.97.20.147] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281501; rev:1;) alert tcp $HOME_NET any -> [104.168.215.223] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281502; rev:1;) alert tcp $HOME_NET any -> [107.175.217.226] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281503; rev:1;) alert tcp $HOME_NET any -> [143.198.218.116] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281498; rev:1;) alert tcp $HOME_NET any -> [142.93.219.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281499; rev:1;) alert tcp $HOME_NET any -> [37.49.230.244] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281500; rev:1;) alert tcp $HOME_NET any -> [161.35.49.47] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281495; rev:1;) alert tcp $HOME_NET any -> [134.19.188.108] 1212 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281496; rev:1;) alert tcp $HOME_NET any -> [81.4.106.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281497; rev:1;) alert tcp 
$HOME_NET any -> [209.97.155.76] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281491; rev:1;) alert tcp $HOME_NET any -> [185.22.154.125] 310 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281492; rev:1;) alert tcp $HOME_NET any -> [50.115.165.107] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281493; rev:1;) alert tcp $HOME_NET any -> [46.101.243.231] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281494; rev:1;) alert tcp $HOME_NET any -> [206.189.167.201] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281488; rev:1;) alert tcp $HOME_NET any -> [104.236.224.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281489/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281489; rev:1;) alert tcp $HOME_NET any -> [51.255.16.202] 413 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281490; rev:1;) alert tcp $HOME_NET any -> [15.204.245.61] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281485; rev:1;) alert tcp $HOME_NET any -> [185.81.154.208] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281486; rev:1;) alert tcp $HOME_NET any -> [185.126.179.154] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281487; rev:1;) alert tcp $HOME_NET any -> [104.248.25.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281482; rev:1;) alert tcp $HOME_NET any -> [142.93.218.157] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281483; rev:1;) alert tcp $HOME_NET any -> [188.166.55.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281484; rev:1;) alert tcp $HOME_NET any -> [159.65.217.254] 5445 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281479; rev:1;) alert tcp $HOME_NET any -> [173.0.52.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281481; rev:1;) alert tcp $HOME_NET any -> [80.211.66.35] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281476; rev:1;) alert tcp $HOME_NET any -> [195.231.4.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281477; rev:1;) alert tcp 
$HOME_NET any -> [185.52.1.235] 3951 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281478; rev:1;) alert tcp $HOME_NET any -> [147.135.99.137] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281472; rev:1;) alert tcp $HOME_NET any -> [37.221.65.177] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281473; rev:1;) alert tcp $HOME_NET any -> [185.186.244.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281474; rev:1;) alert tcp $HOME_NET any -> [185.244.25.148] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281475; rev:1;) alert tcp $HOME_NET any -> [62.210.144.185] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281470/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281470; rev:1;) alert tcp $HOME_NET any -> [142.93.202.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281471; rev:1;) alert tcp $HOME_NET any -> [46.29.166.74] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281468; rev:1;) alert tcp $HOME_NET any -> [172.245.211.58] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281469; rev:1;) alert tcp $HOME_NET any -> [45.32.245.156] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281465; rev:1;) alert tcp $HOME_NET any -> [198.98.61.169] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281466; rev:1;) alert tcp $HOME_NET any -> [198.167.140.166] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281467; rev:1;) alert tcp $HOME_NET any -> [167.99.198.11] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281464; rev:1;) alert tcp $HOME_NET any -> [209.141.39.153] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281460; rev:1;) alert tcp $HOME_NET any -> [89.46.223.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281461; rev:1;) alert tcp $HOME_NET any -> [82.64.183.22] 8080 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281462; rev:1;) alert tcp $HOME_NET any -> [144.217.34.147] 60002 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281463; rev:1;) alert tcp 
$HOME_NET any -> [104.244.75.25] 813 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281457; rev:1;) alert tcp $HOME_NET any -> [68.183.79.93] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281458; rev:1;) alert tcp $HOME_NET any -> [87.236.212.240] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281459; rev:1;) alert tcp $HOME_NET any -> [205.185.116.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281454; rev:1;) alert tcp $HOME_NET any -> [142.93.18.16] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281455; rev:1;) alert tcp $HOME_NET any -> [51.15.228.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281456/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281456; rev:1;) alert tcp $HOME_NET any -> [206.189.118.223] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281451; rev:1;) alert tcp $HOME_NET any -> [149.56.122.12] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281452; rev:1;) alert tcp $HOME_NET any -> [45.144.165.227] 22 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281453; rev:1;) alert tcp $HOME_NET any -> [107.174.14.79] 1098 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281448; rev:1;) alert tcp $HOME_NET any -> [178.128.204.249] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281449; rev:1;) alert tcp $HOME_NET any -> [104.248.54.3] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281450; rev:1;) alert tcp $HOME_NET any -> [80.211.28.172] 61271 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281445; rev:1;) alert tcp $HOME_NET any -> [37.49.224.138] 998 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281446; rev:1;) alert tcp $HOME_NET any -> [142.93.89.55] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281447; rev:1;) alert tcp $HOME_NET any -> [185.244.25.254] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281442; rev:1;) alert tcp $HOME_NET any -> [176.56.237.44] 660 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281443; rev:1;) alert tcp 
$HOME_NET any -> [45.95.168.144] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281444; rev:1;) alert tcp $HOME_NET any -> [163.172.233.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281439; rev:1;) alert tcp $HOME_NET any -> [46.29.166.40] 534 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281440; rev:1;) alert tcp $HOME_NET any -> [139.162.183.77] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281441; rev:1;) alert tcp $HOME_NET any -> [37.49.230.154] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281436; rev:1;) alert tcp $HOME_NET any -> [45.95.169.10] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281437/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281437; rev:1;) alert tcp $HOME_NET any -> [207.148.19.82] 1558 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281438; rev:1;) alert tcp $HOME_NET any -> [103.82.20.50] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281433; rev:1;) alert tcp $HOME_NET any -> [138.197.153.211] 9235 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281434; rev:1;) alert tcp $HOME_NET any -> [51.178.225.200] 3224 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281435; rev:1;) alert tcp $HOME_NET any -> [185.62.189.64] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281432; rev:1;) alert tcp $HOME_NET any -> [45.95.168.86] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281429; rev:1;) alert tcp $HOME_NET any -> [104.168.102.145] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281430; rev:1;) alert tcp $HOME_NET any -> [14.1.29.67] 1234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281431; rev:1;) alert tcp $HOME_NET any -> [205.185.119.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281427; rev:1;) alert tcp $HOME_NET any -> [68.183.22.42] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281428; rev:1;) alert tcp $HOME_NET any -> [80.211.61.21] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281424; rev:1;) alert tcp 
$HOME_NET any -> [104.248.214.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281425; rev:1;) alert tcp $HOME_NET any -> [167.114.13.156] 765 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281426; rev:1;) alert tcp $HOME_NET any -> [159.89.185.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281422; rev:1;) alert tcp $HOME_NET any -> [198.98.59.57] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281423; rev:1;) alert tcp $HOME_NET any -> [103.60.13.195] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281420; rev:1;) alert tcp $HOME_NET any -> [198.98.55.87] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281421/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281421; rev:1;) alert tcp $HOME_NET any -> [139.99.113.2] 800 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281417; rev:1;) alert tcp $HOME_NET any -> [178.128.207.74] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281418; rev:1;) alert tcp $HOME_NET any -> [185.231.68.60] 1024 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281419; rev:1;) alert tcp $HOME_NET any -> [37.46.150.72] 42 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281415; rev:1;) alert tcp $HOME_NET any -> [178.33.14.208] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281416; rev:1;) alert tcp $HOME_NET any -> [89.46.223.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281413; rev:1;) alert tcp $HOME_NET any -> [104.168.163.95] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281414; rev:1;) alert tcp $HOME_NET any -> [142.93.126.147] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281412; rev:1;) alert tcp $HOME_NET any -> [104.238.235.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281409; rev:1;) alert tcp $HOME_NET any -> [188.166.1.47] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281410; rev:1;) alert tcp $HOME_NET any -> [45.156.185.182] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281411; rev:1;) alert tcp $HOME_NET any 
-> [178.33.181.23] 964 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281406; rev:1;) alert tcp $HOME_NET any -> [151.80.209.229] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281407; rev:1;) alert tcp $HOME_NET any -> [194.147.34.63] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281408; rev:1;) alert tcp $HOME_NET any -> [167.99.206.96] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281405; rev:1;) alert tcp $HOME_NET any -> [68.183.111.11] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281402; rev:1;) alert tcp $HOME_NET any -> [185.244.25.153] 33 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281403/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281403; rev:1;) alert tcp $HOME_NET any -> [51.89.115.83] 6744 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281404; rev:1;) alert tcp $HOME_NET any -> [185.244.25.137] 100 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281399; rev:1;) alert tcp $HOME_NET any -> [5.181.80.233] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281400; rev:1;) alert tcp $HOME_NET any -> [31.7.62.115] 65000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281401; rev:1;) alert tcp $HOME_NET any -> [198.199.68.142] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281397; rev:1;) alert tcp $HOME_NET any -> [193.239.147.90] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281398; rev:1;) alert tcp $HOME_NET any -> [185.244.25.230] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281395; rev:1;) alert tcp $HOME_NET any -> [178.62.27.198] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281396; rev:1;) alert tcp $HOME_NET any -> [37.49.230.154] 2006 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281392; rev:1;) alert tcp $HOME_NET any -> [46.29.163.204] 323 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281393; rev:1;) alert tcp $HOME_NET any -> [104.248.229.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281394; rev:1;) alert tcp $HOME_NET any 
-> [91.92.245.31] 67 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281389; rev:1;) alert tcp $HOME_NET any -> [89.34.237.211] 982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281390; rev:1;) alert tcp $HOME_NET any -> [45.84.196.43] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281391; rev:1;) alert tcp $HOME_NET any -> [185.244.25.168] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281386; rev:1;) alert tcp $HOME_NET any -> [185.244.25.229] 8015 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281387; rev:1;) alert tcp $HOME_NET any -> [194.48.152.122] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281388/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281388; rev:1;) alert tcp $HOME_NET any -> [199.19.226.178] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281382; rev:1;) alert tcp $HOME_NET any -> [185.52.1.235] 1026 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281383; rev:1;) alert tcp $HOME_NET any -> [45.61.185.83] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281384; rev:1;) alert tcp $HOME_NET any -> [168.235.91.153] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281385; rev:1;) alert tcp $HOME_NET any -> [104.248.63.86] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281379; rev:1;) alert tcp $HOME_NET any -> [167.114.124.76] 112 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281380; rev:1;) alert tcp $HOME_NET any -> [51.255.16.207] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281381; rev:1;) alert tcp $HOME_NET any -> [198.98.53.130] 83 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281376; rev:1;) alert tcp $HOME_NET any -> [51.75.156.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281377; rev:1;) alert tcp $HOME_NET any -> [205.185.125.213] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281378; rev:1;) alert tcp $HOME_NET any -> [157.230.23.235] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281374; rev:1;) alert tcp $HOME_NET any -> 
[46.101.226.118] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281375; rev:1;) alert tcp $HOME_NET any -> [147.135.23.231] 1722 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281371; rev:1;) alert tcp $HOME_NET any -> [141.98.7.233] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281372; rev:1;) alert tcp $HOME_NET any -> [185.22.153.71] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281373; rev:1;) alert tcp $HOME_NET any -> [185.10.68.191] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281368; rev:1;) alert tcp $HOME_NET any -> [185.164.72.135] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281369/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281369; rev:1;) alert tcp $HOME_NET any -> [94.103.124.162] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281370; rev:1;) alert tcp $HOME_NET any -> [145.239.139.22] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281364; rev:1;) alert tcp $HOME_NET any -> [192.3.131.25] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281365; rev:1;) alert tcp $HOME_NET any -> [104.168.102.14] 360 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281366; rev:1;) alert tcp $HOME_NET any -> [167.114.97.208] 38465 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281367; rev:1;) alert tcp $HOME_NET any -> [62.210.189.131] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281361; rev:1;) alert tcp $HOME_NET any -> [174.128.226.101] 411 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281362; rev:1;) alert tcp $HOME_NET any -> [158.69.103.149] 3456 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281363; rev:1;) alert tcp $HOME_NET any -> [107.173.2.141] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281359; rev:1;) alert tcp $HOME_NET any -> [194.48.152.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281360; rev:1;) alert tcp $HOME_NET any -> [5.34.179.99] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281356; rev:1;) alert tcp $HOME_NET any 
-> [51.255.4.54] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281357; rev:1;) alert tcp $HOME_NET any -> [185.38.142.103] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281358; rev:1;) alert tcp $HOME_NET any -> [45.95.168.207] 3485 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281354; rev:1;) alert tcp $HOME_NET any -> [23.254.211.227] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281355; rev:1;) alert tcp $HOME_NET any -> [89.34.237.191] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281351; rev:1;) alert tcp $HOME_NET any -> [178.128.152.57] 6669 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281352/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281352; rev:1;) alert tcp $HOME_NET any -> [46.29.165.33] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281353; rev:1;) alert tcp $HOME_NET any -> [89.190.159.181] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281348; rev:1;) alert tcp $HOME_NET any -> [45.32.170.190] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281349; rev:1;) alert tcp $HOME_NET any -> [46.166.133.165] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281350; rev:1;) alert tcp $HOME_NET any -> [206.189.120.242] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281345; rev:1;) alert tcp $HOME_NET any -> [192.210.239.10] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281346; rev:1;) alert tcp $HOME_NET any -> [142.93.123.195] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281347; rev:1;) alert tcp $HOME_NET any -> [23.254.226.31] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281343; rev:1;) alert tcp $HOME_NET any -> [194.15.36.246] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281344; rev:1;) alert tcp $HOME_NET any -> [51.75.161.114] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281340; rev:1;) alert tcp $HOME_NET any -> [107.191.110.161] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281341; rev:1;) alert tcp 
$HOME_NET any -> [185.244.25.216] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281342; rev:1;) alert tcp $HOME_NET any -> [199.19.225.161] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281337; rev:1;) alert tcp $HOME_NET any -> [23.94.21.90] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281338; rev:1;) alert tcp $HOME_NET any -> [37.49.224.132] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281339; rev:1;) alert tcp $HOME_NET any -> [46.17.41.41] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281334; rev:1;) alert tcp $HOME_NET any -> [46.17.46.22] 983 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281335/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281335; rev:1;) alert tcp $HOME_NET any -> [142.11.212.47] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281336; rev:1;) alert tcp $HOME_NET any -> [157.230.94.197] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281331; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281332; rev:1;) alert tcp $HOME_NET any -> [147.182.181.206] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281333; rev:1;) alert tcp $HOME_NET any -> [185.232.64.168] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281327; rev:1;) alert tcp $HOME_NET any -> [157.230.165.111] 2698 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281328; rev:1;) alert tcp $HOME_NET any -> [80.211.139.209] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281329; rev:1;) alert tcp $HOME_NET any -> [5.2.64.99] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281330; rev:1;) alert tcp $HOME_NET any -> [50.115.166.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281324; rev:1;) alert tcp $HOME_NET any -> [205.185.120.141] 3137 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281325; rev:1;) alert tcp $HOME_NET any -> [194.147.34.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281321; rev:1;) alert tcp 
$HOME_NET any -> [102.165.48.81] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281322; rev:1;) alert tcp $HOME_NET any -> [103.1.186.242] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281323; rev:1;) alert tcp $HOME_NET any -> [80.211.167.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281318; rev:1;) alert tcp $HOME_NET any -> [51.75.30.207] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281319; rev:1;) alert tcp $HOME_NET any -> [51.158.109.239] 379 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281320; rev:1;) alert tcp $HOME_NET any -> [185.224.131.155] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281315/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281315; rev:1;) alert tcp $HOME_NET any -> [54.38.210.102] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281316; rev:1;) alert tcp $HOME_NET any -> [135.125.27.200] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281317; rev:1;) alert tcp $HOME_NET any -> [45.84.196.248] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281312; rev:1;) alert tcp $HOME_NET any -> [46.29.164.93] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281313; rev:1;) alert tcp $HOME_NET any -> [194.15.36.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281314; rev:1;) alert tcp $HOME_NET any -> [149.56.122.12] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281309; rev:1;) alert tcp $HOME_NET any -> [2.58.95.76] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281310; rev:1;) alert tcp $HOME_NET any -> [23.254.132.124] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281311; rev:1;) alert tcp $HOME_NET any -> [46.29.160.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281307; rev:1;) alert tcp $HOME_NET any -> [157.230.60.248] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281308; rev:1;) alert tcp $HOME_NET any -> [107.173.176.160] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281304; rev:1;) alert tcp 
$HOME_NET any -> [2.56.241.218] 8014 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281305; rev:1;) alert tcp $HOME_NET any -> [92.249.48.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281306; rev:1;) alert tcp $HOME_NET any -> [45.148.121.98] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281301; rev:1;) alert tcp $HOME_NET any -> [185.244.25.222] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281302; rev:1;) alert tcp $HOME_NET any -> [66.70.225.223] 47 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281303; rev:1;) alert tcp $HOME_NET any -> [185.22.154.181] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281298/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281298; rev:1;) alert tcp $HOME_NET any -> [46.29.167.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281299; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 54356 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281300; rev:1;) alert tcp $HOME_NET any -> [37.46.150.37] 7113 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281296; rev:1;) alert tcp $HOME_NET any -> [205.185.127.155] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281297; rev:1;) alert tcp $HOME_NET any -> [45.95.168.87] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281292; rev:1;) alert tcp $HOME_NET any -> [107.175.189.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281293; rev:1;) alert tcp $HOME_NET any -> [138.197.99.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281294; rev:1;) alert tcp $HOME_NET any -> [95.174.91.180] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281295; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 113 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281290; rev:1;) alert tcp $HOME_NET any -> [157.230.169.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281291; rev:1;) alert tcp $HOME_NET any -> [142.93.164.211] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281287; rev:1;) alert tcp 
$HOME_NET any -> [107.155.153.179] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281288; rev:1;) alert tcp $HOME_NET any -> [68.183.66.143] 1994 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281289; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281284; rev:1;) alert tcp $HOME_NET any -> [68.183.21.143] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281285; rev:1;) alert tcp $HOME_NET any -> [107.172.137.175] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281286; rev:1;) alert tcp $HOME_NET any -> [163.172.185.153] 322 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281282/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281282; rev:1;) alert tcp $HOME_NET any -> [165.227.161.65] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281283; rev:1;) alert tcp $HOME_NET any -> [92.249.48.38] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281279; rev:1;) alert tcp $HOME_NET any -> [138.68.103.230] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281280; rev:1;) alert tcp $HOME_NET any -> [142.93.68.129] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281281; rev:1;) alert tcp $HOME_NET any -> [89.34.237.189] 75 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281276; rev:1;) alert tcp $HOME_NET any -> [172.245.210.174] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281277; rev:1;) alert tcp $HOME_NET any -> [205.185.124.211] 12 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281278; rev:1;) alert tcp $HOME_NET any -> [142.11.205.100] 43 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281274; rev:1;) alert tcp $HOME_NET any -> [209.141.61.187] 20 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281275; rev:1;) alert tcp $HOME_NET any -> [145.239.41.199] 4501 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281271; rev:1;) alert tcp $HOME_NET any -> [185.101.105.227] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281272; 
rev:1;) alert tcp $HOME_NET any -> [37.44.238.66] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281273; rev:1;) alert tcp $HOME_NET any -> [185.110.190.125] 3333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281268; rev:1;) alert tcp $HOME_NET any -> [185.244.25.168] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281269; rev:1;) alert tcp $HOME_NET any -> [68.183.172.32] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281270; rev:1;) alert tcp $HOME_NET any -> [107.174.24.161] 248 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281266; rev:1;) alert tcp $HOME_NET any -> [185.244.25.153] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1281267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281267; rev:1;) alert tcp $HOME_NET any -> [103.195.7.71] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281264; rev:1;) alert tcp $HOME_NET any -> [45.15.143.253] 44444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281265; rev:1;) alert tcp $HOME_NET any -> [164.90.187.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281260; rev:1;) alert tcp $HOME_NET any -> [195.154.77.155] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281261; rev:1;) alert tcp $HOME_NET any -> [203.159.80.150] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281262; rev:1;) alert tcp $HOME_NET any -> [51.89.115.83] 1111 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281263; rev:1;) alert tcp $HOME_NET any -> [109.201.143.178] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281258; rev:1;) alert tcp $HOME_NET any -> [205.185.120.140] 923 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281259; rev:1;) alert tcp $HOME_NET any -> [159.89.85.81] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281255; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 737 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281256; rev:1;) alert tcp $HOME_NET any -> [185.172.110.230] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281257; rev:1;) alert tcp $HOME_NET any -> [206.189.138.82] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281252; rev:1;) alert tcp $HOME_NET any -> [79.124.40.47] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281253; rev:1;) alert tcp $HOME_NET any -> [46.36.37.121] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281254; rev:1;) alert tcp $HOME_NET any -> [104.244.77.36] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281249; rev:1;) alert tcp $HOME_NET any -> [31.13.195.251] 3453 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281250; rev:1;) alert tcp $HOME_NET any -> [31.42.177.104] 10235 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1281251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281251; rev:1;) alert tcp $HOME_NET any -> [173.212.234.54] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281246; rev:1;) alert tcp $HOME_NET any -> [198.23.239.166] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281247; rev:1;) alert tcp $HOME_NET any -> [198.211.113.55] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281248; rev:1;) alert tcp $HOME_NET any -> [198.98.62.146] 922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281243; rev:1;) alert tcp $HOME_NET any -> [185.132.53.229] 18 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281244; rev:1;) alert tcp $HOME_NET any -> [91.209.70.120] 177 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281245; rev:1;) alert tcp $HOME_NET any -> [194.147.35.134] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281240; rev:1;) alert tcp $HOME_NET any -> [185.244.39.107] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281241; rev:1;) alert tcp $HOME_NET any -> [185.244.25.153] 422 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281242; rev:1;) alert tcp $HOME_NET any -> [37.49.230.232] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281238; rev:1;) alert tcp $HOME_NET any -> [167.114.115.119] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281235/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281235; rev:1;) alert tcp $HOME_NET any -> [69.55.54.213] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281236; rev:1;) alert tcp $HOME_NET any -> [51.91.202.137] 8811 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281237; rev:1;) alert tcp $HOME_NET any -> [142.93.63.144] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281234; rev:1;) alert tcp $HOME_NET any -> [165.22.144.189] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281232; rev:1;) alert tcp $HOME_NET any -> [185.172.110.203] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281233; rev:1;) alert tcp $HOME_NET any -> [5.2.77.227] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281229; rev:1;) alert tcp $HOME_NET any -> [68.183.71.182] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281230; rev:1;) alert tcp $HOME_NET any -> [193.239.147.75] 617 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281231; rev:1;) alert tcp $HOME_NET any -> [45.151.68.222] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281225; rev:1;) alert tcp $HOME_NET any -> [185.244.25.84] 8010 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281226; rev:1;) alert tcp $HOME_NET any -> [165.22.128.163] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281227; rev:1;) alert tcp $HOME_NET any -> [198.98.53.194] 23 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281228; rev:1;) alert tcp $HOME_NET any -> [104.248.6.196] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281223; rev:1;) alert tcp $HOME_NET any -> [107.174.39.102] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281224; rev:1;) alert tcp $HOME_NET any -> [206.189.17.155] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281220; rev:1;) alert tcp $HOME_NET any -> [45.95.169.201] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281221; rev:1;) alert tcp $HOME_NET any -> [209.141.54.253] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281222/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281222; rev:1;) alert tcp $HOME_NET any -> [45.84.196.211] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281217; rev:1;) alert tcp $HOME_NET any -> [81.171.3.228] 982 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281218; rev:1;) alert tcp $HOME_NET any -> [2.59.116.62] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281219; rev:1;) alert tcp $HOME_NET any -> [151.80.209.229] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281214; rev:1;) alert tcp $HOME_NET any -> [142.93.108.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281215; rev:1;) alert tcp $HOME_NET any -> [165.22.80.158] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281216; rev:1;) alert tcp $HOME_NET any -> [159.89.229.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281211; rev:1;) alert tcp $HOME_NET any -> [45.84.196.209] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281212; rev:1;) alert tcp $HOME_NET any -> [45.80.37.125] 2245 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281213; rev:1;) alert tcp $HOME_NET any -> [104.248.231.103] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281208; rev:1;) alert tcp $HOME_NET any -> [68.183.140.225] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281209; rev:1;) alert tcp $HOME_NET any -> [138.197.5.39] 23 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281210; rev:1;) alert tcp $HOME_NET any -> [185.246.116.179] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281205; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281206; rev:1;) alert tcp $HOME_NET any -> [45.95.168.117] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281207; rev:1;) alert tcp $HOME_NET any -> [205.185.126.201] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281202; rev:1;) alert tcp $HOME_NET any -> [157.230.92.196] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281203/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281203; rev:1;) alert tcp $HOME_NET any -> [89.34.237.210] 922 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281204; rev:1;) alert tcp $HOME_NET any -> [209.141.54.9] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281199; rev:1;) alert tcp $HOME_NET any -> [69.172.229.174] 10000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281200; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281201; rev:1;) alert tcp $HOME_NET any -> [157.230.221.85] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281196; rev:1;) alert tcp $HOME_NET any -> [192.99.167.75] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1281197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281197; rev:1;) alert tcp $HOME_NET any -> [199.38.245.231] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281198; rev:1;) alert tcp $HOME_NET any -> [183.81.33.153] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281193; rev:1;) alert tcp $HOME_NET any -> [134.209.156.105] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281194; rev:1;) alert tcp $HOME_NET any -> [198.12.76.151] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281195; rev:1;) alert tcp $HOME_NET any -> [212.237.29.81] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281191; rev:1;) alert tcp $HOME_NET any -> [185.239.242.208] 666 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281192; rev:1;) alert tcp $HOME_NET any -> [50.115.170.108] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281188; rev:1;) alert tcp $HOME_NET any -> [104.248.223.216] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281189; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 5515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281190; rev:1;) alert tcp $HOME_NET any -> [172.245.112.72] 1234 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281185; rev:1;) alert tcp $HOME_NET any -> [194.87.138.44] 6780 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281186/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281186; rev:1;) alert tcp $HOME_NET any -> [185.132.53.191] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281187; rev:1;) alert tcp $HOME_NET any -> [198.98.58.235] 53600 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281182; rev:1;) alert tcp $HOME_NET any -> [51.77.213.109] 9004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281183; rev:1;) alert tcp $HOME_NET any -> [46.17.46.22] 8014 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281184; rev:1;) alert tcp $HOME_NET any -> [23.95.226.153] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281179; rev:1;) alert tcp $HOME_NET any -> [188.166.25.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281180; rev:1;) alert tcp $HOME_NET any -> [209.141.41.58] 4532 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281181; rev:1;) alert tcp $HOME_NET any -> [92.249.48.140] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281176; rev:1;) alert tcp $HOME_NET any -> [107.174.241.143] 311 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281177; rev:1;) alert tcp $HOME_NET any -> [104.248.132.154] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281178; rev:1;) alert tcp $HOME_NET any -> [137.74.237.195] 1330 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281173; rev:1;) alert tcp $HOME_NET any -> 
[167.99.225.112] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281174; rev:1;) alert tcp $HOME_NET any -> [87.107.146.227] 3391 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281175; rev:1;) alert tcp $HOME_NET any -> [45.95.147.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281169; rev:1;) alert tcp $HOME_NET any -> [45.156.22.230] 1881 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281170; rev:1;) alert tcp $HOME_NET any -> [206.189.221.52] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281171; rev:1;) alert tcp $HOME_NET any -> [185.165.29.111] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281172/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281172; rev:1;) alert tcp $HOME_NET any -> [45.14.224.244] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281166; rev:1;) alert tcp $HOME_NET any -> [198.98.52.167] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281167; rev:1;) alert tcp $HOME_NET any -> [144.172.73.41] 713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281168; rev:1;) alert tcp $HOME_NET any -> [178.128.125.114] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281163; rev:1;) alert tcp $HOME_NET any -> [108.39.19.20] 2829 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281164; rev:1;) alert tcp $HOME_NET any -> [185.112.249.122] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281165; rev:1;) alert tcp $HOME_NET any -> [107.173.213.43] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281160; rev:1;) alert tcp $HOME_NET any -> [46.29.167.56] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281161; rev:1;) alert tcp $HOME_NET any -> [173.232.146.170] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281162; rev:1;) alert tcp $HOME_NET any -> [217.61.125.227] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281157; rev:1;) alert tcp $HOME_NET any -> [192.3.194.124] 717 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281158; rev:1;) alert tcp $HOME_NET any -> 
[108.61.215.176] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281159; rev:1;) alert tcp $HOME_NET any -> [104.248.231.250] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281154; rev:1;) alert tcp $HOME_NET any -> [198.46.160.136] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281155; rev:1;) alert tcp $HOME_NET any -> [185.10.68.191] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281156; rev:1;) alert tcp $HOME_NET any -> [93.123.85.140] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281151; rev:1;) alert tcp $HOME_NET any -> [185.244.25.93] 52160 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281152/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281152; rev:1;) alert tcp $HOME_NET any -> [209.141.34.113] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281153; rev:1;) alert tcp $HOME_NET any -> [103.153.69.150] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281148; rev:1;) alert tcp $HOME_NET any -> [46.17.44.44] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281149; rev:1;) alert tcp $HOME_NET any -> [142.44.251.105] 65535 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281150; rev:1;) alert tcp $HOME_NET any -> [80.211.28.43] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281145; rev:1;) alert tcp $HOME_NET any -> [213.32.95.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281146; rev:1;) alert tcp $HOME_NET any -> [45.95.168.121] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281147; rev:1;) alert tcp $HOME_NET any -> [37.49.230.103] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281142; rev:1;) alert tcp $HOME_NET any -> [83.97.20.90] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281143; rev:1;) alert tcp $HOME_NET any -> [206.189.157.235] 1991 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281139; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 6536 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281140; rev:1;) alert tcp $HOME_NET any -> 
[80.211.184.72] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281141; rev:1;) alert tcp $HOME_NET any -> [178.128.121.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281136; rev:1;) alert tcp $HOME_NET any -> [142.93.153.19] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281137; rev:1;) alert tcp $HOME_NET any -> [185.165.29.25] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281138; rev:1;) alert tcp $HOME_NET any -> [185.244.25.126] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281133; rev:1;) alert tcp $HOME_NET any -> [94.177.224.200] 247 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281134/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281134; rev:1;) alert tcp $HOME_NET any -> [162.243.167.162] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281135; rev:1;) alert tcp $HOME_NET any -> [142.11.227.63] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281130; rev:1;) alert tcp $HOME_NET any -> [37.49.227.109] 60001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281131; rev:1;) alert tcp $HOME_NET any -> [216.218.192.170] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281132; rev:1;) alert tcp $HOME_NET any -> [46.166.133.165] 456 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281127; rev:1;) alert tcp $HOME_NET any -> [185.112.248.29] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281128; rev:1;) alert tcp $HOME_NET any -> [167.99.164.140] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281129; rev:1;) alert tcp $HOME_NET any -> [45.141.58.180] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281124; rev:1;) alert tcp $HOME_NET any -> [37.49.225.241] 58215 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281125; rev:1;) alert tcp $HOME_NET any -> [137.74.237.193] 151 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281126; rev:1;) alert tcp $HOME_NET any -> [45.95.168.119] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281121; rev:1;) alert tcp 
$HOME_NET any -> [143.198.50.169] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281122; rev:1;) alert tcp $HOME_NET any -> [103.159.188.34] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281123; rev:1;) alert tcp $HOME_NET any -> [37.49.230.45] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281118; rev:1;) alert tcp $HOME_NET any -> [93.123.85.139] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281119; rev:1;) alert tcp $HOME_NET any -> [5.2.65.150] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281120; rev:1;) alert tcp $HOME_NET any -> [159.89.239.212] 54 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281115/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281115; rev:1;) alert tcp $HOME_NET any -> [138.197.165.239] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281116; rev:1;) alert tcp $HOME_NET any -> [67.21.68.148] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281117; rev:1;) alert tcp $HOME_NET any -> [198.167.140.146] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281112; rev:1;) alert tcp $HOME_NET any -> [51.77.245.82] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281113; rev:1;) alert tcp $HOME_NET any -> [78.135.81.84] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281114; rev:1;) alert tcp $HOME_NET any -> [209.97.136.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281109; rev:1;) alert tcp $HOME_NET any -> [195.88.208.161] 872 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281110; rev:1;) alert tcp $HOME_NET any -> [192.241.136.213] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281111; rev:1;) alert tcp $HOME_NET any -> [46.29.163.200] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281106; rev:1;) alert tcp $HOME_NET any -> [104.248.231.103] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281107; rev:1;) alert tcp $HOME_NET any -> [78.128.114.66] 353 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281108; rev:1;) alert tcp $HOME_NET 
any -> [93.123.85.43] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281102; rev:1;) alert tcp $HOME_NET any -> [178.62.240.123] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281103; rev:1;) alert tcp $HOME_NET any -> [192.129.175.148] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281104; rev:1;) alert tcp $HOME_NET any -> [206.189.140.181] 18184 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281105; rev:1;) alert tcp $HOME_NET any -> [178.128.195.57] 8346 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281099; rev:1;) alert tcp $HOME_NET any -> [142.93.5.233] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281100/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281100; rev:1;) alert tcp $HOME_NET any -> [87.251.64.208] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281101; rev:1;) alert tcp $HOME_NET any -> [68.183.30.66] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281096; rev:1;) alert tcp $HOME_NET any -> [80.211.184.72] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281097; rev:1;) alert tcp $HOME_NET any -> [107.172.141.115] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281098; rev:1;) alert tcp $HOME_NET any -> [192.241.151.14] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281093; rev:1;) alert tcp $HOME_NET any -> [45.84.196.166] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281094; rev:1;) alert tcp $HOME_NET any -> [188.166.41.194] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281095; rev:1;) alert tcp $HOME_NET any -> [80.211.40.217] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281090; rev:1;) alert tcp $HOME_NET any -> [23.254.226.242] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281091; rev:1;) alert tcp $HOME_NET any -> [46.166.151.88] 453 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281092; rev:1;) alert tcp $HOME_NET any -> [80.211.234.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281087; rev:1;) alert tcp 
$HOME_NET any -> [185.52.2.140] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281088; rev:1;) alert tcp $HOME_NET any -> [45.95.168.156] 8899 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281089; rev:1;) alert tcp $HOME_NET any -> [206.189.194.182] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281084; rev:1;) alert tcp $HOME_NET any -> [185.244.25.242] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281085; rev:1;) alert tcp $HOME_NET any -> [209.141.57.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281086; rev:1;) alert tcp $HOME_NET any -> [178.128.178.70] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281081/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281081; rev:1;) alert tcp $HOME_NET any -> [94.156.8.161] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281082; rev:1;) alert tcp $HOME_NET any -> [198.98.61.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281083; rev:1;) alert tcp $HOME_NET any -> [209.141.39.153] 11000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281078; rev:1;) alert tcp $HOME_NET any -> [159.65.159.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281079; rev:1;) alert tcp $HOME_NET any -> [159.89.222.5] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281080; rev:1;) alert tcp $HOME_NET any -> [178.128.161.154] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281075; rev:1;) alert tcp $HOME_NET any -> [51.79.55.3] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281076; rev:1;) alert tcp $HOME_NET any -> [50.115.174.102] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281077; rev:1;) alert tcp $HOME_NET any -> [185.63.253.201] 801 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281072; rev:1;) alert tcp $HOME_NET any -> [185.101.105.167] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281073; rev:1;) alert tcp $HOME_NET any -> [104.248.63.168] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281074; rev:1;) 
# --- ThreatFox Bashlite botnet C2 (ip:port) rules, first_seen 2024_06_05 ---
# One rule per C2 endpoint, one rule per line. Each fires on any TCP packet
# from $HOME_NET to the listed IP:port; the rules carry no flow keyword, so a
# bare connection attempt (SYN) is enough to alert. The threshold clause caps
# output at one alert per source host per rule per 60 seconds, and
# target:src_ip tags the internal (source) host as the affected side in the
# alert record. sid = 90000000 + ThreatFox IOC id; the reference URL points at
# that IOC entry.
# Operational caveat: IP:port IOCs decay fast. "confidence level: 100%" is the
# value recorded in ThreatFox for the IOC, not a guarantee the address is still
# hostile, and many of the addresses below appear to sit in commodity
# hosting/VPS ranges that get reassigned. These rules alert rather than drop;
# check the reference entry before turning a hit into a block, and age out or
# refresh these rules as the feed is updated.
alert tcp $HOME_NET any -> [45.84.196.164] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281069; rev:1;)
alert tcp $HOME_NET any -> [68.183.99.35] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281070; rev:1;)
alert tcp $HOME_NET any -> [23.254.202.208] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281071; rev:1;)
alert tcp $HOME_NET any -> [70.185.41.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281067; rev:1;)
alert tcp $HOME_NET any -> [37.49.224.101] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281068; rev:1;)
alert tcp $HOME_NET any -> [159.89.143.217] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281065; rev:1;)
alert tcp $HOME_NET any -> [205.185.126.14] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281066; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.189] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281063; rev:1;)
alert tcp $HOME_NET any -> [212.237.58.51] 979 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281064; rev:1;)
alert tcp $HOME_NET any -> [192.243.101.212] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281060; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.121] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281061; rev:1;)
alert tcp $HOME_NET any -> [134.209.115.74] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281062; rev:1;)
alert tcp $HOME_NET any -> [157.230.125.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281058; rev:1;)
alert tcp $HOME_NET any -> [192.3.131.23] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281059; rev:1;)
alert tcp $HOME_NET any -> [157.230.243.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281055; rev:1;)
alert tcp $HOME_NET any -> [46.29.167.181] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281056; rev:1;)
alert tcp $HOME_NET any -> [92.156.79.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281057; rev:1;)
alert tcp $HOME_NET any -> [157.230.220.41] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281053; rev:1;)
alert tcp $HOME_NET any -> [46.36.41.247] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281054; rev:1;)
alert tcp $HOME_NET any -> [78.135.81.84] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281051; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.142] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281052; rev:1;)
alert tcp $HOME_NET any -> [45.143.223.42] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281048; rev:1;)
alert tcp $HOME_NET any -> [50.115.172.117] 423 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281049; rev:1;)
alert tcp $HOME_NET any -> [185.101.107.236] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281050; rev:1;)
alert tcp $HOME_NET any -> [185.244.219.116] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281045; rev:1;)
alert tcp $HOME_NET any -> [91.196.149.73] 211 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281046; rev:1;)
alert tcp $HOME_NET any -> [173.82.168.101] 98 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281047; rev:1;)
alert tcp $HOME_NET any -> [135.148.55.139] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281043; rev:1;)
alert tcp $HOME_NET any -> [45.89.230.8] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281044; rev:1;)
alert tcp $HOME_NET any -> [51.254.176.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281041; rev:1;)
alert tcp $HOME_NET any -> [194.147.35.199] 310 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281042; rev:1;)
alert tcp $HOME_NET any -> [172.245.153.123] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281039; rev:1;)
alert tcp $HOME_NET any -> [165.227.36.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281040; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.149] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281036; rev:1;)
alert tcp $HOME_NET any -> [185.150.26.223] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281037; rev:1;)
alert tcp $HOME_NET any -> [45.131.108.174] 44 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281038; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.173] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281034; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.145] 9175 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281035; rev:1;)
alert tcp $HOME_NET any -> [104.168.44.166] 3485 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281031; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.166] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281032; rev:1;)
alert tcp $HOME_NET any -> [23.254.224.66] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281033; rev:1;)
alert tcp $HOME_NET any -> [46.101.54.107] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281030; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.138] 879 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281028; rev:1;)
alert tcp $HOME_NET any -> [80.211.142.26] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281029; rev:1;)
alert tcp $HOME_NET any -> [178.62.63.52] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281027; rev:1;)
alert tcp $HOME_NET any -> [157.230.209.246] 66 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281025; rev:1;)
alert tcp $HOME_NET any -> [159.203.84.111] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281026; rev:1;)
alert tcp $HOME_NET any -> [165.22.185.127] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281024; rev:1;)
alert tcp $HOME_NET any -> [206.189.189.14] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281022; rev:1;)
alert tcp $HOME_NET any -> [107.173.91.168] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281023; rev:1;)
alert tcp $HOME_NET any -> [172.105.68.51] 345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281020/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91281020; rev:1;) alert tcp $HOME_NET any -> [91.92.251.251] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281021; rev:1;) alert tcp $HOME_NET any -> [142.11.212.47] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281018; rev:1;) alert tcp $HOME_NET any -> [188.166.58.42] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281019; rev:1;) alert tcp $HOME_NET any -> [185.244.25.149] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281017; rev:1;) alert tcp $HOME_NET any -> [46.29.164.93] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281016; rev:1;) alert tcp $HOME_NET any -> [94.156.8.179] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1281015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281015; rev:1;) alert tcp $HOME_NET any -> [209.97.183.24] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281014; rev:1;) alert tcp $HOME_NET any -> [198.98.56.156] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281012; rev:1;) alert tcp $HOME_NET any -> [155.138.206.237] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281013; rev:1;) alert tcp $HOME_NET any -> [194.147.35.186] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281011; rev:1;) alert tcp $HOME_NET any -> [138.197.215.81] 911 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281010; rev:1;) alert tcp $HOME_NET any -> [104.168.102.194] 606 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281009; rev:1;) alert tcp $HOME_NET any -> [46.36.41.197] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281008; rev:1;) alert tcp $HOME_NET any -> [51.79.65.49] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281007; rev:1;) alert tcp $HOME_NET any -> [199.19.225.2] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281006; rev:1;) alert tcp $HOME_NET any -> [185.22.152.249] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281005; rev:1;) alert tcp $HOME_NET any -> [46.29.163.77] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91281004; rev:1;) alert tcp $HOME_NET any -> [45.95.168.91] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281003; rev:1;) alert tcp $HOME_NET any -> [185.172.111.199] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281002; rev:1;) alert tcp $HOME_NET any -> [206.189.207.175] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281001; rev:1;) alert tcp $HOME_NET any -> [207.246.123.143] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280999; rev:1;) alert tcp $HOME_NET any -> [51.178.81.75] 9004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1281000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91281000; rev:1;) alert tcp $HOME_NET any -> [194.147.32.226] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1280998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280998; rev:1;) alert tcp $HOME_NET any -> [194.87.138.10] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280997; rev:1;) alert tcp $HOME_NET any -> [37.49.227.202] 35678 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280996; rev:1;) alert tcp $HOME_NET any -> [193.70.81.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280995; rev:1;) alert tcp $HOME_NET any -> [193.233.252.242] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280994; rev:1;) alert tcp $HOME_NET any -> [178.33.181.23] 924 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280993; rev:1;) alert tcp $HOME_NET any -> [159.65.227.17] 64 (msg:"ThreatFox 
Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280992; rev:1;) alert tcp $HOME_NET any -> [76.74.170.204] 45645 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280991; rev:1;) alert tcp $HOME_NET any -> [37.49.230.106] 1722 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280990; rev:1;) alert tcp $HOME_NET any -> [93.123.85.170] 26586 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280989; rev:1;) alert tcp $HOME_NET any -> [195.231.9.122] 5062 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280987; rev:1;) alert tcp $HOME_NET any -> [139.59.95.206] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280988/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280988; rev:1;) alert tcp $HOME_NET any -> [185.232.64.168] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280985; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 65531 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280986; rev:1;) alert tcp $HOME_NET any -> [46.101.144.161] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280984; rev:1;) alert tcp $HOME_NET any -> [206.189.188.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280982; rev:1;) alert tcp $HOME_NET any -> [45.153.203.204] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280983; rev:1;) alert tcp $HOME_NET any -> [188.227.19.18] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1280980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280980; rev:1;) alert tcp $HOME_NET any -> [159.89.34.227] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280981; rev:1;) alert tcp $HOME_NET any -> [142.93.152.64] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280978; rev:1;) alert tcp $HOME_NET any -> [157.230.219.6] 554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280979; rev:1;) alert tcp $HOME_NET any -> [185.158.249.147] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280977; rev:1;) alert tcp $HOME_NET any -> [206.189.167.201] 6665 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280974; rev:1;) alert tcp $HOME_NET any -> [46.173.219.118] 415 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280975; rev:1;) alert tcp $HOME_NET any -> [151.236.38.234] 745 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280976; rev:1;) alert tcp $HOME_NET any -> [167.88.124.204] 223 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280971; rev:1;) alert tcp $HOME_NET any -> [199.195.252.101] 28713 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280972; rev:1;) alert tcp $HOME_NET any -> [198.12.97.72] 60001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280973; rev:1;) alert tcp $HOME_NET any -> [51.38.83.30] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280969/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280969; rev:1;) alert tcp $HOME_NET any -> [194.147.32.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280970; rev:1;) alert tcp $HOME_NET any -> [194.15.36.4] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280968; rev:1;) alert tcp $HOME_NET any -> [80.211.44.61] 48884 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280965; rev:1;) alert tcp $HOME_NET any -> [46.29.161.247] 838 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280966; rev:1;) alert tcp $HOME_NET any -> [159.65.185.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280967; rev:1;) alert tcp $HOME_NET any -> [147.182.249.167] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280963; rev:1;) alert tcp $HOME_NET any -> [45.32.59.173] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280964; rev:1;) alert tcp $HOME_NET any -> [68.183.141.219] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280961; rev:1;) alert tcp $HOME_NET any -> [46.29.166.95] 985 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280962; rev:1;) alert tcp $HOME_NET any -> [163.172.133.10] 544 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280958; rev:1;) alert tcp $HOME_NET any -> [46.29.163.68] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280959; rev:1;) alert tcp $HOME_NET any -> [178.128.7.177] 666 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280960; rev:1;) alert tcp $HOME_NET any -> [205.185.114.87] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280955; rev:1;) alert tcp $HOME_NET any -> [91.208.127.128] 1024 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280956; rev:1;) alert tcp $HOME_NET any -> [68.183.98.153] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280957; rev:1;) alert tcp $HOME_NET any -> [157.230.48.173] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280953; rev:1;) alert tcp $HOME_NET any -> [198.46.249.213] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280954/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280954; rev:1;) alert tcp $HOME_NET any -> [185.244.25.123] 80 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280950; rev:1;) alert tcp $HOME_NET any -> [77.83.117.225] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280951; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280952; rev:1;) alert tcp $HOME_NET any -> [120.89.61.187] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280947; rev:1;) alert tcp $HOME_NET any -> [185.239.242.119] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280948; rev:1;) alert tcp $HOME_NET any -> [89.34.26.123] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280949; rev:1;) alert tcp $HOME_NET any -> [51.75.74.22] 87 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280946; rev:1;) alert tcp $HOME_NET any -> [46.17.47.250] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280943; rev:1;) alert tcp $HOME_NET any -> [81.4.106.148] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280944; rev:1;) alert tcp $HOME_NET any -> [165.227.63.145] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280945; rev:1;) alert tcp $HOME_NET any -> [23.94.136.122] 1738 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280941; rev:1;) alert tcp $HOME_NET any -> [149.28.116.14] 23 
(msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280942; rev:1;) alert tcp $HOME_NET any -> [103.82.20.7] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280938; rev:1;) alert tcp $HOME_NET any -> [198.144.190.22] 7777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280939; rev:1;) alert tcp $HOME_NET any -> [205.185.114.87] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280940; rev:1;) alert tcp $HOME_NET any -> [209.141.37.251] 48263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280936; rev:1;) alert tcp $HOME_NET any -> [206.189.68.108] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280937/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280937; rev:1;) alert tcp $HOME_NET any -> [185.101.105.141] 420 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280933; rev:1;) alert tcp $HOME_NET any -> [172.245.135.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280934; rev:1;) alert tcp $HOME_NET any -> [178.128.227.2] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280935; rev:1;) alert tcp $HOME_NET any -> [46.36.41.247] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280931; rev:1;) alert tcp $HOME_NET any -> [108.174.199.188] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280932; rev:1;) alert tcp $HOME_NET any -> [138.68.238.104] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280928; rev:1;) alert tcp $HOME_NET any -> [149.56.228.32] 1411 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280929; rev:1;) alert tcp $HOME_NET any -> [45.153.243.219] 9999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280930; rev:1;) alert tcp $HOME_NET any -> [104.168.102.14] 38221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280927; rev:1;) alert tcp $HOME_NET any -> [209.141.41.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280924; rev:1;) alert tcp $HOME_NET any -> [205.185.127.94] 6258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280925; rev:1;) alert tcp $HOME_NET any -> 
[174.138.13.156] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280926; rev:1;) alert tcp $HOME_NET any -> [195.123.245.205] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280922; rev:1;) alert tcp $HOME_NET any -> [185.232.64.140] 8010 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280923; rev:1;) alert tcp $HOME_NET any -> [37.49.227.120] 60001 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280920; rev:1;) alert tcp $HOME_NET any -> [142.93.13.73] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280921; rev:1;) alert tcp $HOME_NET any -> [168.235.66.17] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280918/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280918; rev:1;) alert tcp $HOME_NET any -> [185.172.110.224] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280919; rev:1;) alert tcp $HOME_NET any -> [178.62.9.232] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280915; rev:1;) alert tcp $HOME_NET any -> [178.62.215.86] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280916; rev:1;) alert tcp $HOME_NET any -> [136.144.200.209] 4599 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280917; rev:1;) alert tcp $HOME_NET any -> [164.90.191.187] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280913; rev:1;) alert tcp $HOME_NET any -> [223.252.60.83] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280914; rev:1;) alert tcp $HOME_NET any -> [198.167.140.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280911; rev:1;) alert tcp $HOME_NET any -> [207.154.249.73] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280912; rev:1;) alert tcp $HOME_NET any -> [68.183.222.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280908; rev:1;) alert tcp $HOME_NET any -> [2.57.122.213] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280909; rev:1;) alert tcp $HOME_NET any -> [66.23.201.227] 656 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280910; rev:1;) alert tcp $HOME_NET any 
-> [43.224.29.49] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280906; rev:1;) alert tcp $HOME_NET any -> [107.175.215.10] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280907; rev:1;) alert tcp $HOME_NET any -> [185.244.25.222] 52 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280904; rev:1;) alert tcp $HOME_NET any -> [142.11.219.202] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280905; rev:1;) alert tcp $HOME_NET any -> [167.99.215.155] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280901; rev:1;) alert tcp $HOME_NET any -> [185.172.110.214] 888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280902/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280902; rev:1;) alert tcp $HOME_NET any -> [5.83.163.78] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280903; rev:1;) alert tcp $HOME_NET any -> [142.93.237.185] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280899; rev:1;) alert tcp $HOME_NET any -> [34.122.44.188] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280900; rev:1;) alert tcp $HOME_NET any -> [128.199.197.79] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280897; rev:1;) alert tcp $HOME_NET any -> [209.97.191.100] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280898; rev:1;) alert tcp $HOME_NET any -> [107.152.35.182] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280894; rev:1;) alert tcp $HOME_NET any -> [23.95.221.126] 480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280895; rev:1;) alert tcp $HOME_NET any -> [199.180.134.125] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280896; rev:1;) alert tcp $HOME_NET any -> [23.254.244.138] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280891; rev:1;) alert tcp $HOME_NET any -> [94.140.125.9] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280892; rev:1;) alert tcp $HOME_NET any -> [199.195.248.68] 7113 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280893; rev:1;) alert tcp $HOME_NET any -> 
[94.103.124.89] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280889; rev:1;) alert tcp $HOME_NET any -> [80.211.223.70] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280890; rev:1;) alert tcp $HOME_NET any -> [209.141.48.246] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280886; rev:1;) alert tcp $HOME_NET any -> [51.195.236.169] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280887; rev:1;) alert tcp $HOME_NET any -> [107.172.141.163] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280888; rev:1;) alert tcp $HOME_NET any -> [83.166.249.119] 1263 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280884/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280884; rev:1;) alert tcp $HOME_NET any -> [89.190.159.181] 1192 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280885; rev:1;) alert tcp $HOME_NET any -> [156.96.46.21] 17769 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280882; rev:1;) alert tcp $HOME_NET any -> [45.95.147.28] 1863 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280883; rev:1;) alert tcp $HOME_NET any -> [91.92.252.130] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280880; rev:1;) alert tcp $HOME_NET any -> [167.99.91.177] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280881; rev:1;) alert tcp $HOME_NET any -> [104.248.162.109] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280877; rev:1;) alert tcp $HOME_NET any -> [107.172.196.116] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280878; rev:1;) alert tcp $HOME_NET any -> [80.211.51.24] 60000 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280879; rev:1;) alert tcp $HOME_NET any -> [198.98.49.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280874; rev:1;) alert tcp $HOME_NET any -> [159.65.170.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280875; rev:1;) alert tcp $HOME_NET any -> [94.102.63.74] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280876; rev:1;) alert tcp $HOME_NET any -> 
[85.255.1.93] 252 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280872; rev:1;) alert tcp $HOME_NET any -> [209.141.42.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280873; rev:1;) alert tcp $HOME_NET any -> [23.95.94.228] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280869; rev:1;) alert tcp $HOME_NET any -> [134.209.39.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280870; rev:1;) alert tcp $HOME_NET any -> [45.95.168.227] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280871; rev:1;) alert tcp $HOME_NET any -> [23.95.55.45] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280867/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280867; rev:1;) alert tcp $HOME_NET any -> [185.34.219.113] 620 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280868; rev:1;) alert tcp $HOME_NET any -> [142.93.185.187] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280865; rev:1;) alert tcp $HOME_NET any -> [45.77.97.75] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280866; rev:1;) alert tcp $HOME_NET any -> [51.79.74.171] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280862; rev:1;) alert tcp $HOME_NET any -> [46.101.173.113] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280863; rev:1;) alert tcp $HOME_NET any -> [193.37.212.20] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280864; rev:1;) alert tcp $HOME_NET any -> [104.168.144.8] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280860; rev:1;) alert tcp $HOME_NET any -> [104.168.149.180] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280861; rev:1;) alert tcp $HOME_NET any -> [107.173.42.115] 140 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280858; rev:1;) alert tcp $HOME_NET any -> [142.93.232.131] 52614 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280859; rev:1;) alert tcp $HOME_NET any -> [198.199.88.186] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280856; rev:1;) alert tcp $HOME_NET any -> 
[5.252.192.51] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280857; rev:1;) alert tcp $HOME_NET any -> [103.54.153.94] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280855; rev:1;) alert tcp $HOME_NET any -> [157.230.11.49] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280853; rev:1;) alert tcp $HOME_NET any -> [178.128.225.101] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280854; rev:1;) alert tcp $HOME_NET any -> [185.132.53.161] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280850; rev:1;) alert tcp $HOME_NET any -> [94.103.124.162] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280851/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280851; rev:1;)
#
# Reviewer notes on the Bashlite ip:port rules below (first_seen 2024_06_05 batch),
# restored to one rule per line as Suricata expects:
# - Each rule matches any TCP packet from $HOME_NET to one listed C2 IP:port. There is
#   no flow: keyword, so a single unanswered SYN already alerts -- a blocked or failed
#   connection attempt still counts as contact with the indicator.
# - "threshold: type limit, track by_src, seconds 60, count 1" caps output at one alert
#   per source host per minute, so alert volume does not reflect connection volume.
# - "target:src_ip" marks the source ($HOME_NET) host, not the remote address, as the
#   victim side of the alert.
# - sid is "9" prefixed to the ThreatFox IoC id from reference:url, so an alert can be
#   traced straight back to its IoC page.
# - These are bare IP:port indicators; addresses in shared hosting space get reassigned
#   over time, so confirm the IoC is still listed as active on its reference page before
#   treating a hit as a confirmed infection rather than a candidate for triage.
#
alert tcp $HOME_NET any -> [95.214.52.33] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280852; rev:1;)
alert tcp $HOME_NET any -> [185.62.190.159] 1336 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280848; rev:1;)
alert tcp $HOME_NET any -> [103.163.214.145] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280849; rev:1;)
alert tcp $HOME_NET any -> [167.99.145.134] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280846; rev:1;)
alert tcp $HOME_NET any -> [159.65.170.120] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280847; rev:1;)
alert tcp $HOME_NET any -> [159.203.177.38] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280843; rev:1;)
alert tcp $HOME_NET any -> [206.72.202.212] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280844; rev:1;)
alert tcp $HOME_NET any -> [139.59.139.52] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280845; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.160] 9706 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280841; rev:1;)
alert tcp $HOME_NET any -> [142.93.156.161] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280842; rev:1;)
alert tcp $HOME_NET any -> [192.54.57.69] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280839; rev:1;)
alert tcp $HOME_NET any -> [159.89.154.132] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280840; rev:1;)
alert tcp $HOME_NET any -> [142.93.245.37] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280837; rev:1;)
alert tcp $HOME_NET any -> [194.180.224.118] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280838; rev:1;)
alert tcp $HOME_NET any -> [107.189.10.171] 2219 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280836; rev:1;)
alert tcp $HOME_NET any -> [68.183.104.27] 1749 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280834; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.4] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280835; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.73] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280832; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.206] 9706 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280833; rev:1;)
alert tcp $HOME_NET any -> [167.99.226.22] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280830; rev:1;)
alert tcp $HOME_NET any -> [209.141.37.193] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280831; rev:1;)
alert tcp $HOME_NET any -> [167.71.73.146] 321 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280828; rev:1;)
alert tcp $HOME_NET any -> [128.199.59.41] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280829; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.216] 59314 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280826; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.155] 443 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280827; rev:1;)
alert tcp $HOME_NET any -> [45.85.90.203] 3478 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280824; rev:1;)
alert tcp $HOME_NET any -> [103.153.69.151] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280825; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.112] 925 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280823; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.130] 505 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280821; rev:1;)
alert tcp $HOME_NET any -> [103.214.111.121] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280822; rev:1;)
alert tcp $HOME_NET any -> [45.63.2.149] 13 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280819; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.252] 871 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280820; rev:1;)
alert tcp $HOME_NET any -> [159.89.114.171] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280816; rev:1;)
alert tcp $HOME_NET any -> [142.93.138.130] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280817; rev:1;)
alert tcp $HOME_NET any -> [178.62.109.153] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280818; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.11] 19302 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280814; rev:1;)
alert tcp $HOME_NET any -> [66.172.11.120] 13031 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280815; rev:1;)
alert tcp $HOME_NET any -> [167.172.233.67] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280812; rev:1;)
alert tcp $HOME_NET any -> [159.203.170.126] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280813; rev:1;)
alert tcp $HOME_NET any -> [178.128.63.99] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280810; rev:1;)
alert tcp $HOME_NET any -> [217.61.108.108] 415 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280811; rev:1;)
alert tcp $HOME_NET any -> [51.77.95.121] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280807; rev:1;)
alert tcp $HOME_NET any -> [23.226.231.5] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280808; rev:1;)
alert tcp $HOME_NET any -> [46.29.160.137] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280809; rev:1;)
alert tcp $HOME_NET any -> [80.211.48.128] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280805; rev:1;)
alert tcp $HOME_NET any -> [107.174.14.12] 6464 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280806; rev:1;)
alert tcp $HOME_NET any -> [80.211.37.146] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280803; rev:1;)
alert tcp $HOME_NET any -> [149.28.44.189] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280804; rev:1;)
alert tcp $HOME_NET any -> [192.227.121.140] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280800; rev:1;)
alert tcp $HOME_NET any -> [65.21.58.252] 809 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280801; rev:1;)
alert tcp $HOME_NET any -> [45.84.196.161] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280802; rev:1;)
alert tcp $HOME_NET any -> [142.93.183.131] 28 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280797; rev:1;)
alert tcp $HOME_NET any -> [46.101.11.245] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280798; rev:1;)
alert tcp $HOME_NET any -> [138.68.94.252] 807 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280799; rev:1;)
alert tcp $HOME_NET any -> [107.173.213.43] 2222 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280795; rev:1;)
alert tcp $HOME_NET any -> [142.93.46.170] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280796; rev:1;)
alert tcp $HOME_NET any -> [146.19.213.188] 137 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280793; rev:1;)
alert tcp $HOME_NET any -> [185.22.154.248] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280794; rev:1;)
alert tcp $HOME_NET any -> [209.141.43.226] 600 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280791; rev:1;)
alert tcp $HOME_NET any -> [80.211.5.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280792; rev:1;)
alert tcp $HOME_NET any -> [194.147.34.126] 20178 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280788; rev:1;)
alert tcp $HOME_NET any -> [134.209.4.184] 53821 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280789; rev:1;)
alert tcp $HOME_NET any -> [185.101.105.141] 24358 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280790; rev:1;)
alert tcp $HOME_NET any -> [198.199.74.43] 52468 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280785; rev:1;)
alert tcp $HOME_NET any -> [54.38.220.94] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280786; rev:1;)
alert tcp $HOME_NET any -> [167.86.113.89] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280787; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.145] 902 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280783; rev:1;)
alert tcp $HOME_NET any -> [23.254.230.38] 27 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280784; rev:1;)
alert tcp $HOME_NET any -> [78.142.29.118] 374 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280781; rev:1;)
alert tcp $HOME_NET any -> [170.130.172.42] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280782; rev:1;)
alert tcp $HOME_NET any -> [51.75.77.226] 523 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280778; rev:1;)
alert tcp $HOME_NET any -> [185.158.248.16] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280779; rev:1;)
alert tcp $HOME_NET any -> [68.183.192.227] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280780; rev:1;)
alert tcp $HOME_NET any -> [37.49.230.154] 2985 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280776; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.119] 123 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280777; rev:1;)
alert tcp $HOME_NET any -> [107.174.26.55] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280775; rev:1;)
alert tcp $HOME_NET any -> [185.165.29.127] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280772; rev:1;)
alert tcp $HOME_NET any -> [199.195.253.77] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280773; rev:1;)
alert tcp $HOME_NET any -> [91.211.244.92] 13337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280774; rev:1;)
alert tcp $HOME_NET any -> [192.99.221.230] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280769; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.94] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280770; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.224] 935 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280771; rev:1;)
alert tcp $HOME_NET any -> [23.95.221.197] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280767; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.234] 139 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280768; rev:1;)
alert tcp $HOME_NET any -> [68.183.114.201] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280765; rev:1;)
alert tcp $HOME_NET any -> [185.244.25.73] 25 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280766; rev:1;)
alert tcp $HOME_NET any -> [104.168.149.180] 500 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280763; rev:1;)
alert tcp $HOME_NET any -> [172.245.157.144] 6958 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280764; rev:1;)
alert tcp $HOME_NET any -> [157.230.140.145] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280760; rev:1;)
alert tcp $HOME_NET any -> [45.61.184.168] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280761; rev:1;)
alert tcp $HOME_NET any -> [158.69.103.149] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280762; rev:1;)
alert tcp $HOME_NET any -> [68.183.32.243] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280757; rev:1;)
alert tcp $HOME_NET any -> [178.128.36.178] 876 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280758; rev:1;)
alert tcp $HOME_NET any -> [209.141.43.226] 332 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280759; rev:1;)
alert tcp $HOME_NET any -> [80.82.67.226] 5888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280755; rev:1;)
alert tcp $HOME_NET any -> [185.244.30.141] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280756; rev:1;)
alert tcp $HOME_NET any -> [104.168.151.198] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280752; rev:1;)
alert tcp $HOME_NET any -> [54.37.196.166] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280753; rev:1;)
alert tcp $HOME_NET any -> [31.7.62.49] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280754; rev:1;)
alert tcp $HOME_NET any -> [198.167.140.181] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280750; rev:1;)
alert tcp $HOME_NET any -> [209.141.40.185] 641 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280751; rev:1;)
alert tcp $HOME_NET any -> [203.248.197.10] 22 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280748; rev:1;)
alert tcp $HOME_NET any -> [194.36.173.82] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280749; rev:1;)
alert tcp $HOME_NET any -> [142.11.237.148] 51351 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280747; rev:1;)
alert tcp $HOME_NET any -> [23.95.238.119] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280744; rev:1;)
alert tcp $HOME_NET any -> [167.88.124.204] 132 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280745; rev:1;)
alert tcp $HOME_NET any -> [178.33.83.75] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280746; rev:1;)
alert tcp $HOME_NET any -> [51.38.125.88] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280742; rev:1;)
alert tcp $HOME_NET any -> [198.167.140.31] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280743; rev:1;)
alert tcp $HOME_NET any -> [107.175.184.4] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280739; rev:1;)
alert tcp $HOME_NET any -> [212.147.209.211] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280740; rev:1;)
alert tcp $HOME_NET any -> [165.232.98.36] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280741; rev:1;)
alert tcp $HOME_NET any -> [188.166.168.170] 812 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280737; rev:1;)
alert 
tcp $HOME_NET any -> [51.178.166.165] 3333 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280738; rev:1;) alert tcp $HOME_NET any -> [87.246.6.102] 1028 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280734; rev:1;) alert tcp $HOME_NET any -> [185.244.25.133] 46 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280735; rev:1;) alert tcp $HOME_NET any -> [2.57.122.213] 3074 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280736; rev:1;) alert tcp $HOME_NET any -> [178.33.83.74] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280732; rev:1;) alert tcp $HOME_NET any -> [167.99.87.204] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280733/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280733; rev:1;) alert tcp $HOME_NET any -> [95.217.49.251] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280729; rev:1;) alert tcp $HOME_NET any -> [107.175.197.135] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280730; rev:1;) alert tcp $HOME_NET any -> [46.29.165.135] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280731; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 42516 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280726; rev:1;) alert tcp $HOME_NET any -> [87.120.254.160] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280727; rev:1;) alert tcp $HOME_NET any -> [80.211.223.70] 6666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280728; rev:1;) alert tcp $HOME_NET any -> [165.227.125.239] 282 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280724; rev:1;) alert tcp $HOME_NET any -> [80.211.8.182] 4554 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280725; rev:1;) alert tcp $HOME_NET any -> [64.227.2.138] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280722; rev:1;) alert tcp $HOME_NET any -> [165.227.107.90] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280723; rev:1;) alert tcp $HOME_NET any -> [46.29.165.182] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280720; 
rev:1;) alert tcp $HOME_NET any -> [165.22.70.48] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280721; rev:1;) alert tcp $HOME_NET any -> [159.89.5.152] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280718; rev:1;) alert tcp $HOME_NET any -> [134.209.33.197] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280719; rev:1;) alert tcp $HOME_NET any -> [193.111.248.44] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280715; rev:1;) alert tcp $HOME_NET any -> [23.94.166.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280716; rev:1;) alert tcp $HOME_NET any -> [80.211.6.4] 53884 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280717/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280717; rev:1;) alert tcp $HOME_NET any -> [137.74.148.234] 433 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280713; rev:1;) alert tcp $HOME_NET any -> [185.101.105.185] 4849 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280714; rev:1;) alert tcp $HOME_NET any -> [144.217.131.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280711; rev:1;) alert tcp $HOME_NET any -> [107.175.95.101] 2004 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280712; rev:1;) alert tcp $HOME_NET any -> [178.128.198.202] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280709; rev:1;) alert tcp $HOME_NET any -> [185.58.225.28] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280710; rev:1;) alert tcp $HOME_NET any -> [206.189.114.159] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280707; rev:1;) alert tcp $HOME_NET any -> [209.97.139.160] 987 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280708; rev:1;) alert tcp $HOME_NET any -> [37.49.227.176] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280705; rev:1;) alert tcp $HOME_NET any -> [109.201.143.179] 925 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280706; rev:1;) alert tcp $HOME_NET any -> [198.46.205.89] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280703; 
rev:1;) alert tcp $HOME_NET any -> [23.254.165.208] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280704; rev:1;) alert tcp $HOME_NET any -> [95.216.5.242] 1865 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280701; rev:1;) alert tcp $HOME_NET any -> [134.209.206.162] 760 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280702; rev:1;) alert tcp $HOME_NET any -> [51.79.66.236] 89 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280699; rev:1;) alert tcp $HOME_NET any -> [68.66.233.69] 1847 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280700; rev:1;) alert tcp $HOME_NET any -> [134.209.164.201] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1280698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280698; rev:1;) alert tcp $HOME_NET any -> [209.141.39.50] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280697; rev:1;) alert tcp $HOME_NET any -> [93.104.209.253] 1542 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280695; rev:1;) alert tcp $HOME_NET any -> [68.183.123.80] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280696; rev:1;) alert tcp $HOME_NET any -> [159.65.136.187] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280692; rev:1;) alert tcp $HOME_NET any -> [87.246.6.100] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280693; rev:1;) alert tcp $HOME_NET any -> [168.235.103.245] 1749 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280694; rev:1;) alert tcp $HOME_NET any -> [68.183.208.152] 68 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280690; rev:1;) alert tcp $HOME_NET any -> [165.22.130.136] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280691; rev:1;) alert tcp $HOME_NET any -> [80.211.4.5] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280688; rev:1;) alert tcp $HOME_NET any -> [194.37.80.141] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280689; rev:1;) alert tcp $HOME_NET any -> [46.17.47.30] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280685; rev:1;) alert tcp $HOME_NET any -> [45.14.224.106] 45454 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280686; rev:1;) alert tcp $HOME_NET any -> [84.54.49.50] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280687; rev:1;) alert tcp $HOME_NET any -> [159.203.96.141] 28 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280683; rev:1;) alert tcp $HOME_NET any -> [185.244.25.75] 3185 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280684; rev:1;) alert tcp $HOME_NET any -> [23.94.24.171] 9005 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280680; rev:1;) alert tcp $HOME_NET any -> [185.101.107.127] 69 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1280681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280681; rev:1;) alert tcp $HOME_NET any -> [51.15.225.204] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280682; rev:1;) alert tcp $HOME_NET any -> [80.211.134.83] 605 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280678; rev:1;) alert tcp $HOME_NET any -> [198.144.181.11] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280679; rev:1;) alert tcp $HOME_NET any -> [137.74.55.0] 626 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280676; rev:1;) alert tcp $HOME_NET any -> [192.227.209.32] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280677; rev:1;) alert tcp $HOME_NET any -> [205.185.122.135] 23 (msg:"ThreatFox Bashlite 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280674; rev:1;) alert tcp $HOME_NET any -> [185.244.25.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280675; rev:1;) alert tcp $HOME_NET any -> [149.3.170.197] 548 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280673; rev:1;) alert tcp $HOME_NET any -> [185.42.223.99] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1280672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ballsack.myftp.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"everything1lol.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280669/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayborg007.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdwirus.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crack.servemp3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisisreal.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprendiz30.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280663; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkbou.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfcrewratsetup1337.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alaloum.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratz.myftp.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shamoo.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"new3style.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlx255.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcometadam.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatecze.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lasthack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wickeddick.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masteryodax.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbnc.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meh123rawr.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckmexicans.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paradoxsum.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280653/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abu-hssn.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"config-stats.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrelectrox.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kompis.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metaflz27.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280645; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergay1337.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masonthomascalvin.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ujozlesa.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jodg04.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lololol.dyndns.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"quintonmoney.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alivecard.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt-bit.tk"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daveinihost.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curtis50.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alashe07ksa.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habboflooder.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinkiwinki.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisismyhost.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sh1kari0.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3asel.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invasor.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr-44844.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decrypted.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw7.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pozpoz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hotsa.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhnh21.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tim0.dyndns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowsoriginal.vpndns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acbstyler.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"begazx.no-ip.org"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suna93.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t2011.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrawsec.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3htazz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joyn.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280614/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freakfile.myftp.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m1ster.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lainter.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"odnnrrhrh.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killerblademaster.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280606; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priiohack.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devlin.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auracraft.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"no.no-ip1414.tk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xuladas1.myftp.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"haxing.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsfser1337.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzaib.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arenagods.servegame.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajmosad.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mussolini1995.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slayerhost.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balek93.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m7mad.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invisiblehacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zehdi.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m11m.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trok2008.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facilmen.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackhackv4.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maxilife.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tctwarlock.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mzagy-mncy.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alimohor.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omg0nlyh3ks.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assasintroy.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barbar3131.zapto.org"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pickstyle.serveblog.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tirohacking.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kjrub.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hirochimasdu45.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280573/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassimderbel.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogi.ip-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaunsito.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacking500.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrex0-0hacker.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91280565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kafooooo.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kita2011.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bajbaj02.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zsecsqasd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lindi001.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"skinnytrini.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jinidz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moresat.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makingdents.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refresher.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melody.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1280564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osamax55.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy991.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enculator.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naser1naser1.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allahouakbar.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280556/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dannyredfish.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razoredwrist.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmtr.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t411.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bayci.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet-rat3.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zeke-peke.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notspposetobehur.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackmemate.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monkeyishere.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"polohacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratiava.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myvictims2012.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacback.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swan.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infosfenix.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqwx995.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sparrowmanique.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thementor3.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almsup2.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasaki.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lreznovl.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradwibbs.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratmenow.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"connecting.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dplom2010.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pisliick.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciberhack.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autonomousigwe.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"195.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mihajlovo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crowzz.sytes.net"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zufuric.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manmystery.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luquita.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"someone78s.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havefun123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280515/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priyagoshi.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"op2.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iuy.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"igotbots.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheats-brasil.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280507; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzz.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ignorelist.dhis.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrtrojanm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker13700.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rjpc1.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kabch.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dawizman.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoiswho100.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"norman2011.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pssst.servemp3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zabagate.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notebookmen.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0x16host.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projectapril.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxxx.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helbertvm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingz.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noregret.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybruxinho.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mslulz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imexhack.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thezero.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msninfo.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tieuphu91.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylimy1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3b8-1415.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veremosqueago.sytes.net"; depth:23; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pmupdater.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teriaki.no.ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loginsystem.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logao500.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"machines123.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280474/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolxlolsasasasa.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test123.dontexist.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tutodereaperdark.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meltemyaren.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"urinalmints.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91280479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"itsfifa.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabihxp2.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2b123.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a3tyhom.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jda1992.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"dom.servemp3.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anas12.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"operspicaz.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brujot.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasansratting.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emma2882.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1280463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"datacredito.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"turkojan440.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasdasdas.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovetoto.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"henualdofus.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280455/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freedomtech.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mnnww.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laylaylom.no-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analista2014.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haso.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldofdecay.servegame.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigballinthemix.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifrost.dyndns.tv"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t9m.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell0updat3.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"srspynet.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bidness.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wookys.homeip.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x0xhackx0x.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tommaso.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgsb.no.ip-org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktrom.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pure4pro.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amendobobo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poky.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laforcedz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratisgreat.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"240620111500.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hahababy.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrkira.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kliurkius.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p0rn.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uzmanwbh.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"you4you.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myli.mine.nu"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devilhacker12.no-ip.biz"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsiraqaad.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7mode.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mi3a.hopto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerbypass.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janio.servecounterstrike.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280426/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e.godforums.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yass123.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infosystem.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"143fadwa.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heyklenenheykir.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280418; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"james77.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bithacker.dyndns.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rsnrhys.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hurricane.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashraf1975.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kernel32.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spikeee32.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pumpkinz.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fallenpeace.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tugceee.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amadey88.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfvfmava.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lepirateur.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alinh0.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pandorum.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adixx.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rattest25.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adnanpk.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gilegileremaja.hopto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4tnt.myftp.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noreply2014.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipnoip.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxdnsxx.serveftp.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fml.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hashemrnen.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dz-crypter.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tom69.no-ip.biz"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaareez.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livemesenger.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buscape.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyonepepsico.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rshc.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280387/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kongrem.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexionzone.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magicpro.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shs2011.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aidsvlek.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280383; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"takymusic.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joj.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eminvergil.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolundu2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bboycent.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"ieatpussy.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unflamedlogz3.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patriphone.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmad94.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antonio130.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lion007.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilovehacking.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"selec-only.hopto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peneloppe.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jesuelchupachules.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darknessinthelight.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280360/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ver.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gozgoz.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loucoservegame.no-ip.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fabinhohk.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facebookappli.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280365; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axiaxi.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delinquente.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smokn.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decohex2010.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdarkcoder.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"voltatronics.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpinfo.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ranoosh.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyk90.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"isra-scape.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepo201000.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fenerli1907.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undernet-hacker.no-ip.info"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanderb12.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyzzz.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raymond1992.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280342/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mayihacker.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxx.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w122.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meziane10.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6networm.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soos.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pinoyhax.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"landdjoskull.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbp.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lionelle.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aph.no-ip.biz"; depth:13; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thorrat.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superxtremehacker.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzm.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hockid.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wakawaka.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280331/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udic.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ledodu.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hosting123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-netester.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"camaleao-h.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280322; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securytbr4455.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s8c.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moti.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wheredidyougo.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soo1oos.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"koenig.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevobifrost.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gntdaniel.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badrnr1428.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackersgratis.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bno0.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habibaa.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prozess2.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hothifah.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypto234.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"system32.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280312/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kod098.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sentidos.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzys-server.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metus.redirectme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"steaven.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"killy1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunisia4ever.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-ht.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackshades.dyndns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rosenbaum.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"julianveloso.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freestuffz.dyndns-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassank.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilyessdu69.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rotca.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackandbots.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdu.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vinkyman.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wdf.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zippo.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrcraft.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"starman.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"truehack.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whois-server.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axf.no-ip.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quickupload1.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"csshost.servecounterstrike.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssigs.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyberexample.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"johntravolta.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekenooblol.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vittimareturn11.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"novrat2.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apaixonado.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdarkcoder.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qa06.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pcfaker-g.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayanora6.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google-analytics.3utilities.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mensajes-facebook.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trollfacelol.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testet123.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280261/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"casus.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soufou1982.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codecub.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weedman.servegame.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smaz145.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thepanserver.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geheim.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazika.servemp3.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dodol.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate35700.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"theboyz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yournameonyourhost.myftp.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"basss.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sellitbuy.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kurubaglama.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"looloo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wellerson1.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microf.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4.no-ip.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hot-theme.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"creditoshabbo.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jodg.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ladyzman.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abcqwerty.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fatah.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freeforfree.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lun420.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfh54gdhfj5j122.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akuhostsdn.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"watchyou.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok-ok.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrixxx35.no-ip.biz"; depth:20; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44uu.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sysdll.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mexico-city.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"princejide.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergatecoldfire.zapto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280221/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9999996.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neorix.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wherethehoodat.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capracammello.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wawouchette.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91280226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"videoaula.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wailfaraj.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hftw-crew.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"niushiwen88.3322.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunon.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"bruxinhospy.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sss2.podzone.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brotm.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kavalye2.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exploere24.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ganas.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1280210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aqw123.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackeradminsoftwar.no-ip.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samer77.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns2.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servidor.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280202/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91280202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimkhan1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bmw320ci.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midomido.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l00pb4ck.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guinaa.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franders37.dyndns.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discoeder.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"singed.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epicloot.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test22.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"xsstrema.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testhostir.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolazoz.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoel123456.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"558.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m0ftares1.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theshit.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ooo.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigpimpinsjm09.hopto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acehax.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostname33.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyzer4.dyndns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamza22.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxdnsxx.serveirc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bifrost-2011.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pablohacker.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratts123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdjf.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evaltiere.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sarahblogdns.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexpepito13.no-ip.info"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers3.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"summontank.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toritoguay.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interrupt.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conectorzero.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280172/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thiosulfate.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackcomethost.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rampy.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyt.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inor.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280164; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aline.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asylulz.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"filopeti.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4dc.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okulto.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ghaith.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheaterboy519.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenita.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghraba.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bangalows.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacker.gearup.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1280150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doubbleassxasx.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wownp.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3bood.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft11a.serveftp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jajejijoju.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280142/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guillemix.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esneyder21.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"by77.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malabata.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nohya6.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hamodeh1993.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxl.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"longinos007.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absolut-spynet.zapto.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xneonkingx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"blackstar001.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feardox.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foryou1.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2179.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trok2008.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"first1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotoel.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack-impact.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victimas2012.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cxpride.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaugereborn.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"199.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p41n1337.dyndns-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torfc.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skateeah.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moon2009us.linkpc.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mecamaniaco.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moenmek.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foward.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iboothostz.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spyrat.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"terer.servebeer.com"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mahsencoder.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jomeka.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbam.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torsm.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhoo111.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280115/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybercrimearea51.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h4rrypott3r.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miyachung.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test17903.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spybruxinho.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280107; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alideretour.redirectme.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goal88.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcmisto.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagemfat.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getstonedat420.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"battlebudy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"megadaddy.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"projectredemption.servegame.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"780.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jomeka.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tej-hamdi.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1280093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abodeeg.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miste.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktifdns.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"56292.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"synaptics.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280085/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91280085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intra.hopto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biztr1.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyrajack.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninhgiangbs.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"besnik.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"luchito00.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premiumtesting.redirectme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parlakilic.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"floconvar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"underdos.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sajbergejt.myftp.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curtis123.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samt.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wsb52000.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nzz.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blast3r.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hishamreda.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msharinono.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imthegod.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet2000.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eragondaboss.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alsa7er123.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipwnedx81.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p0w3rzz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hack3751.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gueto.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abdodo.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azooz-hacker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlbhouse.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mathewrat.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soulkiller21.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feiz.no-ip.org"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slashxxxxx.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rached171.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"exex.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xrjr.vicp.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spider32.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280048/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g61.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eewr.dyndns-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegxus.myftp.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"echelon.myftp.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"promagic.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280053; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harly.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test312.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spynet23.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackingrs.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.statscounter.com.ua"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"trojanshacker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xdsxx.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ironsoilder.hopto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i8y.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msprotocolstsv.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"norky1337.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sanalpusu.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binladen1337.dyndns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stinkbal.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dddddd.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"perfect-hacker.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mofkneaglez.sytes.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fimdomundo.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fairs.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serialmenace.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahmetkara.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piratikvh.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mouadvilla.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackanerd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kyriospro.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"diecob.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erooio.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lol77.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arnold0515.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fox3li.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"insidetm.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1280011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxcarpion.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"provement.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amoli.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"null.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o5q.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91280016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toxicisleet.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theslam.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"forum159.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m3toh.dyndns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manstar111.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"razor1991.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"benzwitich.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roxfox2.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hexrut.dlinkddns.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y32.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280000; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adamsnipple.no-ip.biz"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aboodybgd.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yotshi.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1280003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91280003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"toxigon.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackedasm.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smellycatfish.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279996/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matz.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"captainherp.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikrox.servegame.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mand0.sytes.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"only-security.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279991; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j49.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d34d60x.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279993; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovewest.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftdnsserver.no-ip.biz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buseyorulmaz2.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"gotyoucunty.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bt12345.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angkung.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonevansphotography.co.uk"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teks.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynx.ath.cx"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1279977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mohmd444.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primaq.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zry0pwn.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hh3.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyblog.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dangerlevel.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srsoor.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woaxpgm.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oommrr.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy-net-update.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0o0o.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mxintra.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakersbg.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazyspies.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyenz.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cr3dotw.no-ip.biz"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noteasy.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrbassm.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jonahjameson.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abovegodz.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moustapha123.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279959/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smr2.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trae.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesilentassassin.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ax0.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddosingz.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279951; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b3nd.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyber1495.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mastertester.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r3x3rbot.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciz8jx.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"crackers.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"versalife.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badmash.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamhacker.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silenthkold1.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asd22.no-ip.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmc-jny.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"050420122037.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illmatic.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"desthorr123gate.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadw12345.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secretos505.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"al7rby.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xrsantoronlyforxr.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agoraestouaqui2.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate.dyndns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"originaldotroll.dnns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faisl05531.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ineedwin.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svchost-net.serveblog.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zoomnationserver.no-ip.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"kamikazgang.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dannygm11.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abode80.linkpc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobidik80.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdd.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"altagoor.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocox.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zipred.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverturko.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tinycam.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"key1925hacks.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelnet2.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obaaa65.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agraw.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kc5.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menorhak.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"hackwahid.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six17.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkddoser.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marques444.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ali15.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sybreed.no-ip.biz"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"houssamreckless.zapto.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hakimpower.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guinaa13.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otommyv.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"happysoap.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279898/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axo.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seesaw.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samuraix.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"areindigo.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christian1995.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279889; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"breeman1.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freewaybong.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endlessilusions.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spy2281.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrace.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"fatomnan.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mikele.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vardeath.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giftigeschlange.sytes.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"splash2010.bounceme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7ammo1.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"barulay1.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmere.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weww.sytes.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hellothere123234.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystersatan.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tijiuo.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhbros.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walid562.servebeer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdd.zapto.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b3480748.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obsec.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telsec.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tj888.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wrocha000.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eltahan.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liquidised.no-ip.org"; depth:20; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mierda.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikkel.changeip.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hacktrust.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lol12345678.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"homexbox.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279860/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spawn007.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noobs123.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matrix-hacker.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gareeh.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wkdw1ll1ams.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279853; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spike16.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"systematiq313131.dyndns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smnn.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabala-532.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kanuks.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"xdarkcoder.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anonymousx.no-ip.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h2ss.dyndns.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downloadsite.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ksamapepito.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winsmith.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1279852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zipper.sytes.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myhost.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fish24.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobparkinson.myftp.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"keygoal.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279844/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mysticdream.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akon934.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3r9-hak.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"curisco04.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihaxyocomputernga.no-ip.biz"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rustyshackleford.no-ip.biz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"albertiq4.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estoesunaputanoip.no-ip.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghostman1.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xxphantomxx.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"corehacker.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wintwint.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xddoser.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kooparat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hasn.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lordnikon2012.zapto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoman22.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"limtred1.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wtfemail.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christinaginns.servepics.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bruxinhospy.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279827/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamxrat.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"penisgrandegrosso.no-ip.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"majskolv.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abokkhaled.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teddypause.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279818; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volkancan.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modam3r.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkcomet33.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearrusty.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asil.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ghostsquads.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ykjfh.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"balonmd.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divineflame.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hhy554.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewqeeqw.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelstil.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackforumsjake.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karimsol.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestdesigns.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mursutaistelija.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279795/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yougotowned2333.no-ip.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antivir.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nicolas69.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baloch123.no-ip.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deubomberalbania.zapto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279800; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimissard.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b4p.dyndns.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"op9.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talalm.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juliobian.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sayfforza.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"noun1.wowip.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spoolsv.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topcompte.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stockholm.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"silentdownloads.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paebac.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gunitx55.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realrat517012.no-ip.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omarkam24.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuckedupdns.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shouky.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eren.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ossseeant-16.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rice-owl.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x1222.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yop111.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magicfuny12.publicvm.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testneptune.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybertest.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thephantom.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kettaval.zapto.org"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deneme05.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iveshack.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conhecimento2.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vamdos1.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fluttershy.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279767/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zerut.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonnes.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"algeny0.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snofex.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testseyho.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279758; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beykozbelam.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rustyslaves.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolol.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingzaib.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipconfig3.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"grilo123123.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worldhacker20.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"habbofanz.sytes.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandboxing.no-ip.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server-1.servebeer.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7r0.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1279745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wouterafca.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"terimt.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getrolled.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chacha.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergateepic.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279737/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunisie.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meri.no-ip.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cheesepuffmguff.no-ip.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sadece.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aw.no-ip.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crsi88.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bilelweb.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seondesk.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjadmin.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rappakhan.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"anonymous101.serveblog.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bott.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xcxz.no-ip.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naturis1979.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftusers.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sambax.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.ematome.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ouedzami2011.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azoz-arar.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfrat.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otech.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quantumcyber.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"country.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skyline1.serveftp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jrshacker.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solitario1.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rizkrisk.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moof1.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wxw-wxw.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"team-mediabox.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charfy.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ragebo.no-ip.biz"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerquito.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damsjeli.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowslauncher.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testbomb.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bornwild321.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maom1.no-ip.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bradleyftwlol.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abajoy.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackdarkcomet.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft11a.dyndns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sameerhacker.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quexlo.servehttp.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pkurls.myftp.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"me2.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sky92130.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modikana.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kabuntuhacker.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"svchostt.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hookserver.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofiamurcia1.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subertje.no-ip.biz"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoppal.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maom.dyndns.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackers2.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"debacle.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sataredsliid.bounceme.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279690/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taayyaabb.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sickman.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hgyvdf.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enterkinq2.dyndns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279681; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cgseb.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279682; rev:1;)
# ---- ThreatFox "domain" IOCs (dns_query rules) ----
# Each rule in this group (including the one above) matches the DNS question
# name in a request leaving $HOME_NET against exactly one C2 hostname.
# `depth:<len>` anchors the content at offset 0 of the dns_query buffer and
# `isdataat:!1,relative` requires that nothing follows it, so only the exact
# QNAME fires; `nocase` makes the comparison case-insensitive. A sub-label
# ("x.<host>") or a longer name that merely shares the prefix does not match.
# The rule inspects the request only, so it fires whether or not the name
# still resolves. `target:src_ip` marks the querying host as the victim.
# NOTE(review): if the sensor sits upstream of an internal recursive resolver,
# src_ip will be the resolver rather than the infected client -- confirm the
# sensor sees client-side DNS before using src_ip for triage.
# NOTE(review): most of these names live on shared dynamic-DNS services
# (no-ip, zapto, ddns, sytes, dyndns, 3322, kicks-ass), where a hostname can
# change hands; check the referenced ThreatFox entry before escalating a hit.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martimtoni.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stx-team.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1234host.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkingx.no-ip.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"faridbang.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freemembership.no-ip.biz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pi-on.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boubou39.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.statscounter.com.ua"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rastafare9090.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morenita.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darbexteam.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tyfnanl.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erhabix.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"computertech.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foolhardy.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rk-jose17-x4.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rattest.no-ip.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1000keder.no-ip.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chemdog.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mixlolz.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drhzn.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"az3ar-sweet.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mitarbeiter.zapto.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abbreviate.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manga123.no-ip.org"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magic09.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"algamde.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lawliet.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxpn12345.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iwillkillyou.no-ip.biz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279647/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat321.dyndns.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pepebotella.no-ip.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zazohoster.no-ip.biz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sp6.no-ip.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cybergate333.no-ip.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279638; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d4ffs.no-ip.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsi.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zxf6x6qx.no-ip.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bjzacjb123.3322.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrtrojann.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"mhacks.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p2p4me.no-ip.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r70.no-ip.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"byatmaca.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devious.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abbc.no-ip.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"030420112218.no-ip.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msconfig.sytes.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fahad-vip.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servercheck.no-ip.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shadowsun.no-ip.biz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trollton.no-ip.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spuelmittel.kicks-ass.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irune.zapto.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bikini.no-ip.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsv.sytes.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnwz.zapto.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woodstock1969.no-ip.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratsystem32.no-ip.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pendexxx.no-ip.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dizniggahavok.no-ip.biz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muffin.no-ip.biz"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sexyina.no-ip.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279617; rev:1;)
# ---- ThreatFox "ip:port" IOCs (CyberGate C2) ----
# The tcp rules below carry no `flow`, `content` or protocol-layer check: any
# TCP segment from $HOME_NET to the listed destination address and port fires
# them, including a lone SYN towards a C2 that is no longer listening. A hit
# therefore proves only that an internal host tried to reach that ip:port,
# not that a C2 session was established or that CyberGate traffic was seen.
# `threshold: type limit, track by_src, seconds 60, count 1` caps alerting at
# one event per source IP per 60 s, so a beacon burst yields a single alert.
# `target:src_ip` marks the internal host as the victim.
# NOTE(review): several entries use common service ports (80, 81, 587, 3128)
# and the addresses may have been reassigned since the IOC was filed; validate
# against the reference URL and current ownership/passive-DNS data before
# acting on a hit.
alert tcp $HOME_NET any -> [99.172.6.198] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279606; rev:1;) alert tcp $HOME_NET any -> [109.95.210.166] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279607; rev:1;) alert tcp $HOME_NET any -> [92.241.164.86] 1732 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279608; rev:1;) alert tcp $HOME_NET any -> [5.112.170.98] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279609; rev:1;) 
alert tcp $HOME_NET any -> [109.110.98.3] 1704 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279610; rev:1;) alert tcp $HOME_NET any -> [5.187.78.241] 1600 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279611; rev:1;) alert tcp $HOME_NET any -> [173.0.0.107] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279612; rev:1;) alert tcp $HOME_NET any -> [173.254.223.102] 1000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279613; rev:1;) alert tcp $HOME_NET any -> [189.81.208.153] 2000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279593; rev:1;) alert tcp $HOME_NET any -> [109.236.61.60] 120 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1279594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279594; rev:1;) alert tcp $HOME_NET any -> [173.0.5.104] 998 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279595; rev:1;) alert tcp $HOME_NET any -> [83.202.245.223] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279596; rev:1;) alert tcp $HOME_NET any -> [178.162.47.28] 59065 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279597; rev:1;) alert tcp $HOME_NET any -> [82.242.250.193] 83 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279598; rev:1;) alert tcp $HOME_NET any -> [82.242.250.193] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279599; rev:1;) alert tcp $HOME_NET any -> [92.54.209.12] 3085 (msg:"ThreatFox CyberGate botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279600; rev:1;) alert tcp $HOME_NET any -> [109.236.61.60] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279601; rev:1;) alert tcp $HOME_NET any -> [109.169.17.194] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279602; rev:1;) alert tcp $HOME_NET any -> [5.2.166.137] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279603; rev:1;) alert tcp $HOME_NET any -> [77.64.84.132] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279604; rev:1;) alert tcp $HOME_NET any -> [91.200.201.108] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279605; rev:1;) alert tcp $HOME_NET any -> [5.245.29.177] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279577; rev:1;) alert tcp $HOME_NET any -> [122.3.6.9] 9667 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279578; rev:1;) alert tcp $HOME_NET any -> [109.95.210.166] 5253 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279579; rev:1;) alert tcp $HOME_NET any -> [192.162.100.209] 3128 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279580; rev:1;) alert tcp $HOME_NET any -> [64.27.3.109] 6666 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279581; rev:1;) alert tcp $HOME_NET any -> [189.5.87.27] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1279582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279582; rev:1;) alert tcp $HOME_NET any -> [85.104.6.37] 587 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279583; rev:1;) alert tcp $HOME_NET any -> [79.132.181.169] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279584; rev:1;) alert tcp $HOME_NET any -> [88.181.34.80] 1776 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279585; rev:1;) alert tcp $HOME_NET any -> [5.98.48.197] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279586; rev:1;) alert tcp $HOME_NET any -> [88.191.93.39] 16590 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279587; rev:1;) alert tcp $HOME_NET any -> [109.236.61.60] 800 (msg:"ThreatFox 
CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279588; rev:1;) alert tcp $HOME_NET any -> [50.41.149.212] 75 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279589; rev:1;) alert tcp $HOME_NET any -> [188.86.123.141] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279590; rev:1;) alert tcp $HOME_NET any -> [46.118.186.231] 1600 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279591; rev:1;) alert tcp $HOME_NET any -> [98.242.110.116] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279592; rev:1;) alert tcp $HOME_NET any -> [94.43.161.71] 900 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279560/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279560; rev:1;) alert tcp $HOME_NET any -> [79.87.14.23] 999 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279561; rev:1;) alert tcp $HOME_NET any -> [62.176.21.49] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279562; rev:1;) alert tcp $HOME_NET any -> [71.128.69.86] 1337 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279563; rev:1;) alert tcp $HOME_NET any -> [94.170.208.173] 5151 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279564; rev:1;) alert tcp $HOME_NET any -> [69.143.17.87] 5050 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279565; rev:1;) alert tcp $HOME_NET any -> [5.9.255.80] 1604 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1279566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279566; rev:1;) alert tcp $HOME_NET any -> [5.2.151.76] 288 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279567; rev:1;) alert tcp $HOME_NET any -> [187.67.209.111] 2000 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279568; rev:1;) alert tcp $HOME_NET any -> [81.221.161.147] 83 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279569; rev:1;) alert tcp $HOME_NET any -> [196.202.69.234] 11772 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279570; rev:1;) alert tcp $HOME_NET any -> [5.135.69.89] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279571; rev:1;) alert tcp $HOME_NET any -> [5.2.164.19] 80 (msg:"ThreatFox 
CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279572; rev:1;) alert tcp $HOME_NET any -> [186.107.8.198] 80 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279573; rev:1;) alert tcp $HOME_NET any -> [200.77.77.235] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279574; rev:1;) alert tcp $HOME_NET any -> [122.6.3.5] 9800 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279575; rev:1;) alert tcp $HOME_NET any -> [94.25.205.106] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279576; rev:1;) alert tcp $HOME_NET any -> [74.141.121.202] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279547/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279547; rev:1;) alert tcp $HOME_NET any -> [198.168.1.25] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279548; rev:1;) alert tcp $HOME_NET any -> [109.95.210.166] 8188 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279549; rev:1;) alert tcp $HOME_NET any -> [78.90.25.193] 100 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279550; rev:1;) alert tcp $HOME_NET any -> [188.162.83.119] 82 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279551; rev:1;) alert tcp $HOME_NET any -> [184.91.113.121] 187 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279552; rev:1;) alert tcp $HOME_NET any -> [5.135.69.89] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1279553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279553; rev:1;) alert tcp $HOME_NET any -> [217.23.3.45] 741 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279554; rev:1;) alert tcp $HOME_NET any -> [50.41.149.212] 85 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279555; rev:1;) alert tcp $HOME_NET any -> [82.242.250.193] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279556; rev:1;) alert tcp $HOME_NET any -> [25.81.16.132] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279557; rev:1;) alert tcp $HOME_NET any -> [81.56.84.181] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279558; rev:1;) alert tcp $HOME_NET any -> [188.162.83.119] 8080 (msg:"ThreatFox 
CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279559; rev:1;) alert tcp $HOME_NET any -> [83.254.238.175] 81 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279542; rev:1;) alert tcp $HOME_NET any -> [109.95.210.166] 3128 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279543; rev:1;) alert tcp $HOME_NET any -> [77.78.83.203] 206 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279544; rev:1;) alert tcp $HOME_NET any -> [74.55.40.227] 433 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279545; rev:1;) alert tcp $HOME_NET any -> [46.37.180.197] 2300 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279546/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279546; rev:1;) alert tcp $HOME_NET any -> [165.154.220.237] 8808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offices365.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"offices365.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"45.144.30.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279537; rev:1;) alert tcp $HOME_NET any -> [45.144.30.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279538/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91279538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madehamozza.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mybtrpub.dynuddns.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uccqm6p3b2uqka6elyimvq7hiancgmhymprzgrxd6i6u3ovwentsolqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blackid-51579.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279535/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal-23.ioomoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279536; rev:1;) alert tcp $HOME_NET any -> [194.5.98.113] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279527; rev:1;) alert tcp $HOME_NET any -> [158.58.168.61] 1337 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279528; rev:1;) alert tcp $HOME_NET any -> [93.115.35.146] 9887 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279529; rev:1;) alert tcp $HOME_NET any -> [23.105.131.193] 100 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279530; rev:1;) alert tcp $HOME_NET any -> [136.144.41.26] 4444 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279524; rev:1;) alert tcp $HOME_NET any -> [106.69.2.59] 6637 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279525; rev:1;) alert tcp $HOME_NET any -> [193.233.132.136] 4404 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279526; rev:1;) alert tcp $HOME_NET any -> [185.250.148.54] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279522; rev:1;) alert tcp $HOME_NET any -> [23.105.131.220] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279521/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279521; rev:1;)
# NOTE(review): the two http rules below for hosts 88.99.127.107 and 95.217.28.33 carry http.uri; content:"/"; depth:1 — a
# one-byte prefix satisfied by any origin-form request URI — so they reduce to a host-only match and will fire on every GET
# to that host. The same "/" pattern recurs elsewhere in this feed; treat such hits as host hits, not a specific URL sighting.
# The tcp ip:port rules have no flow:established, so a single outbound SYN (scanner, sandbox replay) is enough to trigger them.
alert tcp $HOME_NET any -> [3.133.149.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279520; rev:1;) alert tcp $HOME_NET any -> [52.70.77.94] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.bimnall.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.127.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279515; rev:1;) alert tcp $HOME_NET any -> [95.217.28.33] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279513; rev:1;) alert tcp $HOME_NET any -> [88.99.127.107] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279514; rev:1;) alert tcp $HOME_NET any -> [116.202.190.18] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279512; rev:1;) alert tcp $HOME_NET any -> [95.216.24.238] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279511; rev:1;) alert tcp $HOME_NET any -> [147.45.47.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279510; rev:1;) alert tcp $HOME_NET any -> [147.78.103.233] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279509; rev:1;) alert tcp $HOME_NET any -> [47.120.19.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279508; rev:1;) alert tcp $HOME_NET any -> [101.42.4.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279507; rev:1;) alert tcp $HOME_NET any -> [46.17.44.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279506; rev:1;) alert tcp $HOME_NET any -> [81.70.93.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279505; rev:1;) alert tcp $HOME_NET any -> [129.211.221.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279504; rev:1;) alert tcp $HOME_NET any -> [38.147.171.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279503; rev:1;) alert tcp $HOME_NET any -> [23.224.89.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279502; rev:1;) alert tcp $HOME_NET any -> [67.71.30.199] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279501; rev:1;) alert tcp $HOME_NET any -> [85.99.31.113] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279500; rev:1;) alert tcp $HOME_NET any -> [71.79.177.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1279499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279499; rev:1;) alert tcp $HOME_NET any -> [92.99.50.242] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279498; rev:1;) alert tcp $HOME_NET any -> [172.206.49.104] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279497; rev:1;) alert tcp $HOME_NET any -> [74.235.204.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279496; rev:1;) alert tcp $HOME_NET any -> [63.250.56.156] 8088 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279495; rev:1;) alert tcp $HOME_NET any -> [91.245.255.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279494; rev:1;) alert tcp $HOME_NET any -> [86.104.72.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279493; rev:1;) alert tcp $HOME_NET any -> [43.134.38.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279492; rev:1;) alert tcp $HOME_NET any -> [172.104.157.108] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279491; rev:1;) alert tcp $HOME_NET any -> [94.198.216.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279490; rev:1;) alert tcp $HOME_NET any -> [31.27.187.236] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279489; rev:1;) alert tcp $HOME_NET any -> [136.144.162.237] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279488; rev:1;) alert tcp $HOME_NET any -> [136.144.162.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279487; rev:1;) alert tcp $HOME_NET any -> [192.121.87.111] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrpolka.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrstar.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sipmptomsledy.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrspace.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrphound.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrpeso.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"ldrshekel.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allpikoloserdzwe.cyou"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"americansoldat.link"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ldrruble.casa"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadwe4.casa"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiac.f3322.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1279461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnmz.e3.luyouxia.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhangkedong.u1.luyouxia.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newyk5.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"post.f2pool.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinh.xmcxmr.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279466/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_05; classtype:trojan-activity; sid:91279466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12123das.f3322.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjjj7371.e1.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"honchengkeji.f3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerinvasion.f3322.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q596110.3322.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279452; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fwq.kuai-go.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"12512.e3.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xisafjasfjip.u1.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf1549064127.f3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24365426.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"zxww.e3.luyouxia.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.twrata.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgz.se1f.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"u22.zgwl.eu.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bj.caobibibi.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sy12311.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279449; rev:1;) alert tcp $HOME_NET any -> [123.57.51.44] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279445; rev:1;) alert tcp $HOME_NET any -> [8.147.114.220] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279442; rev:1;) alert tcp $HOME_NET any -> [124.71.8.94] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279443; rev:1;) alert tcp $HOME_NET any -> [101.200.228.27] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279444; rev:1;) alert tcp $HOME_NET any -> [123.57.184.42] 443 
(msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279439; rev:1;) alert tcp $HOME_NET any -> [39.106.155.56] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279440; rev:1;) alert tcp $HOME_NET any -> [182.92.123.99] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279441; rev:1;) alert tcp $HOME_NET any -> [47.108.142.100] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279436; rev:1;) alert tcp $HOME_NET any -> [139.196.200.80] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279437; rev:1;) alert tcp $HOME_NET any -> [47.106.165.142] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279438/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279438; rev:1;) alert tcp $HOME_NET any -> [8.147.107.117] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279433; rev:1;) alert tcp $HOME_NET any -> [123.57.154.171] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279434; rev:1;) alert tcp $HOME_NET any -> [39.106.47.128] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279435; rev:1;) alert tcp $HOME_NET any -> [121.40.79.201] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279430; rev:1;) alert tcp $HOME_NET any -> [39.96.177.84] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279431; rev:1;) alert tcp $HOME_NET any -> [8.138.149.110] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279432; rev:1;) alert tcp $HOME_NET any -> [39.106.50.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279427; rev:1;) alert tcp $HOME_NET any -> [8.141.9.64] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279428; rev:1;) alert tcp $HOME_NET any -> [60.205.176.230] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279429; rev:1;) alert tcp $HOME_NET any -> [8.138.111.32] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279423; rev:1;) alert tcp $HOME_NET any -> [39.104.60.160] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279424; rev:1;) alert 
tcp $HOME_NET any -> [60.205.124.33] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279425; rev:1;) alert tcp $HOME_NET any -> [39.105.204.46] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279426; rev:1;) alert tcp $HOME_NET any -> [107.173.248.41] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279420; rev:1;) alert tcp $HOME_NET any -> [182.92.21.95] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279421; rev:1;) alert tcp $HOME_NET any -> [8.138.0.214] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279422; rev:1;) alert tcp $HOME_NET any -> [123.56.110.20] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279417/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279417; rev:1;) alert tcp $HOME_NET any -> [123.57.90.198] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279418; rev:1;) alert tcp $HOME_NET any -> [101.200.78.167] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279419; rev:1;) alert tcp $HOME_NET any -> [8.147.108.206] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279413; rev:1;) alert tcp $HOME_NET any -> [139.9.48.177] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279414; rev:1;) alert tcp $HOME_NET any -> [101.201.72.126] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279415; rev:1;) alert tcp $HOME_NET any -> [82.156.184.108] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279416; rev:1;) alert tcp $HOME_NET any -> [123.56.226.32] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279410; rev:1;) alert tcp $HOME_NET any -> [8.147.119.99] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279411; rev:1;) alert tcp $HOME_NET any -> [182.92.189.66] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279412; rev:1;) alert tcp $HOME_NET any -> [47.94.234.19] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279407; rev:1;) alert tcp $HOME_NET any -> [8.147.113.111] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91279408; rev:1;) alert tcp $HOME_NET any -> [112.126.85.225] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279409; rev:1;) alert tcp $HOME_NET any -> [47.94.104.161] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279405; rev:1;) alert tcp $HOME_NET any -> [47.94.227.173] 443 (msg:"ThreatFox DoomedLoader botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cede04.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vvz01.pro"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biss01.info"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veotyc21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiusm13.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veorfg11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct5m.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bube01.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verf02.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cemnek45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rifat05.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cemujq44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nife04.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ewaqly46.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacdpo22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haijys18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oct5e.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"verf01.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyspoh51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1279398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cede01.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moreil02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hbv01.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masterokrwh.duckdns.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1279382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"46.183.223.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279381/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_06_05; classtype:trojan-activity; sid:91279381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"wwsh427.duckdns.org"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1279380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"paulrdp02.duckdns.org"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1279379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.62"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.150"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; 
classtype:trojan-activity; sid:91279200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.23.103.159"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.170"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.161.191.146"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.88.79.153"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.76"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279194; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.59"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.161.203.102"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.32"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.150"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.212.166.50"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279188; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.253"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.23"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.111"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.79.164"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.11.92.124"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.39"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.88"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"80.66.84.6"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1279182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.121.87.173"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.198.116"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"okkolus.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1279177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.88.106.134"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.151"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"haveastory.info"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1279176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"49.13.229.86"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"89.105.198.134"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.82"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1279173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.133.60.205"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"top-adobe.site"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1279169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.23.103.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1279170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"95.164.2.59"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1279168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/"; depth:11; nocase; http.host; content:"www.saveinfoval.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lab.damianobeducci.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lab.damianobeducci.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modernwebframework.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279160; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"webapidevelopment.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279163; rev:1;) alert tcp $HOME_NET any -> [176.56.237.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"176.56.237.211"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279157; rev:1;) alert tcp $HOME_NET any -> [185.52.1.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; 
sid:91279156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.52.1.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279155; rev:1;) alert tcp $HOME_NET any -> [84.46.22.158] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279150/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279150; rev:1;) alert tcp $HOME_NET any -> [46.59.214.14] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279151/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279151; rev:1;) alert tcp $HOME_NET any -> [46.59.210.69] 7000 (msg:"ThreatFox Monero Miner botnet C2 traffic (ip:port - confidence level: 49%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279152/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_05; classtype:trojan-activity; sid:91279152; rev:1;) alert tcp $HOME_NET any -> [94.156.67.67] 46629 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279154; rev:1;) alert tcp $HOME_NET any -> [45.138.16.219] 61995 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read-agreement-of-being-gay-for-30-days/"; depth:41; nocase; http.host; content:"exotours.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kfzsoeder.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-hcwhjzdb-1316933071.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279146/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.48.124.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"23.94.202.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279143; rev:1;) alert tcp $HOME_NET any -> [23.94.202.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279142; rev:1;) alert tcp $HOME_NET any -> [118.195.216.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1279141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.195.216.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279140; rev:1;) alert tcp $HOME_NET any -> [106.54.42.56] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"damousese.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"damousese.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279138; rev:1;) alert tcp $HOME_NET any -> [43.155.31.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1279136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.155.31.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"18.219.156.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.94.202.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279131; 
rev:1;)
# NOTE(review): ThreatFox batch, first_seen 2024_06_04 / 2024_06_05. Three rule shapes are used below:
#   ip:port - "alert tcp" to one destination IP:port with no content or flow keyword, so any TCP packet
#             in that direction (a bare SYN included) alerts; "threshold: type limit ... count 1" caps it
#             at one alert per source per 60 s.
#   url     - "alert http": GET + URI prefix (depth equals the literal length, no isdataat on http.uri,
#             so a longer URI sharing the prefix also matches) + exact Host (depth + isdataat:!1,relative).
#             Only cleartext HTTP is visible to these; TLS to the same hosts is not.
#   domain  - "alert dns": exact query name via depth + isdataat:!1,relative; sub- and parent domains of
#             the listed name do NOT match.
# All rules are alert-only (classtype:trojan-activity, target:src_ip); confidence_level in metadata is
# ThreatFox's own rating, not a local tuning decision.
# Cobalt Strike ip:port IOCs (confidence 100). The url rules for 106.54.42.56 (/api/v1/getdata) and
# 182.92.154.226 (/pixel.gif) pair with the ip:port rules for the same addresses, so one beacon can raise
# both a tcp and an http alert - correlate on src_ip.
alert tcp $HOME_NET any -> [23.94.202.223] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279132; rev:1;)
alert tcp $HOME_NET any -> [106.54.42.56] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/getdata"; depth:15; nocase; http.host; content:"106.54.42.56"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279129; rev:1;)
# /jquery-3.3.1.min.js recurs later in this batch on jqueryupdate1.housereynoldsfaust.com (sid:91279102);
# the exact-Host check is what separates these from ordinary jQuery fetches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"119.45.251.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279128; rev:1;)
alert tcp $HOME_NET any -> [182.92.154.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.92.154.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.120.65.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279125; rev:1;)
# NOTE(review): *.at.ply.gg is playit.gg tunnel space, i.e. shared relay infrastructure; 147.185.221.19:43028
# is presumably the relay endpoint that name resolves to - verify via the IOC refs. Other users of the same
# relay service are an FP source; both rules are confidence 75.
alert tcp $HOME_NET any -> [147.185.221.19] 43028 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279104; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"an-taxi.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279105; rev:1;)
# /reports.php payload-URL cluster: the same URI recurs on eight unrelated hosts in this batch
# (kampermazury.pl, justinpgrier.com, ictnieuws.nl, goodferry.pl, iantucker.ca, intellectualpirates.net,
# izj.unsa.ba, jensenauto.no) - presumably compromised legitimate sites. The exact-Host + path match means
# other pages on those sites do not fire; do not widen these into host-level blocks.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kampermazury.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279124; rev:1;)
# Short-URI C2 rules (/updates.rss, /visit.js, /g.pixel, /dpixel, /cx, /ptj, /j.ad, /ca): depth equals
# the literal length and there is no isdataat on http.uri, so any URI beginning with e.g. "/ca" or "/cx"
# matches; the exact-Host check is what keeps them specific. 106.55.181.108 appears twice (/dpixel, /ca).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279121; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279120; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279118; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.33.198.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279116; rev:1;)
# Four sibling .xyz C2 domains (ll?l.xyz) - each rule matches only its exact name.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llxl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279115; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llpl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279112; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llml.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279113; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llnl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279114; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279111; rev:1;)
# NOTE(review): sid:91279110 and sid:91279107 are byte-for-byte the same detection (GET /dhl on
# zakat.dompetdhuaafa.biz.id) filed under two ThreatFox IOC ids (1279110, 1279107); a single request raises
# both. Disable one locally unless the duplicate reference is wanted. The dns rule sid:91279108 covers the
# same host, and sid:91279106 the sibling baznas.dompetdhuaafa.biz.id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"zakat.dompetdhuaafa.biz.id"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279110; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279109; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zakat.dompetdhuaafa.biz.id"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279108; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"zakat.dompetdhuaafa.biz.id"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279107; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279106; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryupdate1.housereynoldsfaust.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279103; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"jqueryupdate1.housereynoldsfaust.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279102; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"progressivewebappsdev.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279096; rev:1;)
# NOTE(review): confidence-50 domain IOCs on ordinary-looking names (alphadex.io, labs.plutonians.tech) -
# expect false positives; keep these alert-only and do not feed them into automated blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alphadex.io"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"labs.plutonians.tech"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279100; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"justinpgrier.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279098; rev:1;)
# Dynamic-DNS name; exact match, so other duckdns.org labels are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remcoss2024feb.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279101; rev:1;)
# "Unknown malware" ip:port IOCs (confidence 50): header-only matches, any TCP packet to the destination
# alerts; the threshold limits output to one alert per source per minute. Several share port 8888.
alert tcp $HOME_NET any -> [190.123.44.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279095; rev:1;)
alert tcp $HOME_NET any -> [89.23.107.39] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279094; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.11] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279093; rev:1;)
alert tcp $HOME_NET any -> [110.41.17.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279092; rev:1;)
alert tcp $HOME_NET any -> [111.229.128.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279091; rev:1;)
alert tcp $HOME_NET any -> [117.72.74.197] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279090; rev:1;)
alert tcp $HOME_NET any -> [8.130.175.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279089; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.19] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279088; rev:1;)
# NOTE(review): outbound tcp/445 from $HOME_NET to 135.148.144.97 - a hit also shows that SMB egress to the
# Internet is permitted; that gap deserves fixing independently of this IOC.
alert tcp $HOME_NET any -> [135.148.144.97] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279087; rev:1;)
alert tcp $HOME_NET any -> [35.87.11.232] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279086; rev:1;)
alert tcp $HOME_NET any -> [62.234.162.181] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279085; rev:1;)
alert tcp $HOME_NET any -> [79.137.117.24] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279084; rev:1;)
alert tcp $HOME_NET any -> [158.160.64.178] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279083; rev:1;)
alert tcp $HOME_NET any -> [97.64.33.33] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279082; rev:1;)
alert tcp $HOME_NET any -> [74.207.229.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279081; rev:1;)
# Specific path on experimentation.univ-littoral.fr (a university host) - presumably a compromised legitimate
# site. The rule is anchored to the full path; keep it that way rather than blocking the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~eric/wp/masterddl/2023/03/05/agreement-sayings/"; depth:49; nocase; http.host; content:"experimentation.univ-littoral.fr"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ictnieuws.nl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/breach-contract-law/"; depth:21; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"goodferry.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278825; rev:1;)
# mamajekisrecording.com: three payload paths under /cdn-vs/ plus a dns rule for the host (sid:91278807).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278806; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mamajekisrecording.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"mamajekisrecording.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278809; rev:1;)
# NOTE(review): 3.64.4.198 and 18.158.58.205 look like AWS address space (confirm) - such addresses are
# reassigned, so these confidence-75 IP rules age quickly; re-check them against first_seen before relying
# on them.
alert tcp $HOME_NET any -> [3.64.4.198] 15212 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278811/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91278811; rev:1;)
alert tcp $HOME_NET any -> [18.158.58.205] 15212 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278810/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91278810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"iantucker.ca"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"fufug.enterprisedownloads.ltd"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279045; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fufug.enterprisedownloads.ltd"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279046; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intellectualpirates.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279059; rev:1;)
# fre.php C2 paths (/dv2/pws/fre.php on giampaolidolciaria.cfd, /mad/fre.php on mtuogioanis.com) sit next to
# a "Loki Password Stealer (PWS)" ip:port IOC in this batch - presumably the same family; check the IOC refs.
# The matching dns rules are confidence 75, the url rules confidence 100.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"giampaolidolciaria.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"izj.unsa.ba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279074; rev:1;)
alert tcp $HOME_NET any -> [31.192.235.208] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279077/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279077; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mtuogioanis.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_05; classtype:trojan-activity; sid:91279078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"jensenauto.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279080; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 54989 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278802; rev:1;)
# FAKEUPDATES payload host on 443: the ip:port shape is the only thing that can see this TLS traffic.
alert tcp $HOME_NET any -> [84.38.182.217] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91278803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mad/fre.php"; depth:12; nocase; http.host; content:"mtuogioanis.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_05; classtype:trojan-activity; sid:91279076; rev:1;)
# /mozi.m payload URL at confidence 50 - IP-hosted, cleartext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"41.143.84.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_05; classtype:trojan-activity; sid:91279075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"giampaolidolciaria.cfd"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279068; rev:1;)
# Cobalt Strike, 2024_06_04 batch. 42.194.249.150 has both an ip:port (443) and a url (/cm, cleartext) rule.
alert tcp $HOME_NET any -> [42.194.249.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279067; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"42.194.249.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279066; rev:1;)
alert tcp $HOME_NET any -> [45.144.137.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279065; rev:1;)
# Cloud API-gateway hostnames (service-*.apigw.tencentcs.com / *.tencentapigw.com.cn) fronting C2; the rules
# match the exact service hostname only, so other tenants of the same gateway are unaffected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-62fercq6-1314780031.nj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279064; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"service-62fercq6-1314780031.nj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279063; rev:1;)
alert tcp $HOME_NET any -> [23.94.203.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-owedaeao-1304783326.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1279061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279061; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-owedaeao-1304783326.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279060; rev:1;)
# NOTE(review): content:"/"; depth:1 with no isdataat on http.uri matches every URI, so sids 91279058/57/56/55/54
# are effectively "any cleartext GET to this Host" rules for the five Vidar IPs. The Vidar ip:port rules
# further down (91279051/47/48/49/50) cover the same addresses on 443 and 5432.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.166.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279057; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.2.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279054; rev:1;)
# NOTE(review): t.me and steamcommunity.com are legitimate high-volume services; these two rules key on a
# single path each (prefix match on http.uri, exact Host) - presumably dead-drop resolver lookups for the
# Vidar infrastructure listed next, verify via the IOC refs before blocking. Both services are normally
# reached over TLS, which http rules do not see.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r8z0l"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199698764354"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1279052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279052; rev:1;)
# Vidar ip:port IOCs (confidence 100); 116.203.2.129:5432 is a non-web port.
alert tcp $HOME_NET any -> [116.203.166.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279051; rev:1;)
alert tcp $HOME_NET any -> [116.203.2.129] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279047; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.185] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279048; rev:1;)
alert tcp $HOME_NET any -> [5.75.212.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279049; rev:1;)
alert tcp $HOME_NET any -> [116.203.167.34] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91279050; rev:1;)
# "Unknown malware" ip:port IOCs (confidence 50), 2024_06_04 batch - same header-only shape as above.
alert tcp $HOME_NET any -> [165.22.122.24] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279044; rev:1;)
alert tcp $HOME_NET any -> [107.172.157.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279043; rev:1;)
alert tcp $HOME_NET any -> [49.113.75.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279042; rev:1;)
alert tcp $HOME_NET any -> [107.172.191.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279041; rev:1;)
alert tcp $HOME_NET any -> [2.88.147.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279040/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_06_04; classtype:trojan-activity; sid:91279040; rev:1;) alert tcp $HOME_NET any -> [23.177.56.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279039; rev:1;) alert tcp $HOME_NET any -> [111.123.53.96] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279038; rev:1;) alert tcp $HOME_NET any -> [185.241.124.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1279037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91279037; rev:1;) alert tcp $HOME_NET any -> [144.208.127.241] 1717 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278823; rev:1;) alert tcp $HOME_NET any -> [5.42.65.63] 14707 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.37.32.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278820; rev:1;) alert tcp $HOME_NET any -> [154.83.13.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278816; rev:1;) 
# NOTE(review): ip:port rules have no flow: keyword - a bare SYN to the address is enough to match;
# threshold caps it at one alert per source host per 60 s. Add flow:to_server,established before using
# any of them as a drop rule.
alert tcp $HOME_NET any -> [154.83.13.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278817; rev:1;)
# NOTE(review): sid 91278815 is an exact duplicate of sid 91278818 (same GET /watch on the same host, two
# separate ThreatFox IOC ids); one matching request raises both alerts. Keep one, or dedupe on (uri, host)
# when ingesting the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"service-6xro0ifb-1253442149.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278815; rev:1;)
alert tcp $HOME_NET any -> [152.32.135.165] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278814; rev:1;)
# NOTE(review): dns.163microsoft.com is a different registrable domain from microsoft.com (a lookalike);
# the host and dns matches below are exact, so real microsoft.com traffic cannot trigger them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"dns.163microsoft.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278812; rev:1;)
# NOTE(review): dns rules here match the query name exactly and case-insensitively (depth equals the
# pattern length, isdataat:!1,relative, nocase), so subdomains of the listed name do NOT match. dns_query
# is the legacy spelling of dns.query; both parse on current Suricata, but new rules should use dns.query.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.163microsoft.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278813; rev:1;)
alert tcp $HOME_NET any -> [95.179.228.20] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"41.140.220.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278804; rev:1;)
# NOTE(review): the goudieelectric.shop / simonandschuster.shop entries are confidence_level 49, the lowest
# in this section; treat them as alert-only, low-fidelity indicators.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 49%)"; dns_query; content:"goudieelectric.shop"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278769/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/the-zero-residual-concept/products"; depth:35; nocase; http.host; content:"simonandschuster.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278771/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/the-zero-residual-concept/sjj-solutions"; depth:40; nocase; http.host; content:"simonandschuster.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278772/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278772; rev:1;)
# NOTE(review): bvp.ch is presumably an ordinary site carrying one malicious path; the URI condition is what
# makes this safe - a host-only or dns version of this IOC would flag legitimate visits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold-harmless-agreement-car-accident"; depth:37; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"simonandschuster.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278770/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_04; classtype:trojan-activity; sid:91278770; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.160] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ulysse-cazabonne.cam"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278801; rev:1;)
alert tcp $HOME_NET any -> [185.43.220.45] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278798; rev:1;)
alert tcp $HOME_NET any -> [47.96.141.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-nshpe3hn-1303962289.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/destroy/v4.7/gxd7023e"; depth:22; nocase; http.host; content:"service-nshpe3hn-1303962289.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278795; rev:1;)
# NOTE(review): the url rules from here down to sid 91278773 key on generic paths (/push, /load, /fwlink,
# /ga.js, /ptj, /ie9compatviewlist.xml, /dot.gif, /update, /pixel.gif, /updates, /updates.rss, /check,
# /g.pixel ...) of the kind widely used as Cobalt Strike default / malleable-profile URIs (the feed itself
# labels 175.178.109.66, which serves /jquery-3.3.1.min.js further down, as Cobalt Strike). The URI match is
# prefix-only (depth equals the pattern length, no trailing anchor) and the exact host match is the only
# thing that makes these specific - never generalise them to host-agnostic URI rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"82.157.78.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"221.227.232.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278789; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278787; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"106.52.130.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"150.109.103.16"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278773; rev:1;)
# NOTE(review): several of the DanaBot ip:port entries below do not look like routable C2 addresses.
# 80.0.65.0:75, 70.0.71.0:67, 89.0.101.0:2304, 72.0.74.0:66, 83.0.68.0:90 and 111.0.119.0:78 all have the
# form X.0.Y.0 with X and Y printable ASCII (80.0.65.0 is the byte string "P\0A\0", i.e. UTF-16LE "PA"),
# and 115.0.0.5:108, 110.0.0.7:768 and 187.1.0.0:443 are network-style addresses with odd ports. That
# pattern is consistent with a config extractor decoding text fields as IPv4, so the 100% confidence on
# these is doubtful; 198.211.116.98:443, 135.181.106.42:443 and 45.146.164.24:443 look plausible. Keep
# the suspect ones alert-only and check the referenced ThreatFox entries before any blocking.
alert tcp $HOME_NET any -> [198.211.116.98] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278757; rev:1;)
alert tcp $HOME_NET any -> [115.0.0.5] 108 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278758; rev:1;)
alert tcp $HOME_NET any -> [80.0.65.0] 75 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278759; rev:1;)
alert tcp $HOME_NET any -> [70.0.71.0] 67 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278760; rev:1;)
alert tcp $HOME_NET any -> [187.1.0.0] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278761; rev:1;)
alert tcp $HOME_NET any -> [135.181.106.42] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278762; rev:1;)
alert tcp $HOME_NET any -> [89.0.101.0] 2304 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278763; rev:1;)
alert tcp $HOME_NET any -> [72.0.74.0] 66 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278764; rev:1;)
alert tcp $HOME_NET any -> [110.0.0.7] 768 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278765; rev:1;)
alert tcp $HOME_NET any -> [83.0.68.0] 90 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278766; rev:1;)
alert tcp $HOME_NET any -> [45.146.164.24] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278767; rev:1;)
alert tcp $HOME_NET any -> [111.0.119.0] 78 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278768; rev:1;)
alert tcp $HOME_NET any -> [175.178.109.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.109.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"keydian.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"149.28.222.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"206.238.115.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; 
classtype:trojan-activity; sid:91278753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.249.33.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278752; rev:1;) alert tcp $HOME_NET any -> [182.148.187.185] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278751; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278749; rev:1;) alert tcp $HOME_NET any -> [101.37.32.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; 
classtype:trojan-activity; sid:91278748; rev:1;) alert tcp $HOME_NET any -> [47.93.53.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.93.53.140"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.106.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278744; rev:1;) alert tcp $HOME_NET any -> [185.235.242.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1278743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bc.hipool.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content"; depth:11; nocase; http.host; content:"bc.hipool.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.37.32.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.98.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278737; rev:1;) alert tcp $HOME_NET any -> [64.226.98.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.92.156.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.136.177.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.33.198.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278734/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_06_04; classtype:trojan-activity; sid:91278734; rev:1;) alert tcp $HOME_NET any -> [106.53.207.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"106.53.207.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.53.193.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.43.37.219"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278729; rev:1;) alert tcp $HOME_NET any -> [45.43.37.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1278730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278730; rev:1;) alert tcp $HOME_NET any -> [150.158.36.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-47u9brah-1326578525.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-47u9brah-1326578525.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278727; rev:1;) alert tcp $HOME_NET any -> [89.169.52.127] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278723; rev:1;) alert tcp $HOME_NET any -> [43.139.163.17] 10088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278722/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278722; rev:1;) alert tcp $HOME_NET any -> [101.201.118.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278721; rev:1;) alert tcp $HOME_NET any -> [101.35.235.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278720; rev:1;) alert tcp $HOME_NET any -> [67.0.241.90] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278719; rev:1;) alert tcp $HOME_NET any -> [67.0.229.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278718; rev:1;) alert tcp $HOME_NET any -> [67.71.30.199] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278717; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 18189 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278716; rev:1;) alert tcp $HOME_NET any -> [18.188.159.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278715; rev:1;) alert tcp $HOME_NET any -> [93.123.39.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278714; rev:1;) alert tcp $HOME_NET any -> [94.156.67.3] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278713; rev:1;) alert tcp $HOME_NET any -> [116.204.167.161] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_04; classtype:trojan-activity; sid:91278712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"languangjob.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278700; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voip.analytics-edges.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"jenn.jj"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278672; rev:1;) alert tcp $HOME_NET any -> [77.91.77.40] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wear626.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kancelariakaluza.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; 
sid:91278706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"win32.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278707; rev:1;) alert tcp $HOME_NET any -> [147.185.221.20] 9426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"so-taxi.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_04; classtype:trojan-activity; sid:91278709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.116.125.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278710; rev:1;) alert tcp $HOME_NET any -> [47.116.125.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_04; classtype:trojan-activity; sid:91278711; rev:1;) alert tcp $HOME_NET any -> [94.232.249.46] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home.js"; depth:12; nocase; http.host; content:"94.232.249.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278697; rev:1;) alert tcp $HOME_NET any -> [47.245.42.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.245.42.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278695; rev:1;) alert tcp $HOME_NET any -> [47.99.194.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.99.194.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278693; rev:1;) alert tcp $HOME_NET any -> [94.156.68.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278692; rev:1;) alert tcp $HOME_NET any -> [35.184.180.199] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278691; rev:1;) alert tcp $HOME_NET any -> [8.138.119.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278690; rev:1;) alert tcp $HOME_NET any -> [47.113.192.177] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278689; rev:1;) alert tcp $HOME_NET any -> [106.75.75.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1278688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278688; rev:1;) alert tcp $HOME_NET any -> [35.202.169.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278687; rev:1;) alert tcp $HOME_NET any -> [217.165.157.202] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278686; rev:1;) alert tcp $HOME_NET any -> [149.109.241.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278685; rev:1;) alert tcp $HOME_NET any -> [39.40.161.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278684; rev:1;) alert tcp $HOME_NET any -> [184.63.156.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278683; rev:1;) alert tcp $HOME_NET any -> [45.92.9.110] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278682; rev:1;) alert tcp $HOME_NET any -> [103.245.39.231] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278681; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278680; rev:1;) alert tcp $HOME_NET any -> [121.37.252.50] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278679; rev:1;) alert tcp $HOME_NET any -> [140.249.32.175] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278678; rev:1;) alert tcp $HOME_NET any -> [52.68.210.54] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; 
sid:91278677; rev:1;) alert tcp $HOME_NET any -> [86.104.72.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278676; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278675; rev:1;) alert tcp $HOME_NET any -> [101.35.42.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mirrorss.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"upgrade.mirrorss.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278670; rev:1;) alert tcp $HOME_NET any -> [103.179.189.111] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"theonelartist.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278465; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"theonelartist.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278466; rev:1;)
alert tcp $HOME_NET any -> [96.47.235.152] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278462; rev:1;)
# NOTE(review): sid:91278458 and sid:91278459 below place a bare IP literal in the http.uri buffer with depth
# equal to the content length and no http.host test at all. For an origin-form request the normalized URI
# begins with "/", so a match that must start at offset 0 is unlikely ever to fire as written; this looks
# like a URL IOC with no path whose host part was emitted into the URI buffer. Presumably the intent is to
# match the Host header (as the other url rules do with http.host + isdataat:!1,relative) — verify against
# the referenced IOC entries before relying on these two rules for detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.108.55.55"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1278458/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 49%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.107.221.88"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1278459/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"load.memoryloader.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"memoryloader.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"baqebei1.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278450/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"d1x9q8w2e4.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278452/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 49%)"; dns_query; content:"cdnforfiles.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278451/; target:src_ip; metadata: confidence_level 49, first_seen 2024_06_03; classtype:trojan-activity; sid:91278451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hold-harmless-agreement-car-accident/"; depth:38; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"intermissionhostel.no"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278457; rev:1;) alert tcp $HOME_NET any -> [147.45.47.36] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.229.142.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"81.68.253.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278453; rev:1;) alert tcp $HOME_NET any -> [114.132.87.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278449; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"114.132.87.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.196.191.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"106.53.207.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278446; rev:1;) alert tcp $HOME_NET any -> [8.222.230.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.222.230.186"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transfer-agreement-concept"; depth:27; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"inpersonakbh.dk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278443; rev:1;) alert tcp $HOME_NET any -> [45.147.99.158] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278438; rev:1;) alert tcp $HOME_NET any -> [173.212.209.190] 4001 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278437; rev:1;) alert tcp $HOME_NET any -> [149.88.44.159] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lldl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llcl.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"llal.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278435; rev:1;) alert tcp $HOME_NET any -> [50.114.37.52] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278432; rev:1;) alert tcp $HOME_NET any -> [91.151.89.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278431; 
rev:1;) alert tcp $HOME_NET any -> [147.78.103.131] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278430; rev:1;) alert tcp $HOME_NET any -> [13.54.165.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278429; rev:1;) alert tcp $HOME_NET any -> [46.246.86.8] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278428; rev:1;) alert tcp $HOME_NET any -> [222.239.101.244] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278427; rev:1;) alert tcp $HOME_NET any -> [105.154.220.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278426; rev:1;) alert tcp $HOME_NET any -> [75.173.34.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278425/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278425; rev:1;) alert tcp $HOME_NET any -> [77.126.87.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278424; rev:1;) alert tcp $HOME_NET any -> [70.27.138.67] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278423; rev:1;) alert tcp $HOME_NET any -> [159.100.29.70] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278422; rev:1;) alert tcp $HOME_NET any -> [49.119.120.21] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278421; rev:1;) alert tcp $HOME_NET any -> [117.139.140.7] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278420; rev:1;) alert tcp $HOME_NET any -> [18.207.197.162] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ieshua.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278384; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278396; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278397; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18801 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278398; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16276 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278408/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_06_03; classtype:trojan-activity; sid:91278408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"ingahanka.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278405; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278407; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 44070 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278409; rev:1;) alert tcp $HOME_NET any -> [147.78.103.81] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pendarcc.ir"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278412/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278412; rev:1;) alert tcp $HOME_NET any -> [212.114.52.163] 
4044 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278416; rev:1;) alert tcp $HOME_NET any -> [185.43.220.45] 4383 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278417; rev:1;) alert tcp $HOME_NET any -> [110.42.248.7] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8zef"; depth:5; nocase; http.host; content:"124.71.81.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_03; classtype:trojan-activity; sid:91278415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b35977a00ebd8086.safe1.lat"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"b35977a00ebd8086.safe1.lat"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_03; classtype:trojan-activity; sid:91278413; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"221.15.22.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_03; classtype:trojan-activity; sid:91278406; rev:1;)
alert tcp $HOME_NET any -> [47.94.143.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278401; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"47.94.143.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278400; rev:1;)
# NOTE(review): the rule below (sid:91278399) is the same match as sid:91278400 directly above — same method,
# same URI, same host, same depth/isdataat anchoring; only the ThreatFox reference (IOC 1278399 vs 1278400)
# and the sid differ. A single matching request therefore raises two alerts. Keep both only if the per-IOC
# reference is needed for triage; otherwise disable one to avoid duplicate alerting.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"47.94.143.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278399/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278399; rev:1;) alert tcp $HOME_NET any -> [45.13.199.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.13.199.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dasy.68chat11.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dasy.68chat11.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colet.capsmono.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1278391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"colet.capsmono.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sera.capsmono.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sera.capsmono.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278388; rev:1;) alert tcp $HOME_NET any -> [45.92.158.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"static.nvidiadrives.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.nvidiadrives.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278385; rev:1;) alert tcp $HOME_NET any -> [194.26.141.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278383; rev:1;) alert tcp $HOME_NET any -> [2.58.56.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278382; rev:1;) alert tcp $HOME_NET any -> [147.45.152.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278381; rev:1;) alert tcp $HOME_NET any -> [37.27.47.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278380/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278380; rev:1;)
# ---------------------------------------------------------------------------
# Review notes for this stretch of the ThreatFox feed (one rule per line below;
# the fragment above is the tail of sid:91278380, whose head precedes this span,
# and the last line below is the head of a rule whose tail follows it).
#
# * The "alert tcp $HOME_NET any -> [ip] port" rules carry no flow keyword, so any
#   packet from $HOME_NET toward the ip:port (an unanswered SYN, a retransmission,
#   an internal scanner) fires; "threshold: type limit, track by_src, seconds 60,
#   count 1" then caps it at one alert per source per minute. Add
#   "flow:to_server,established;" if only completed sessions should alert.
# * The http.uri matches use depth:N without isdataat:!1,relative, so they are
#   prefix matches: "/ca" also fires on "/cart", "/login" also on "/login/x".
#   They are still bounded by the exact-length http.host match that follows.
# * The http.host and dns_query matches use depth:N plus isdataat:!1,relative,
#   i.e. exact-length: only the listed name, no subdomains; a Host header that
#   carries an explicit ":port" would not match if the buffer retains the port
#   (NOTE(review): confirm against the Suricata version in use).
# * The dns rules are scoped $HOME_NET -> $EXTERNAL_NET. When clients resolve via
#   an internal resolver in $HOME_NET, only the resolver's upstream query crosses
#   that header, and target:src_ip then names the resolver, not the client.
# * sid:91277943 and sid:91277936 have identical detection logic (GET /owa/ with
#   Host 47.109.69.135) and both fire on the same request; see notes inline.
# ---------------------------------------------------------------------------
# ip:port rules (no flow keyword; see notes above)
alert tcp $HOME_NET any -> [5.188.86.231] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278379; rev:1;)
alert tcp $HOME_NET any -> [51.38.113.200] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278378; rev:1;)
alert tcp $HOME_NET any -> [160.176.174.24] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278218; rev:1;)
alert tcp $HOME_NET any -> [95.179.228.20] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_02; classtype:trojan-activity; sid:91278219; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videotoprocesslinuxflowergeneratorlocalcentral.php"; depth:51; nocase; http.host; content:"333376cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278221; rev:1;)
# dns_query match is exact-length: "namex-na.com" only, no subdomains (see notes above)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"namex-na.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278220; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.204] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278217/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_02; classtype:trojan-activity; sid:91278217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"namex-na.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278216; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278215; rev:1;)
alert tcp $HOME_NET any -> [47.113.107.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278214; rev:1;)
# "/ca" with depth:3 and no isdataat is a URI prefix match (also "/cart", "/cache/...); bounded by the exact Host match
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.113.107.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278213; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.223.26.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278211; rev:1;)
alert tcp $HOME_NET any -> [111.231.140.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.040.red"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278209; rev:1;)
alert tcp $HOME_NET any -> [206.119.171.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278210; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"www.040.red"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278208; rev:1;)
alert tcp $HOME_NET any -> [158.160.169.50] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278207; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.126] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0988419.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278205; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0e36490e.php"; depth:13; nocase; http.host; content:"a0988327.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278204; rev:1;)
alert tcp $HOME_NET any -> [105.155.167.141] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.15.235.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278201; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.112.127.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278176; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lamayokohama.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/hyra2dh-3blkdyr7nwtfasg"; depth:41; nocase; http.host; content:"lamayokohama.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"119.91.209.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278173; rev:1;)
alert tcp $HOME_NET any -> [119.91.208.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278172; rev:1;)
alert tcp $HOME_NET any -> [104.194.133.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v8.6/z1hbha1y1"; depth:22; nocase; http.host; content:"104.194.133.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/how-to-sue-landlord-for-breach-of-contract-legal-guide/"; depth:61; nocase; http.host; content:"www.quantumsoftech.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278168; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hotelfonfreda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"drinkresources.rest"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278151; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"drinkresources.rest"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278152; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 7019 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278153; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haul.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1278154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"homedevice.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278159; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"hopgermany.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_02; classtype:trojan-activity; sid:91278160; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.248] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278167; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.70] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278166; rev:1;)
alert tcp $HOME_NET any -> [20.199.91.184] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278165; rev:1;)
alert tcp $HOME_NET any -> [185.23.253.150] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278164; rev:1;)
alert tcp $HOME_NET any -> [165.227.187.77] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278163; rev:1;)
alert tcp $HOME_NET any -> [185.130.44.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278162; rev:1;)
alert tcp $HOME_NET any -> [185.130.44.166] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_02; classtype:trojan-activity; sid:91278161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"h-port-s.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1278148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91278148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"android.manx7.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277953; rev:1;)
alert tcp $HOME_NET any -> [31.220.1.98] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278147/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91278147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"162.120.71.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277951; rev:1;)
alert tcp $HOME_NET any -> [114.130.36.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278146; rev:1;)
alert tcp $HOME_NET any -> [5.104.83.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278145; rev:1;)
alert tcp $HOME_NET any -> [84.32.44.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278144; rev:1;)
alert tcp $HOME_NET any -> [105.154.220.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278143; rev:1;)
alert tcp $HOME_NET any -> [83.110.222.242] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278142; rev:1;)
alert tcp $HOME_NET any -> [39.40.129.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278141; rev:1;)
alert tcp $HOME_NET any -> [172.207.80.170] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278140; rev:1;)
alert tcp $HOME_NET any -> [54.215.94.76] 57580 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91278139; rev:1;)
alert tcp $HOME_NET any -> [187.156.103.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_06_01; classtype:trojan-activity; sid:91278138; rev:1;)
alert tcp $HOME_NET any -> [5.42.67.10] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1278137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91278137; rev:1;)
alert tcp $HOME_NET any -> [194.67.193.203] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277950/; target:src_ip; metadata: confidence_level 60, first_seen 2024_06_01; classtype:trojan-activity; sid:91277950; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.90] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277949; rev:1;)
alert tcp $HOME_NET any -> [13.60.40.107] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277948; rev:1;)
alert tcp $HOME_NET any -> [158.160.171.112] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277945; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gps-football.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277947; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277944; rev:1;)
# DUPLICATE detection logic: identical to sid:91277936 below (GET /owa/, Host 47.109.69.135); both fire on one request.
# Keep one, or suppress the other in threshold.config, to avoid double alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"47.109.69.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277943; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.106.153.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.120.61.134"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"206.233.133.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.221.76.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277938; rev:1;)
# DUPLICATE detection logic: identical to sid:91277943 above (different ThreatFox IOC id, same rule body).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"47.109.69.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277936; rev:1;)
alert tcp $HOME_NET any -> [47.109.69.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"ghs.lidajun.lol"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277934; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277933; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277932; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.184.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277929; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"107.148.37.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277925; rev:1;)
alert tcp $HOME_NET any -> [124.71.81.174] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277918; rev:1;)
alert tcp $HOME_NET any -> [124.71.81.174] 9898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ld6w"; depth:5; nocase; http.host; content:"124.71.81.174"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277920; rev:1;)
alert tcp $HOME_NET any -> [85.192.20.120] 9999 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277923; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"120.77.150.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277924; rev:1;)
alert tcp $HOME_NET any -> [172.245.240.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277922; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/v2.66/g6ebs8vjr0"; depth:25; nocase; http.host; content:"172.245.240.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5-comma-rules-a-guide-to-proper-punctuation-in-legal-writing/"; depth:62; nocase; http.host; content:"labonczfa.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277893; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"glasstheatre.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277894; rev:1;)
alert tcp $HOME_NET any -> [194.59.30.121] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277917; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/682e702a.php"; depth:13; nocase; http.host; content:"a0988934.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277916; rev:1;)
alert tcp $HOME_NET any -> [143.244.129.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277915; rev:1;)
alert tcp $HOME_NET any -> [45.88.79.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277914; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277913; rev:1;)
# The rule below is cut off here (its sid and closing parenthesis follow this span).
alert tcp $HOME_NET any -> [47.99.66.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277912; rev:1;) alert tcp $HOME_NET any -> [146.190.20.6] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277911; rev:1;) alert tcp $HOME_NET any -> [194.87.148.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277910; rev:1;) alert tcp $HOME_NET any -> [165.227.187.77] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277909; rev:1;) alert tcp $HOME_NET any -> [165.227.187.77] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277908; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277907; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 31962 (msg:"ThreatFox Deimos botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277906; rev:1;) alert tcp $HOME_NET any -> [51.91.209.109] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277905; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277904; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 31962 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277903; rev:1;) alert tcp $HOME_NET any -> [51.91.209.154] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277902; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 32455 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; 
sid:91277901; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 31962 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277900; rev:1;) alert tcp $HOME_NET any -> [51.91.208.69] 30674 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277899; rev:1;) alert tcp $HOME_NET any -> [116.136.135.93] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277898; rev:1;) alert tcp $HOME_NET any -> [101.226.27.179] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277897; rev:1;) alert tcp $HOME_NET any -> [94.156.144.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277896; rev:1;) alert tcp $HOME_NET any -> [143.244.162.77] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277895; rev:1;) alert tcp $HOME_NET any -> [209.25.140.211] 23521 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ranconimports.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"ranconimports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allbou.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gantegh.agbubulgaria.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277886; rev:1;) alert tcp $HOME_NET any -> [2.59.135.134] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_06_01; classtype:trojan-activity; sid:91277890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/04/20/will-dispute-lawyers-brisbane/"; depth:42; nocase; http.host; content:"www.casagaribaldi.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277891; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"gimnazjum6.zgo.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_06_01; classtype:trojan-activity; sid:91277892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"58.178.116.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_06_01; classtype:trojan-activity; sid:91277887; rev:1;) alert tcp $HOME_NET any -> [65.21.79.150] 27667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sangfor.sanfor.club"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277879/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_31; classtype:trojan-activity; sid:91277879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"sangfor.sanfor.club"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277878; rev:1;) alert tcp $HOME_NET any -> [77.91.77.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277877; rev:1;) alert tcp $HOME_NET any -> [77.91.77.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277876; rev:1;) alert tcp $HOME_NET any -> [195.10.205.90] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277870; rev:1;) alert tcp $HOME_NET any -> [13.92.183.218] 8443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277869; rev:1;) alert tcp $HOME_NET any -> [34.146.16.228] 2095 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277868; rev:1;) alert tcp $HOME_NET any -> [116.62.125.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277867; rev:1;) alert tcp $HOME_NET any -> [8.213.217.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277866; rev:1;) alert tcp $HOME_NET any -> [106.54.197.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277865; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277864; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277863/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_31; classtype:trojan-activity; sid:91277863; rev:1;) alert tcp $HOME_NET any -> [2.50.54.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277862; rev:1;) alert tcp $HOME_NET any -> [142.247.168.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277861; rev:1;) alert tcp $HOME_NET any -> [1.161.68.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277860; rev:1;) alert tcp $HOME_NET any -> [88.251.35.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277859; rev:1;) alert tcp $HOME_NET any -> [178.87.97.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277858; rev:1;) alert tcp $HOME_NET any -> [96.9.213.175] 80 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1277857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277857; rev:1;) alert tcp $HOME_NET any -> [172.173.169.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277856; rev:1;) alert tcp $HOME_NET any -> [13.60.83.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277855; rev:1;) alert tcp $HOME_NET any -> [155.94.204.217] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277854; rev:1;) alert tcp $HOME_NET any -> [38.165.104.28] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277853; rev:1;) alert tcp $HOME_NET any -> [89.23.118.175] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277852; rev:1;) alert tcp $HOME_NET any -> [47.237.20.201] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277851; rev:1;) alert tcp $HOME_NET any -> [94.156.144.46] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/moore/five/fre.php"; depth:19; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277849; rev:1;) alert tcp $HOME_NET any -> [91.207.183.111] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"91.207.183.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277847; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17169 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"francesco.tarricone.it"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277845; rev:1;) alert tcp $HOME_NET any -> [91.92.243.101] 1081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"forum.altoadigeinnovazione.it"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277609; rev:1;) alert tcp $HOME_NET any -> [47.120.59.37] 6161 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c05b44c6.php"; depth:13; nocase; http.host; content:"a0986754.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277610; rev:1;) alert tcp $HOME_NET any -> [77.91.73.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277570; rev:1;) alert tcp $HOME_NET any -> [74.119.193.200] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277571/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cavedesponts/what-is-a-contract-seal/"; depth:38; nocase; http.host; content:"laurenti.ch"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-gratuitous-contract/"; depth:29; nocase; http.host; content:"fluechtlinge-malen.ch"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277573/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-a-safe-equity-agreement/"; depth:33; nocase; http.host; content:"hirschen-rorschach.ch"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"flavirama.be"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277577; rev:1;) alert tcp $HOME_NET any -> [195.114.193.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"195.114.193.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"164.92.237.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277605; rev:1;) alert tcp $HOME_NET any -> [164.92.237.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"62.234.55.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277603; rev:1;) alert tcp $HOME_NET any -> [62.234.55.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.supportsmicrosoft.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"141.98.212.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277601; rev:1;) alert tcp $HOME_NET any -> [82.156.167.60] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277600; rev:1;) alert tcp $HOME_NET any -> [106.53.207.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-mpstp742-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mpstp742-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; 
sid:91277598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/jquery-v3-31/jquery-3.3.1.min.js"; depth:37; nocase; http.host; content:"36.89.252.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277596; rev:1;) alert tcp $HOME_NET any -> [82.156.167.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277594; rev:1;) alert tcp $HOME_NET any -> [106.75.237.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.75.237.106"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.3.179.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277590; rev:1;) alert tcp $HOME_NET any -> [119.3.179.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-g0t0y6tj-1324325324.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277587; rev:1;) alert tcp $HOME_NET any -> [101.43.32.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1277588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; content:"service-g0t0y6tj-1324325324.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277586; rev:1;) alert tcp $HOME_NET any -> [43.143.245.43] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"1.12.45.242"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"1.12.239.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.221.76.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277582; rev:1;) alert tcp $HOME_NET any -> [129.211.173.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"129.211.173.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"129.211.173.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"186.4.217.208"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"hjkdnd.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277568/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"markjohnhvncpure.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277569/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"yavasyavaslo261.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277558/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"selammudur24.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"adbennaberortak.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277556/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"festivalrykten.se"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"adile56tasarim.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277555/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"festivalrykten.se"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/us-social-security-agreements/"; depth:31; nocase; http.host; content:"www.platypus-verlag.ch"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/transfer-agreement-concept/"; depth:28; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277541; rev:1;) alert tcp $HOME_NET any -> [77.91.77.88] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"113.200.137.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.49.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.140.197"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.60.217.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277553; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/fetch"; depth:13; nocase; http.host; content:"47.106.154.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.css"; depth:27; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"82.157.78.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.63.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277545; rev:1;) alert tcp $HOME_NET any -> [216.245.184.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; 
classtype:trojan-activity; sid:91277540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/define/balance/cckrhyf90gm"; depth:27; nocase; http.host; content:"ecomexplosion.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecomexplosion.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277539; rev:1;) alert tcp $HOME_NET any -> [114.115.174.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.174.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sq"; depth:3; nocase; http.host; content:"185.234.216.143"; depth:15; isdataat:!1,relative; 
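reference:url, threatfox.abuse.ch/ioc/1277534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"etnikk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277533; rev:1;)
# The ip:port rules in this feed carry no flow keyword, so any packet from $HOME_NET to the
# listed ip:port matches; "threshold: type limit, track by_src, seconds 60, count 1" caps the
# output at one alert per source host per minute.
alert tcp $HOME_NET any -> [137.220.137.85] 24818 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277530; rev:1;)
# FIX (sids 91277524, 91277525, 91277526, 91277527, 91277529, 91277528, 91277497, 91277514,
# 91277515): as generated, these rules matched a bare IP or hostname in the http.uri buffer,
# anchored to offset 0 by depth:N. http.uri is the normalized request URI, which for an
# ordinary origin-form request begins with "/", so a pattern such as "139.59.45.226" at
# offset 0 is not expected to match a well-formed request and the rules would not fire.
# Rewritten to match the value in http.host using this feed's own host convention
# (content; depth:<len>; isdataat:!1,relative; no nocase, as http.host is pre-lowercased),
# rev bumped to 2. This is broader than the original URL IOC (any GET to that host): the
# upstream URL path, if there was one, is not recoverable from this file — check the
# referenced ThreatFox entry before relying on these. A feed refresh will overwrite this edit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"139.59.45.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277524; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"3.110.90.191"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277525; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"104.248.144.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277526; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"212.193.51.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277527; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"213.136.70.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277529; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"47.98.103.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277528; rev:2;)
alert tcp $HOME_NET any -> [117.50.187.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"117.50.187.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277522; rev:1;)
# sids 91277521 and 91277520: http.uri content "/" with depth:1 is satisfied by every
# origin-form request URI, so these effectively alert on every GET to the named host.
# Kept as generated; expect them to be noisy if the host serves anything legitimate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.2.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277520; rev:1;)
alert tcp $HOME_NET any -> [5.75.212.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277519; rev:1;)
alert tcp $HOME_NET any -> [116.202.2.84] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277518; rev:1;)
# Same http.uri -> http.host fix as above (see the FIX comment before sid 91277524).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"192.52.167.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277497; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"167.99.76.75"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277514; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"smlivin.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277515; rev:2;)
alert tcp $HOME_NET any -> [45.95.169.128] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277516; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.232] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277517; rev:1;)
alert tcp $HOME_NET any -> [91.214.78.238] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277513; rev:1;)
alert tcp 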
$HOME_NET any -> [149.104.24.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277512; rev:1;) alert tcp $HOME_NET any -> [47.120.22.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277511; rev:1;) alert tcp $HOME_NET any -> [47.108.238.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277510; rev:1;) alert tcp $HOME_NET any -> [107.172.234.139] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277509; rev:1;) alert tcp $HOME_NET any -> [106.54.4.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277508; rev:1;) alert tcp $HOME_NET any -> [49.235.147.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277507; rev:1;) alert tcp $HOME_NET any -> [46.246.6.4] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277506; rev:1;) alert tcp $HOME_NET any -> [159.235.45.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277505; rev:1;) alert tcp $HOME_NET any -> [182.30.4.130] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277504; rev:1;) alert tcp $HOME_NET any -> [202.169.39.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277503; rev:1;) alert tcp $HOME_NET any -> [54.203.168.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277502; rev:1;) alert tcp $HOME_NET any -> [81.43.243.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277501; rev:1;) alert tcp $HOME_NET any -> [89.23.118.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277500; rev:1;) alert tcp $HOME_NET any -> [206.119.72.125] 47000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277498; rev:1;) alert tcp $HOME_NET any -> [206.119.72.125] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_31; classtype:trojan-activity; sid:91277499; rev:1;) alert tcp $HOME_NET any -> [34.125.100.30] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorodpro-42772.portmap.host"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; 
sid:91277485; rev:1;) alert tcp $HOME_NET any -> [43.155.163.53] 24543 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"akmedia.in"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"bethesdaserukam.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"galandskiyher5.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"humman.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; 
content:"host-file-host6.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"nuljjjnuli.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"trybobry.com.ua"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"vacantion18ffeu.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277496; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 42772 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tcp.ngrok.io"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277482/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277482; rev:1;) alert tcp $HOME_NET any -> [216.137.178.203] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.matantalbenna.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277460; rev:1;) alert tcp $HOME_NET any -> [51.68.167.104] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"geckoplumbing.com.au"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277463; rev:1;) alert tcp $HOME_NET any -> [93.123.39.66] 6318 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277464; rev:1;) alert tcp $HOME_NET any -> [46.246.86.11] 2054 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277465/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anti2020.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277466; rev:1;) alert tcp $HOME_NET any -> [209.25.141.211] 23521 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tips-prairie.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277468; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 45758 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277469; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 49671 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277470/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277470; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277471; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277472; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 16424 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l790rt2bv0htr.php"; depth:18; nocase; http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277474; rev:1;) alert tcp $HOME_NET any -> [46.148.39.131] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277458; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolanddelicim.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolandbabis.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_31; classtype:trojan-activity; sid:91277436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 75%)"; dns_query; content:"amazon-analytic.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:bad-unknown; sid:91277437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"entertainmenttechnologies.co.uk"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277441; rev:1;) alert tcp $HOME_NET any -> [93.123.39.98] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s3c6cx5iguhtr.php"; depth:18; nocase; http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dfcgbllaafenfkh.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uiavk0u7uzhtr.php"; depth:18; nocase; http.host; content:"dfcgbllaafenfkh.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"estforestry.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tolowgamesqlpublicdownloads.php"; depth:32; nocase; http.host; content:"501046cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/58256ec0.php"; depth:13; nocase; http.host; content:"optimal-expert.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njrs"; depth:5; nocase; http.host; content:"47.120.35.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_31; classtype:trojan-activity; sid:91277480; rev:1;) alert tcp $HOME_NET any -> [49.13.194.118] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277476; rev:1;) alert tcp $HOME_NET any -> [8.210.206.52] 1725 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; 
classtype:trojan-activity; sid:91277475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/59f76ddc.php"; depth:13; nocase; http.host; content:"a0985805.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_31; classtype:trojan-activity; sid:91277457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277453; rev:1;) alert tcp $HOME_NET any -> [162.252.175.98] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277448; rev:1;) alert tcp $HOME_NET any -> [142.202.240.61] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277447; rev:1;) alert tcp $HOME_NET any -> [207.148.0.16] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277446; rev:1;) alert tcp $HOME_NET any -> [3.222.53.37] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277445; rev:1;) alert tcp $HOME_NET any -> [44.211.3.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277444; rev:1;) alert tcp $HOME_NET any -> [63.250.56.164] 8008 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277443; rev:1;) alert tcp $HOME_NET any -> [94.20.154.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277442; rev:1;) alert tcp $HOME_NET any -> [154.40.57.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277438; rev:1;) alert tcp $HOME_NET any -> [134.209.106.197] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1277432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277432; rev:1;) alert tcp $HOME_NET any -> [89.169.53.116] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277431; rev:1;) alert tcp $HOME_NET any -> [89.169.52.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277430; rev:1;) alert tcp $HOME_NET any -> [116.196.120.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277429; rev:1;) alert tcp $HOME_NET any -> [49.235.166.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277428; rev:1;) alert tcp $HOME_NET any -> [46.246.86.18] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277427; rev:1;) alert tcp $HOME_NET any -> [2.50.7.121] 22 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277426; rev:1;) alert tcp $HOME_NET any -> [86.98.8.132] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277425; rev:1;) alert tcp $HOME_NET any -> [84.213.214.124] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277424; rev:1;) alert tcp $HOME_NET any -> [91.237.124.162] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277423; rev:1;) alert tcp $HOME_NET any -> [52.40.136.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277422; rev:1;) alert tcp $HOME_NET any -> [54.169.75.222] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277421; rev:1;) alert tcp $HOME_NET any -> [167.172.150.173] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277420; rev:1;) alert tcp $HOME_NET any -> [65.21.63.6] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277419; rev:1;) alert tcp $HOME_NET any -> [194.67.193.201] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277417/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_30; classtype:trojan-activity; sid:91277417; rev:1;) alert tcp $HOME_NET any -> [194.67.193.202] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277418/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_30; classtype:trojan-activity; sid:91277418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.146.158.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1c-viewer.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277414; rev:1;) alert tcp $HOME_NET any -> [185.196.8.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/handler"; depth:8; nocase; http.host; content:"1c-viewer.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.supportsmicrosoft.xyz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.supportsmicrosoft.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277411; rev:1;) alert tcp 
$HOME_NET any -> [64.176.178.205] 1988 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rmknqt3s"; depth:9; nocase; http.host; content:"1july.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kz5hd3dkenwged02vbat_kwgfdmwq1"; depth:31; nocase; http.host; content:"download2361.mediafire.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 80%)"; dns_query; content:"sustac.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"s9l0w7n3y5.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277406/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"s9l0w7n3y5.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"s9l0w7n3y5.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277405; rev:1;) alert tcp $HOME_NET any -> [117.72.33.87] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.ylzinfo.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.ylzinfo.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d10/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"bestcdnforfree.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"bestcdnforfree.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"poivyzeaa.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.php"; 
depth:6; nocase; http.host; content:"poivyzeaa.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"27.25.151.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277172; rev:1;) alert tcp $HOME_NET any -> [111.230.207.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"122.51.194.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"122.51.194.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277168; rev:1;) alert tcp $HOME_NET any -> [101.33.194.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277167; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 4482 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"109.196.166.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"107.148.37.77"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277161; rev:1;) alert tcp $HOME_NET any -> [107.148.37.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277162; rev:1;) alert tcp $HOME_NET any -> [124.221.113.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.221.113.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.220.192.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277157; rev:1;) alert tcp $HOME_NET any -> [8.220.192.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1277158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277158; rev:1;) alert tcp $HOME_NET any -> [192.3.16.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"192.3.16.18"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277155; rev:1;) alert tcp $HOME_NET any -> [140.83.83.58] 9988 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"free.iwaf.cn"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free.iwaf.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1277153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"129.211.26.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277151; rev:1;) alert tcp $HOME_NET any -> [111.67.195.152] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.51.38.108"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277149; rev:1;) alert tcp $HOME_NET any -> [45.152.86.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; 
http.host; content:"45.152.86.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bestcdnforfree.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277146; rev:1;) alert tcp $HOME_NET any -> [94.156.67.124] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"p4wq3e5r6t.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gotthebestoffer.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"gotthebestoffer.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/nanofolder/img-files/nacati.res"; depth:43; nocase; http.host; content:"groundbreakingsstyle.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/nanofolder/img-files/a95c346e-bd42-406b-a6a4-ed808e98bf67.res"; depth:73; nocase; http.host; content:"groundbreakingsstyle.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"diditaxi.kro.kr"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1277141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; classtype:trojan-activity; sid:91277141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"accountasifkwosov.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"p4wq3e5r6t.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277137; rev:1;) alert tcp $HOME_NET any -> [77.91.77.87] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987339.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277136; rev:1;) alert tcp $HOME_NET any -> [54.180.3.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/students/l9ut5v9e"; depth:22; nocase; http.host; content:"54.180.3.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277134/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_30; classtype:trojan-activity; sid:91277134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.130.134.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.40.19.66"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1277125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277122; rev:1;) alert tcp $HOME_NET any -> [185.241.208.229] 51997 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"8.222.156.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"129.226.201.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277116; rev:1;) alert tcp $HOME_NET any -> [204.137.14.135] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277111/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277111; rev:1;) alert tcp $HOME_NET any -> [45.135.180.6] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277112; rev:1;) alert tcp $HOME_NET any -> [94.232.46.202] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277113; rev:1;) alert tcp $HOME_NET any -> [5.161.81.32] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277114; rev:1;) alert tcp $HOME_NET any -> [180.131.145.92] 80 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_30; classtype:trojan-activity; sid:91277115; rev:1;) alert tcp $HOME_NET any -> [104.168.107.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277110; rev:1;) alert tcp $HOME_NET any -> [15.228.248.19] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277109; rev:1;) alert tcp $HOME_NET any -> [45.59.120.155] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277108; rev:1;) alert tcp $HOME_NET any -> [207.148.17.169] 9000 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277107; rev:1;) alert tcp $HOME_NET any -> [212.47.244.109] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277106; rev:1;) alert tcp $HOME_NET any -> [109.123.234.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277105; rev:1;) alert tcp $HOME_NET any -> [34.242.178.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277104; rev:1;) alert tcp $HOME_NET any -> [43.134.47.80] 2096 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277103; rev:1;) alert tcp $HOME_NET any -> [45.33.97.250] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277102; rev:1;) alert tcp $HOME_NET any -> [174.138.24.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277101; rev:1;) alert tcp $HOME_NET any -> [104.200.72.177] 47513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277100; rev:1;) alert tcp $HOME_NET any -> [23.225.146.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277099; rev:1;) alert tcp $HOME_NET any -> [23.225.146.83] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; 
classtype:trojan-activity; sid:91277098; rev:1;) alert tcp $HOME_NET any -> [23.225.146.85] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277097; rev:1;) alert tcp $HOME_NET any -> [23.225.146.86] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277096; rev:1;) alert tcp $HOME_NET any -> [23.225.146.84] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277095; rev:1;) alert tcp $HOME_NET any -> [188.166.116.129] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277094; rev:1;) alert tcp $HOME_NET any -> [164.90.230.22] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dovuzu3rz.top"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1276833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h/get.php"; depth:10; nocase; http.host; content:"septicfl.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"septicfl.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"kimtams.dk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"lifeunworthyoflife.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"davidjhindlemann.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"muse.krazzykriss.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276856; rev:1;) alert tcp $HOME_NET any -> [103.40.161.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277091; rev:1;) alert tcp $HOME_NET any -> [192.227.234.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"test.info-twpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.info-twpower.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1277088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"test.info-twpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"chernobyl-cheat.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/41286969787314313"; depth:28; nocase; http.host; content:"45.61.137.215"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277085; rev:1;) alert tcp $HOME_NET any -> [5.42.65.129] 2353 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1277084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processgamebigloaddbflower.php"; depth:31; nocase; http.host; content:"434778cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91277083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"171.120.225.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1277082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_30; classtype:trojan-activity; sid:91277082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83a18cdb.php"; depth:13; nocase; http.host; content:"a0987361.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0987707.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_30; classtype:trojan-activity; sid:91276873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9qod"; depth:5; nocase; http.host; content:"120.46.36.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276872/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276872; rev:1;) alert tcp $HOME_NET any -> [120.46.36.83] 32569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w99t"; depth:5; nocase; http.host; content:"120.26.223.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276869; rev:1;) alert tcp $HOME_NET any -> [120.26.223.78] 33128 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; 
classtype:trojan-activity; sid:91276868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199695752269"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ta904ek"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~escolodo/alive/five/fre.ph"; depth:28; nocase; http.host; content:"31.220.2.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276865; rev:1;) alert tcp $HOME_NET any -> [101.52.247.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/getit"; depth:10; nocase; http.host; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276863; rev:1;) alert tcp $HOME_NET any -> [43.247.135.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5en1bjq8aauym2zgoy3k/ll_9354efa.js"; depth:35; nocase; http.host; content:"43.247.135.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/283479bd.php"; depth:13; nocase; http.host; content:"a0986534.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276860; rev:1;) alert tcp $HOME_NET any -> [104.36.229.16] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276858; rev:1;) alert tcp 
$HOME_NET any -> [193.168.141.64] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276859/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276859; rev:1;) alert tcp $HOME_NET any -> [45.84.0.48] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276853; rev:1;) alert tcp $HOME_NET any -> [172.104.183.19] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276852; rev:1;) alert tcp $HOME_NET any -> [74.50.84.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276851; rev:1;) alert tcp $HOME_NET any -> [154.204.56.185] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276850; rev:1;) alert tcp $HOME_NET any -> [82.157.149.243] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276849; rev:1;) alert tcp $HOME_NET any -> [101.43.104.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276848; rev:1;) alert tcp $HOME_NET any -> [154.246.228.229] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276847; rev:1;) alert tcp $HOME_NET any -> [94.49.26.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276846; rev:1;) alert tcp $HOME_NET any -> [85.107.186.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276845; rev:1;) alert tcp $HOME_NET any -> [37.107.5.240] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276844; rev:1;) alert tcp $HOME_NET any -> [39.40.159.20] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276843; rev:1;) alert tcp $HOME_NET any -> [202.169.39.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276842; rev:1;) alert tcp $HOME_NET any -> [54.174.87.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276841; rev:1;) alert tcp $HOME_NET any -> [54.174.87.114] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276840; rev:1;) alert tcp $HOME_NET any -> [66.85.173.32] 25532 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276839; rev:1;) alert tcp $HOME_NET any -> [206.237.4.54] 7443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276838; rev:1;) alert 
tcp $HOME_NET any -> [185.7.219.103] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0913612.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276836; rev:1;) alert tcp $HOME_NET any -> [180.131.145.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owa.lieamwalls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"profile.lieamwalls.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"email.lieamwalls.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.lieamwalls.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.lieamwalls.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lieamwalls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.php"; depth:6; nocase; http.host; content:"dovuzu3rz.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276825; rev:1;) alert tcp $HOME_NET any -> [5.161.81.32] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/marinabarros320168/new/main/execute_dll.exe"; depth:44; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alexiadarocha195267/rp/raw/main/execute_dll.zip"; depth:48; nocase; http.host; content:"raw.githubusercontent.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mir/index.php"; depth:14; nocase; http.host; content:"216.189.159.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_29; classtype:trojan-activity; sid:91276823; rev:1;) alert tcp $HOME_NET any -> [18.252.159.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276820/; target:src_ip; metadata: confidence_level 100, 
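first_seen 2024_05_29; classtype:trojan-activity; sid:91276820; rev:1;)
#
# Review notes for this section of the ThreatFox feed (rule bodies are unchanged; the
# section has only been re-flowed to one rule per physical line and annotated):
#
# - Layout: as rendered, several "alert ..." rules were run together on one physical line
#   and single rules were split across two lines. Suricata reads one rule per line (a
#   continued rule needs an explicit trailing backslash), so that form would not load.
#
# - "url" rules (http.method GET + http.uri + http.host, each content anchored with depth
#   and closed with isdataat:!1,relative) need an exact match on the whole URI and the
#   whole Host buffer: a different sub-domain, a longer path, or a non-GET method on the
#   same infrastructure is not covered. Direction is $HOME_NET -> $EXTERNAL_NET only and
#   only clear-text HTTP is inspected.
#
# - "ip:port" rules (alert tcp $HOME_NET any -> [ip] port) carry no flow keyword, so
#   they match the first TCP packet toward that destination - a lone SYN included - and
#   then rate-limit to one alert per source per 60 s (threshold ... track by_src). Treat
#   a hit as "attempted contact", not a confirmed session, and pivot on the reference
#   URL for the ThreatFox context. On port 80/443 toward shared or cloud address space
#   they will also catch unrelated traffic to that address.
#
# - "domain" rules match the exact queried name in dns_query (depth + isdataat:!1,relative,
#   nocase), regardless of whether the name resolves.
#
# - Several hosts appear both in a url rule and in an ip:port rule (e.g. 124.223.41.181,
#   15.206.69.211, 8.210.9.201, 101.43.228.249 vs 101.43.112.155 are distinct); because the
#   ip:port rule has no flow condition it will normally fire before the HTTP rule does.
#
# - The confidence level is carried in both msg and metadata (confidence_level N). The
#   50% / 75% entries are weaker indicators; consider routing them to lower-severity
#   alerting or sighting-only rather than blocking.
#
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/avatars"; depth:8; nocase; http.host; content:"hr-helpdesk.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.97.100.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.43.228.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276817; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276816; rev:1;)
# microsoft.kaspersky.xyz / microsoft.kasperzky.xyz: vendor look-alike names; both spellings are
# listed (url + dns each) and the host match is exact, so watch for further variants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"microsoft.kaspersky.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276814; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.kaspersky.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search"; depth:7; nocase; http.host; content:"64.23.177.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"meetlak.link"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276812; rev:1;)
alert tcp $HOME_NET any -> [162.33.177.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/show/miscellaneous/yg435fs33kc"; depth:31; nocase; http.host; content:"asterchildrenshoes.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276809; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asterchildrenshoes.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft.kasperzky.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276807; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"microsoft.kasperzky.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"64.7.199.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.121.133.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.54/ysl053kc7qd"; depth:25; nocase; http.host; content:"124.223.41.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276801; rev:1;)
alert tcp $HOME_NET any -> [124.223.41.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276802; rev:1;)
alert tcp $HOME_NET any -> [15.206.69.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"15.206.69.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"192.121.162.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"responsiveuikit.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.194.219.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276796; rev:1;)
# burdurpastane.com: one dns rule plus three url rules for distinct paths under /cdn-vs/;
# a fourth path on the same host would need its own rule because the URI match is exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276789; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"burdurpastane.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"burdurpastane.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"lilygovert91.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276793; rev:1;)
alert tcp $HOME_NET any -> [94.158.245.103] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"genevafarm.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276795; rev:1;)
# Short, generic-looking URIs (/ca, /cm, /cx, /sq, /ptj, /push, /load, /dpixel, /__utm.gif,
# /updates.rss, /activity ...): the host match is what gives these rules their specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.200.86.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276787; rev:1;)
alert tcp $HOME_NET any -> [8.210.9.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.210.9.201"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276782; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.35.42.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.173.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276780; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"159.138.131.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276779; rev:1;)
# 43.138.179.199 is referenced by three url rules (/j.ad, /dpixel, /push); a single host
# contacting several of these paths is a stronger signal than any one alert on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276777; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"113.200.137.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276776; rev:1;)
# Host below is a Microsoft-looking label under an unrelated domain; the match is on the full
# 36-byte name, so a bare "kunlunca.com" Host value would not trigger this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276774; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.130.30.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276772; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276771; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dutchdreamhorses.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276769; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"scada.paradizeconstruction.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276767; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.51] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276768; rev:1;)
alert tcp $HOME_NET any -> [79.110.62.25] 3608 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276766; rev:1;)
# The next four url rules use content:"/" with depth:1, which only requires the URI to begin
# with "/": in practice they alert on ANY GET to the listed host. Three of the four IPs
# (128.140.34.253, 116.202.190.18, 95.217.241.137) also have Vidar ip:port rules on 443 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.34.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.18"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276762; rev:1;)
alert tcp $HOME_NET any -> [116.202.190.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276760; rev:1;)
alert tcp $HOME_NET any -> [128.140.34.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276761; rev:1;)
alert tcp $HOME_NET any -> [95.217.241.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276759; rev:1;)
# /products/putty.zip and /products/reader.zip on ccwaterfall.com, i.wanblibang.com.cn and
# 192.177.51.248: trojanised-installer style paths. Note the differing confidence levels
# (putty.zip 100%, reader.zip 50%) on the same hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"ccwaterfall.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276733; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"i.wanblibang.com.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"ccwaterfall.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"i.wanblibang.com.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276732; rev:1;)
alert tcp $HOME_NET any -> [188.130.251.44] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276713; rev:1;)
alert tcp $HOME_NET any -> [158.160.14.246] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/reader.zip"; depth:20; nocase; http.host; content:"192.177.51.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jupyterlab.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ciston.nut.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_29; classtype:trojan-activity; sid:91276692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/products/putty.zip"; depth:19; nocase; http.host; content:"192.177.51.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"blockworks.one"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276738; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"tokenworks.io"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"dontcrydesignlab.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"doublertrailers.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276746; rev:1;)
# "Unknown malware" ip:port entries at 50% confidence, three of them on port 80: with no flow
# condition these alert on any outbound TCP packet to the address - expect noise if the IP is
# shared hosting; keep them on a low-severity path and validate before blocking.
alert tcp $HOME_NET any -> [91.107.126.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276758; rev:1;)
alert tcp $HOME_NET any -> [20.201.118.111] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276757; rev:1;)
alert tcp $HOME_NET any -> [92.63.103.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276756; rev:1;)
alert tcp $HOME_NET any -> [124.223.217.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276755; rev:1;)
alert tcp $HOME_NET any -> [149.104.24.124] 1088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276754; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.11] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276753; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.90] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276752; rev:1;)
alert tcp $HOME_NET any -> [122.51.194.153] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276751; rev:1;)
alert tcp $HOME_NET any -> [165.227.79.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276750; rev:1;)
alert tcp $HOME_NET any -> [195.54.160.90] 54320 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276749; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.183] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276748; rev:1;)
alert tcp $HOME_NET any -> [113.207.40.22] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_29; classtype:trojan-activity; sid:91276747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d9/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_29; classtype:trojan-activity; sid:91276745; rev:1;)
# Entries from here on carry first_seen 2024_05_28.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"175.178.227.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276736; rev:1;)
alert tcp $HOME_NET any -> [23.227.196.84] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276735; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sq"; depth:3; nocase; http.host; content:"94.232.249.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.200.86.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276726; rev:1;)
alert tcp $HOME_NET any -> [101.43.112.155] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.207.46.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276724; rev:1;)
alert tcp $HOME_NET any -> [51.79.134.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 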
http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"51.79.134.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.238.240.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276721; rev:1;) alert tcp $HOME_NET any -> [5.230.54.39] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"selltix.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum2/index.php"; depth:17; nocase; http.host; content:"otyt.ru"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276718; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/index.php"; depth:16; nocase; http.host; content:"selltix.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"176.58.121.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276716; rev:1;) alert tcp $HOME_NET any -> [174.138.184.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276712; rev:1;) alert tcp $HOME_NET any -> [106.54.61.66] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276711; rev:1;) alert tcp $HOME_NET any -> [81.69.248.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276710; rev:1;) alert tcp $HOME_NET any -> 
[172.111.174.67] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276709; rev:1;) alert tcp $HOME_NET any -> [8.147.119.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276708; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276706; rev:1;) alert tcp $HOME_NET any -> [209.38.50.170] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276707; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276705; rev:1;) alert tcp $HOME_NET any -> [185.140.12.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276704/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_28; classtype:trojan-activity; sid:91276704; rev:1;) alert tcp $HOME_NET any -> [195.123.225.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276703; rev:1;) alert tcp $HOME_NET any -> [195.123.225.88] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276702; rev:1;) alert tcp $HOME_NET any -> [185.22.64.121] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276701; rev:1;) alert tcp $HOME_NET any -> [46.183.25.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276700; rev:1;) alert tcp $HOME_NET any -> [101.75.251.49] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276699; rev:1;) alert tcp $HOME_NET any -> [163.181.100.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276698; rev:1;) alert tcp $HOME_NET any -> [37.27.92.9] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276697; rev:1;) alert tcp $HOME_NET any -> [79.154.35.27] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276696; rev:1;) alert tcp $HOME_NET any -> [89.116.110.27] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276695; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276694; rev:1;) alert tcp $HOME_NET any -> [23.95.60.82] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p/land.php"; depth:11; nocase; http.host; content:"ashleypuerner.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ashleypuerner.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/update.php"; depth:30; nocase; http.host; content:"sustaincharlotte.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jumbie.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276687/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reports.php"; depth:12; nocase; http.host; content:"digitalfreight.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276455/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-bear-spray-legal-in-ca-california-bear-spray-laws-explained/"; depth:64; nocase; http.host; content:"solar-audio.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276688; rev:1;) alert tcp $HOME_NET any -> [45.141.215.89] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276454; rev:1;) alert tcp $HOME_NET any -> [51.195.53.197] 13914 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9e2cad7d.php"; depth:13; nocase; http.host; content:"a0982426.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276452; rev:1;) alert tcp $HOME_NET any -> [47.106.154.91] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276451/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276451; rev:1;) alert tcp $HOME_NET any -> [109.107.182.39] 7771 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"iskorpion.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"159.100.30.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276445/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"66.42.55.224"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/login"; depth:6; nocase; http.host; content:"170.64.204.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"88.99.33.29"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"37.27.110.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"13.201.8.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metallc.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276439; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"128.199.82.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"hack.umbrel.online"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"telnet.8b8n.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276437; rev:1;) alert tcp $HOME_NET any -> [172.67.175.19] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276438; rev:1;) alert tcp $HOME_NET any -> [91.92.249.80] 4090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276436; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"52.66.138.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"47.245.94.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"165.232.156.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"82.115.17.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; 
nocase; http.host; content:"192.52.167.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"128.199.156.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"78.47.219.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"140.246.157.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"123.57.192.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276434/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/communicate/v7.55/oub6r9bd5p"; depth:29; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276431; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276432; rev:1;) alert tcp $HOME_NET any -> [47.76.44.105] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276430; rev:1;) alert tcp $HOME_NET any -> [47.117.156.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.117.156.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"119.45.224.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276426; rev:1;) alert tcp $HOME_NET any -> [119.45.224.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.45.224.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276425; rev:1;) alert tcp $HOME_NET any -> [119.45.224.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1276424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"122.51.2.91"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.196.202.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276420; rev:1;) alert tcp $HOME_NET any -> [121.196.202.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.216.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"175.178.227.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.254.149.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.134.122.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; 
content:"w.sanfor.club"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w.sanfor.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/zh-cn/lang.js"; depth:26; nocase; http.host; content:"1.92.81.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276412; rev:1;) alert tcp $HOME_NET any -> [1.92.81.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276413; rev:1;) alert tcp $HOME_NET any -> [85.209.133.248] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276406; rev:1;) alert tcp $HOME_NET any -> [80.76.49.162] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"super.shoppro.fun"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276400; rev:1;) alert tcp $HOME_NET any -> [159.89.247.83] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276401; rev:1;) alert tcp $HOME_NET any -> [162.120.71.116] 53421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276402; rev:1;) alert tcp $HOME_NET any -> [162.120.71.117] 53421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276403; rev:1;) alert tcp $HOME_NET any -> [80.253.246.4] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276371; rev:1;) alert tcp $HOME_NET any -> [3.94.10.34] 
80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"erxst.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276373; rev:1;) alert tcp $HOME_NET any -> [192.3.209.101] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276374; rev:1;) alert tcp $HOME_NET any -> [156.238.240.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"156.238.240.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo.css"; depth:7; nocase; http.host; content:"43.138.173.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276396; rev:1;) alert tcp $HOME_NET any -> [43.138.173.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276397; rev:1;) alert tcp $HOME_NET any -> [157.230.250.250] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.222.15.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276393; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276392; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276391; rev:1;)
# sid 91276390: the Host value below is an RFC 1918 address (192.168.3.187). With the usual
# $EXTERNAL_NET = !$HOME_NET this rule is unlikely ever to match, and if it does it points at a private
# host rather than Internet C2 - likely a submitter error in the source IOC. Review or disable before
# deploying this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"192.168.3.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276390; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276389; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; 
http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-ltwr9lk5-1319740527.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276384/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.180.146.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.99.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b8dmmmy2-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"service-b8dmmmy2-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.100.180.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coinbasenftapp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.fynndows.de"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myra.re"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/"; depth:5; nocase; http.host; content:"91.215.85.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/juranfile"; depth:10; nocase; http.host; content:"becorist.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/86.apk"; depth:7; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hanihani"; depth:9; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"185.215.113.31"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.bobungbu.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdffile"; depth:8; nocase; http.host; content:"menusand.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276361; rev:1;) alert tcp $HOME_NET any -> [103.177.35.32] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trani"; depth:6; nocase; http.host; content:"becorist.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_28; classtype:trojan-activity; sid:91276367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mp/cd/ddh.php"; depth:14; nocase; http.host; content:"readmemag.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"readmemag.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276370; rev:1;) alert tcp $HOME_NET any -> [103.151.239.121] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backup.identitynetwork.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupnet.identitynetwork.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv.identitynetwork.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1276355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tor-exit1.identitynetwork.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"identitynetwork.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxies.identitynetwork.top"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276358; rev:1;) alert tcp $HOME_NET any -> [92.63.193.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276352; rev:1;) alert tcp $HOME_NET any -> [5.78.105.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; 
classtype:trojan-activity; sid:91276351; rev:1;) alert tcp $HOME_NET any -> [86.38.247.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276350; rev:1;) alert tcp $HOME_NET any -> [114.115.220.199] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276349; rev:1;) alert tcp $HOME_NET any -> [8.218.239.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276348; rev:1;) alert tcp $HOME_NET any -> [49.113.77.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276347; rev:1;) alert tcp $HOME_NET any -> [1.13.195.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276346; rev:1;) alert tcp $HOME_NET any -> [106.14.22.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276345; rev:1;) alert tcp $HOME_NET any -> [103.114.163.246] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276344; rev:1;) alert tcp $HOME_NET any -> [122.51.1.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276343; rev:1;) alert tcp $HOME_NET any -> [2.50.38.57] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276342; rev:1;) alert tcp $HOME_NET any -> [77.124.100.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276341; rev:1;) alert tcp $HOME_NET any -> [4.236.60.242] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276340; rev:1;) alert tcp $HOME_NET any -> [20.55.194.105] 
443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276339; rev:1;) alert tcp $HOME_NET any -> [193.149.189.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276338; rev:1;) alert tcp $HOME_NET any -> [199.19.106.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276337; rev:1;) alert tcp $HOME_NET any -> [119.96.67.97] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276336; rev:1;) alert tcp $HOME_NET any -> [45.135.232.38] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_28; classtype:trojan-activity; sid:91276335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276333; rev:1;)
# The url rules here (sid 91276333 above, then 91276334, 91276332, 91276331) match the URI prefix "/"
# with depth:1, i.e. every GET to the named host. The three for 95.217.242.38 are identical apart from
# sid/reference, so one request raises three alerts; keep one and suppress the rest, or rely on the
# ip:port rules for that host that follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276334; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276331; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276328; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.38] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276329; rev:1;)
alert tcp $HOME_NET any -> [116.203.7.199] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276330; rev:1;)
alert tcp $HOME_NET any -> [95.217.242.38] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276327; rev:1;)
# sids 91276325 and 91276326 both cover 148.113.165.11:81 (Remcos) and differ only in confidence level
# (100% vs 75%); both alert on the same connection. If you dedupe, keep the higher-confidence one.
alert tcp $HOME_NET any -> [148.113.165.11] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276325; rev:1;)
alert tcp $HOME_NET any -> [148.113.165.11] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276326/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276326; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.7] 14563 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276324; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.69] 5555 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276320/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lolibes.nut.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fiseriy.nut.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276315; rev:1;) alert tcp $HOME_NET any -> [54.244.188.177] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276314; rev:1;) alert tcp $HOME_NET any -> [149.28.222.15] 44506 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276309; rev:1;) alert tcp $HOME_NET any -> [105.154.226.162] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"x555hd.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276289/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"unikorea.go.ci"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kakaoaccouts.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mofamail.homes"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mofamail.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; 
sid:91276281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apcorp.homes"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_28; classtype:trojan-activity; sid:91276280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"10xshares.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1276277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"10xshares.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276276; rev:1;) alert tcp $HOME_NET any -> [147.78.103.240] 1974 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276323; rev:1;) alert tcp $HOME_NET any -> [109.248.151.250] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_28; classtype:trojan-activity; sid:91276322; rev:1;) alert tcp $HOME_NET any -> [45.159.211.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.159.211.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/v3.44/z2u5lk0c"; depth:19; nocase; http.host; content:"193.233.75.241"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276317; rev:1;) alert tcp $HOME_NET any -> [91.92.249.107] 85 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276316; rev:1;) alert tcp $HOME_NET any -> [94.232.46.11] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276313; rev:1;) alert tcp $HOME_NET any -> [185.164.163.79] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276310/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276310; rev:1;) alert tcp $HOME_NET any -> [104.36.229.104] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276311; rev:1;) alert tcp $HOME_NET any -> [193.168.141.62] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276312; rev:1;) alert 
tcp $HOME_NET any -> [194.59.30.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276307; rev:1;) alert tcp $HOME_NET any -> [172.232.185.9] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276306; rev:1;) alert tcp $HOME_NET any -> [172.232.188.170] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276305; rev:1;) alert tcp $HOME_NET any -> [121.41.62.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276304; rev:1;) alert tcp $HOME_NET any -> [47.116.208.65] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276303; rev:1;) alert tcp $HOME_NET any -> [122.51.166.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1276302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276302; rev:1;) alert tcp $HOME_NET any -> [103.1.40.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276301; rev:1;) alert tcp $HOME_NET any -> [2.50.7.137] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276300; rev:1;) alert tcp $HOME_NET any -> [39.40.177.113] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276299; rev:1;) alert tcp $HOME_NET any -> [78.168.80.155] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276298; rev:1;) alert tcp $HOME_NET any -> [31.44.88.175] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276297; rev:1;) alert tcp $HOME_NET any -> [138.68.185.106] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276296; rev:1;) alert tcp $HOME_NET any -> [142.93.101.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276295; rev:1;) alert tcp $HOME_NET any -> [185.22.64.121] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276294; rev:1;) alert tcp $HOME_NET any -> [3.26.243.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276293; rev:1;) alert tcp $HOME_NET any -> [58.215.159.80] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276292; rev:1;) alert tcp $HOME_NET any -> [39.145.65.90] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276291; rev:1;) alert 
tcp $HOME_NET any -> [20.160.204.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91276290; rev:1;) alert tcp $HOME_NET any -> [156.232.192.118] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276288; rev:1;) alert tcp $HOME_NET any -> [154.219.163.74] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276287; rev:1;) alert tcp $HOME_NET any -> [154.219.151.246] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276286; rev:1;) alert tcp $HOME_NET any -> [197.202.219.104] 555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; 
nocase; http.host; content:"vilendar.ga"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"prolinice.ga"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276274/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91276274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"kostumn1.ilabserver.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276273; rev:1;) alert tcp $HOME_NET any -> [116.203.15.103] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276269; rev:1;) alert tcp $HOME_NET any -> [91.107.221.88] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276270; rev:1;) alert tcp $HOME_NET any -> [116.202.6.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276271; rev:1;) alert tcp $HOME_NET any -> [49.12.115.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276272; rev:1;) alert tcp $HOME_NET any -> [159.69.102.132] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276266; rev:1;) alert tcp $HOME_NET any -> [94.130.190.88] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276267; rev:1;) alert tcp $HOME_NET any -> [195.201.253.107] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276268; rev:1;) alert tcp $HOME_NET any -> [65.109.242.59] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276262; rev:1;) alert tcp $HOME_NET any -> [78.46.237.77] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276263; rev:1;) alert tcp $HOME_NET any -> [78.47.123.174] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276264; rev:1;) alert tcp $HOME_NET any -> [49.13.227.86] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276265; rev:1;) alert tcp $HOME_NET any -> [65.108.55.55] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276260; rev:1;) alert tcp $HOME_NET any -> [37.27.34.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1276261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.115.112"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1276259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.6.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"91.107.221.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.253.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.190.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.227.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.123.174"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.237.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.34.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199689717899"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276246; 
rev:1;)
# NOTE(review): the steamcommunity.com rule above (sid:91276246) and the t.me rule below are
# URL IOCs hosted on legitimate services; they look like dead-drop resolver lookups (the
# surrounding Vidar C2 rules share the same first_seen) — presumably reached over HTTPS in
# practice. An `alert http` rule only sees these requests on a sensor that terminates or
# decrypts TLS, or on an explicit-proxy leg; on a passive sensor pair each with a tls.sni /
# dns rule for the same host. The host match is exact (isdataat:!1,relative after http.host),
# so the depth-anchored URI prefix is what carries the signal — do not widen it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/copterwin"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276245; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.55.55"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1276244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91276244; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bookmycooks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; 
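content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275994; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"bookmycooks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"ycva887.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275996; rev:1;)
# FIX(review): the generated rule for ioc/1275991 tested content:"23.83.114.131" at depth:13 of
# http.uri and had no http.host test at all. A normalized origin-form request URI begins with "/"
# (an absolute-form proxy request with its scheme), so that rule could never fire — a dead IOC.
# Every other IP-hosted URL IOC in this feed is expressed as an exact http.host match
# (e.g. sid:91276244, sid:91276334); this rule now does the same. It assumes the IOC is the bare
# host http://23.83.114.131/ — a path, if the IOC had one, is not recoverable from the generated
# rule, so confirm against threatfox.abuse.ch/ioc/1275991/ before deploying. rev bumped to 2.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"23.83.114.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275991; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekenmarabatayfabanane.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275989; 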
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk"; depth:17; nocase; http.host; content:"kemerdekaradarderler32.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karalarlanasa.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"hakandakal2.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"manavhakanlar.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kiremithanedekiler.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kemerdekaradara123.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"main.cloudfronts.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kemerdekaradar.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"massakarada.shop"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1275983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 80%)"; dns_query; content:"dash.cloudflare.ovh"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275980; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32384 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"control-road.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dnacharting.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275977; rev:1;) alert tcp $HOME_NET any -> [77.221.151.54] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275960; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"116.114.20.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275975; rev:1;) alert tcp $HOME_NET any -> [112.124.5.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1275971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275971; rev:1;) alert tcp $HOME_NET any -> [38.180.146.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"38.180.146.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275968; rev:1;) alert tcp $HOME_NET any -> [45.138.157.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; 
depth:22; nocase; http.host; content:"45.138.157.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.51.85.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"123.60.99.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275963; rev:1;) alert tcp $HOME_NET any -> [45.128.232.15] 13322 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275962; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzjs.ceshi.ink"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.99.75.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275958; rev:1;) alert tcp $HOME_NET any -> [101.99.75.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arcade.shinjiku.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"arcade.shinjiku.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275956; rev:1;) alert tcp 
$HOME_NET any -> [116.114.20.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"116.114.20.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275954; rev:1;) alert tcp $HOME_NET any -> [154.219.154.72] 2001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"156.232.186.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275951/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_27; classtype:trojan-activity; sid:91275951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; content:"service-hjsbgio3-1324325235.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hjsbgio3-1324325235.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.60.90.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"shellmanaggggger.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shellmanaggggger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/font-awesome.css"; depth:28; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.26.46.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275942/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.97.58.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"162.14.102.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.26.46.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unio.bumbleshrimp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275931; rev:1;) alert tcp $HOME_NET any -> [194.26.192.147] 7244 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; 
classtype:trojan-activity; sid:91275935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.89.225.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbl841/index.php"; depth:17; nocase; http.host; content:"hqt3.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnmanymen.ydns.eu"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275929; rev:1;) alert tcp $HOME_NET any -> [45.137.22.173] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/register"; depth:17; nocase; http.host; content:"45.120.177.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gateway/report"; depth:15; nocase; http.host; content:"45.120.177.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275925; rev:1;) alert tcp $HOME_NET any -> [176.123.4.187] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275926; rev:1;) alert tcp $HOME_NET any -> [8.217.223.172] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275927; rev:1;) alert tcp $HOME_NET any -> [45.132.181.5] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275923; rev:1;) alert tcp $HOME_NET any -> [172.234.244.189] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275922; rev:1;) alert tcp $HOME_NET any -> [194.36.191.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275921; rev:1;) alert tcp $HOME_NET any -> [103.110.152.8] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275920; rev:1;) alert tcp $HOME_NET any -> [34.146.109.26] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275919; rev:1;) alert tcp $HOME_NET any -> [86.98.22.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275918; rev:1;) alert tcp $HOME_NET any -> [123.60.181.176] 443 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275917; rev:1;) alert tcp $HOME_NET any -> [95.144.6.229] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275916; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20025 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275915; rev:1;) alert tcp $HOME_NET any -> [146.70.80.94] 20004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275914; rev:1;) alert tcp $HOME_NET any -> [152.42.245.111] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_27; classtype:trojan-activity; sid:91275913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"fozkiv.xyz"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1275855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"wemdap.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"zupqel.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"rizyat.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"gikmuv.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275859; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xotpin.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"werboq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"nevdiz.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"hudxap.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kovjep.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"tupfij.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yiqvux.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"qowzef.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"leoyuz.top"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1275868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xepmeq.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"qidvob.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"gufwap.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"xulqir.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275872; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"lupzod.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edgewell.cam"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaragoza.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275910; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275902/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275902; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275900; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275901; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275898/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275898; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275899; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275894; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 10092 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275897/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275897; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275891; rev:1;) alert tcp $HOME_NET 
any -> [18.158.58.205] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275892; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 14522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275893/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275878; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elbied.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"elbied.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"juxleq.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_27; classtype:trojan-activity; sid:91275854; rev:1;) alert tcp $HOME_NET any -> [178.215.236.209] 1999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-japanese-weapon-laws-regulations-and-restrictions/"; depth:65; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275852/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d8/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"africa.thesmalladventureguide.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275853/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jscodecss.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275911; rev:1;) alert tcp $HOME_NET any -> [45.76.129.156] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275909; rev:1;) alert tcp $HOME_NET any -> [185.216.70.147] 6318 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; 
classtype:trojan-activity; sid:91275908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"edgewell.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275905/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_27; classtype:trojan-activity; sid:91275905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dv2/pws/fre.php"; depth:16; nocase; http.host; content:"edgewell.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275904; rev:1;) alert tcp $HOME_NET any -> [111.173.106.171] 53779 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_27; classtype:trojan-activity; sid:91275903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tophpsecureprocessprocessorwordpressdletemporary.php"; depth:53; nocase; http.host; content:"a0986030.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0986642.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"192.168.50.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275889; rev:1;) alert tcp $HOME_NET any -> [112.126.71.52] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.112.127.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275887; rev:1;) alert tcp $HOME_NET any -> [147.45.159.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.45.159.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalimagephppollsecurepacketcpuprocessdbtrack.php"; depth:54; nocase; http.host; content:"expectum.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.196.10.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.223.7.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275882; rev:1;) alert tcp $HOME_NET any -> [124.71.4.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ipv6test/test"; depth:14; nocase; http.host; content:"124.71.4.216"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275880; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275879; rev:1;) alert tcp $HOME_NET any -> [176.124.32.55] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275874/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.227.154.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; 
nocase; http.host; content:"152.32.202.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.133.149.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275849; rev:1;) alert tcp $HOME_NET any -> [81.200.148.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"81.200.148.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"209.38.242.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275846; rev:1;) alert tcp $HOME_NET any -> 
[109.107.181.140] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275845; rev:1;) alert tcp $HOME_NET any -> [94.154.172.154] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275844; rev:1;) alert tcp $HOME_NET any -> [124.220.28.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275843; rev:1;) alert tcp $HOME_NET any -> [103.40.161.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275842; rev:1;) alert tcp $HOME_NET any -> [101.184.153.168] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275841; rev:1;) alert tcp $HOME_NET any -> [194.219.215.105] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275840/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275840; rev:1;) alert tcp $HOME_NET any -> [5.163.250.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275839; rev:1;) alert tcp $HOME_NET any -> [118.161.16.91] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275838; rev:1;) alert tcp $HOME_NET any -> [51.20.124.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275837; rev:1;) alert tcp $HOME_NET any -> [193.239.86.162] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275836; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20042 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275835; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20024 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275834; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20033 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275833; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20041 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275832; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20052 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275831; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20051 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275830; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20044 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275829; rev:1;) alert 
tcp $HOME_NET any -> [185.234.216.209] 20043 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275828; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20050 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275827; rev:1;) alert tcp $HOME_NET any -> [223.111.199.81] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275826; rev:1;) alert tcp $HOME_NET any -> [45.77.136.43] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275825; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 17680 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275823; rev:1;) alert tcp $HOME_NET any -> [89.110.74.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275723/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"host-89-110-74-77.hosted-by-vdsina.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host-89-110-74-77.hosted-by-vdsina.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275722; rev:1;) alert tcp $HOME_NET any -> [43.139.248.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ir8o1y75-1324325235.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod/api/debug"; depth:15; nocase; http.host; 
content:"service-ir8o1y75-1324325235.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275718; rev:1;) alert tcp $HOME_NET any -> [107.173.101.131] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.js"; depth:26; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275716; rev:1;) alert tcp $HOME_NET any -> [120.46.202.105] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.116.125.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275714; rev:1;) alert tcp $HOME_NET any -> [111.230.117.136] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"111.230.117.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275712; rev:1;) alert tcp $HOME_NET any -> [152.69.199.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"free2.iwaf.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free2.iwaf.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.202.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275708; rev:1;) alert tcp $HOME_NET any -> [52.14.9.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"s2-charterschools.securportal.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275706; rev:1;) alert tcp $HOME_NET any -> [111.230.190.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"139.9.189.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275704/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_26; classtype:trojan-activity; sid:91275704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.107.4.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"112.124.5.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s2-charterschools.securportal.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275700; rev:1;) alert tcp $HOME_NET any -> [52.14.9.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"s2-charterschools.securportal.com"; 
depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275699; rev:1;) alert tcp $HOME_NET any -> [106.55.223.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"111.230.190.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"101.33.194.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"94.241.142.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275694; rev:1;) alert tcp $HOME_NET any -> 
[94.241.142.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.loginmicrosoftadmin.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275692; rev:1;) alert tcp $HOME_NET any -> [107.173.101.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search//uyc06653ba892e.js"; depth:26; nocase; http.host; content:"www.loginmicrosoftadmin.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-5ba7yjpl-1303971391.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275689/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_26; classtype:trojan-activity; sid:91275689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5ba7yjpl-1303971391.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275690; rev:1;) alert tcp $HOME_NET any -> [144.34.175.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"144.34.175.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auth.familysafty.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"familysafty.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; 
classtype:trojan-activity; sid:91275658; rev:1;)
# NOTE(review): the URL rules below (sid 91275663-91275670 and the head of
# 91275671) hard-code http.method "GET". A check-in that POSTs to the same
# host and path is not matched; if non-GET traffic to these .shop hosts is
# observed, drop the http.method test or add a POST variant under a new sid.
# http.host is compared exactly (content + depth + isdataat:!1,relative; it is
# the normalized hostname buffer, so a :port suffix should not break the
# match - confirm on your Suricata version), while http.uri "/api" with
# depth:4 is a prefix match, so "/api/..." and "/apiXYZ" both fire.
# Companion dns_query rules for the same hostnames are emitted as separate
# sids in this feed; keep the pairs in sync when tuning. Do not hand-edit the
# IOC values here - the file is regenerated from ThreatFox; raise corrections
# on the linked ioc page instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"babycandidateoswp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275663; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"museumtespaceorsp.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275664; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"buttockdecarderwiso.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"averageaattractiionsl.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"femininiespywageg.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"employhabragaomlsp.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stalfbaclcalorieeis.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"civilianurinedtsraov.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roomabolishsnifftwk.shop"; depth:24; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"babycandidateoswp.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"museumtespaceorsp.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buttockdecarderwiso.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averageaattractiionsl.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"femininiespywageg.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275676/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"employhabragaomlsp.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stalfbaclcalorieeis.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civilianurinedtsraov.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roomabolishsnifftwk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"employeedscratshj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275681/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"employeedscratshj.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"netwire2021.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"729231cm.n9shteam1.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"86t7b9br9.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275654; rev:1;) alert tcp $HOME_NET any -> [94.156.65.172] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275648; rev:1;) alert tcp $HOME_NET any -> 
[43.226.229.43] 2030 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275651; rev:1;) alert tcp $HOME_NET any -> [23.95.88.13] 3360 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275650; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 3042 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njratnew.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275653; rev:1;) alert tcp $HOME_NET any -> [34.246.200.160] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275683; rev:1;) alert tcp $HOME_NET any -> [118.194.235.187] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275686; rev:1;) alert tcp $HOME_NET any -> [105.154.228.100] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275685; rev:1;) alert tcp $HOME_NET any -> [194.59.31.74] 5552 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"lobulraualov.in.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"guteyr.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; 
http.host; content:"greendag.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"dbfhns.in"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275659/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"729231cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275649; rev:1;) alert tcp $HOME_NET any -> [62.109.21.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275647; rev:1;) alert tcp $HOME_NET any -> [74.48.84.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275646; rev:1;) alert tcp $HOME_NET any -> [154.198.224.117] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275645; rev:1;)
# NOTE(review): the ip:port rules below carry no flow: keyword, so any packet
# from $HOME_NET to the listed destination - including a lone SYN from a
# scanner or a misdirected client - raises the alert; "threshold: type limit,
# track by_src, seconds 60, count 1" only suppresses repeats from the same
# internal host for 60 s, it does not require an established session.
# Most of these entries are confidence_level 50 ("Unknown malware", QakBot,
# Havoc, BianLian) with first_seen 2024_05_26, and rented server addresses
# change hands, so treat a hit as a triage lead (check the linked ThreatFox
# ioc page) rather than grounds for blocking. A local copy that wants less
# scanner noise could add "flow:to_server,established;" ahead of threshold -
# that is a site tuning choice, not part of the upstream feed, and this file
# is regenerated from ThreatFox so hand edits here will be overwritten.
alert tcp $HOME_NET any -> [66.94.103.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275644; rev:1;)
alert tcp $HOME_NET any -> [42.51.38.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275643; rev:1;)
alert tcp $HOME_NET any -> [150.109.154.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275642; rev:1;)
alert tcp $HOME_NET any -> [139.59.73.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275641; rev:1;)
alert tcp $HOME_NET any -> [194.219.106.103] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275640; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.221] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275639; rev:1;)
alert tcp $HOME_NET any -> [158.160.172.199] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275638; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.156] 21132 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275637; rev:1;)
alert tcp $HOME_NET any -> [195.88.87.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_26; classtype:trojan-activity; sid:91275636; rev:1;)
alert tcp $HOME_NET any -> [65.0.92.162] 1337 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/assets/crx/xiaomi%20service_pmp.apk"; depth:36; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275492; rev:1;) alert tcp $HOME_NET any -> [65.2.129.159] 80 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_dp.apk"; depth:35; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service.apk"; depth:32; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; 
sid:91275489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/t.apk"; depth:13; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20security.apk"; depth:34; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service%20ddp.apk"; depth:38; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/mui%20security_dropper.apk"; depth:41; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_pmp.apk"; depth:36; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275482; rev:1;)
# --- Review notes (auto-generated ThreatFox feed; the rules are unchanged, one per line) ---
# * The .apk rules match on http.uri, Suricata's normalized URI buffer, where
#   libhtp percent-decodes the path by default; a literal "%20" in content: is
#   therefore unlikely to match. Test before relying on them; http.uri.raw or
#   |20| is the usual fix — confirm against your libhtp uri settings.
# * ec2-65-2-129-159.ap-south-1.compute.amazonaws.com is the EC2 default public
#   hostname for 65.2.129.159 (the address is embedded in the name), so these
#   Host pins track the IP, not the actor, and expire together with it.
# * The http.host pin is exact (depth == length, isdataat:!1,relative); the path
#   is only prefix-matched, so "/assets/t.apk?x=1" still hits.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/t.apk"; depth:13; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20_securitym.apk"; depth:36; nocase; http.host; content:"65.2.129.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service_dp.apk"; depth:35; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service%20ddp.apk"; depth:38; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/crx/xiaomi%20service.apk"; depth:32; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20_securitym.apk"; depth:36; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/mui%20security_dropper.apk"; depth:41; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/tester/miui%20security.apk"; depth:34; nocase; http.host; content:"ec2-65-2-129-159.ap-south-1.compute.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275478; rev:1;)
# NOTE(review): ip:port rules have no flow: keyword, so they alert on any packet
# toward the socket (a SYN, a scan); the threshold only limits repeats to one
# alert per source per 60 s. Add flow:to_server,established for sessions only.
alert tcp $HOME_NET any -> [84.247.179.77] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275475; rev:1;)
# NOTE(review): dns_query with depth == length and isdataat:!1,relative matches
# the exact name only (no labels under it) and assumes the query itself crosses
# $HOME_NET -> $EXTERNAL_NET; behind an internal resolver only the resolver's
# upstream lookup triggers. duckdns.org names are dynamic DNS, so the domain
# rule, not an IP pin, is the durable indicator here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botuser0.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botusesr472.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275496; rev:1;)
alert tcp $HOME_NET any -> [209.25.143.181] 17370 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275497; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 14200 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_26; classtype:trojan-activity; sid:91275628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984236.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984984.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forum/viewtopic.php"; depth:20; nocase; http.host; content:"198.74.55.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275633; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.186] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_26; classtype:trojan-activity; sid:91275632; rev:1;)
alert tcp $HOME_NET any -> [45.142.36.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/i5y78cwpvberrzcqw9mlrb8t8wlu"; depth:33; nocase; http.host; content:"pt-security.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275629; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pt-security.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275630; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275627; rev:1;)
alert tcp $HOME_NET any -> [103.244.226.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; 
classtype:trojan-activity; sid:91275626; rev:1;)
# --- Review notes (auto-generated ThreatFox feed; the rules are unchanged, one per line) ---
# * ip:port rules have no flow: keyword: they alert on any packet toward the
#   socket, including an unanswered SYN or an internal scanner, and the
#   threshold only caps repeats to one alert per source per 60 s. The
#   confidence_level 50 entries below (Unknown malware, Havoc, DCRat, QakBot,
#   Deimos on 80/443/995/1024/4505/7443) are leads, not verdicts; age them out
#   using first_seen in metadata, since hosting IPs are recycled.
alert tcp $HOME_NET any -> [27.0.235.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275625; rev:1;)
alert tcp $HOME_NET any -> [45.77.65.118] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275624; rev:1;)
alert tcp $HOME_NET any -> [39.40.148.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275623; rev:1;)
alert tcp $HOME_NET any -> [158.160.166.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275622; rev:1;)
alert tcp $HOME_NET any -> [158.160.140.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275621; rev:1;)
alert tcp $HOME_NET any -> [162.216.243.183] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275620; rev:1;)
alert tcp $HOME_NET any -> [164.90.253.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275619; rev:1;)
alert tcp $HOME_NET any -> [117.103.116.78] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275618; rev:1;)
alert tcp $HOME_NET any -> [24.181.166.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275617; rev:1;)
# NOTE(review): url rules pin http.host exactly (depth == length plus
# isdataat:!1,relative) but only prefix-match http.uri, so longer paths and
# query strings on that host still match. "/mozi.m" is a 50%-confidence
# payload-delivery entry; the very short paths that follow ("/activity",
# "/dpixel") are characteristic of stock Cobalt Strike profiles and are not
# unique on their own — the Host pin is what makes each rule specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.7.220.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275616; rev:1;)
# NOTE(review): the Host below imitates a Sublime Text update host on a
# workers.dev subdomain; because the Host pin is exact, genuine sublimetext
# update traffic is not matched by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"updates.sublimetext.workers.dev"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275614; rev:1;)
# NOTE(review): dns_query with depth == length and isdataat:!1,relative is an
# exact-name match (no labels under it); it also assumes the query crosses
# $HOME_NET -> $EXTERNAL_NET, so behind an internal resolver only the
# resolver's upstream lookup triggers.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.sublimetext.workers.dev"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275615; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 36946 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275474; rev:1;)
alert tcp $HOME_NET any -> [81.4.109.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275473; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.4.109.230"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275472; rev:1;)
alert tcp $HOME_NET any -> [159.75.141.193] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"159.75.141.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"119.91.242.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"1.14.242.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275468; rev:1;)
alert tcp $HOME_NET any -> [119.91.242.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.21.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275466; rev:1;)
alert tcp $HOME_NET any -> [171.214.210.223] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275465; rev:1;)
alert tcp $HOME_NET any -> [45.76.153.153] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"catseven.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catseven.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275463; rev:1;)
alert tcp $HOME_NET any -> [82.157.182.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275461; rev:1;)
# --- Review notes (auto-generated ThreatFox feed; the rules are unchanged, one per line) ---
# * url rules pin http.host exactly (depth == length plus isdataat:!1,relative)
#   but only prefix-match http.uri. The short paths in this group ("/j.ad",
#   "/push", "/pixel", "/pixel.gif", "/g.pixel", "/ca", "/en_us/all.js",
#   "/ie9compatviewlist.xml", "/_/scs/mail-static/_/js/") are characteristic of
#   stock Cobalt Strike profiles and are not unique by themselves; the Host pin
#   is what makes each rule specific. "/ca" with depth:3 in particular matches
#   any path starting with "/ca" on 39.100.117.165, which is effectively a
#   per-host rule.
# * ip:port rules carry no flow: keyword and so alert on any packet toward the
#   socket (a SYN, an internal scan); the threshold only caps repeats to one
#   alert per source per 60 s. Add flow:to_server,established for sessions only.
# * dns_query rules with depth == length and isdataat:!1,relative match the
#   exact name only and assume the query crosses $HOME_NET -> $EXTERNAL_NET;
#   behind an internal resolver only the resolver's upstream lookup triggers.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"82.157.182.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.89.225.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.12.55.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghs.lidajun.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275457; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"ghs.lidajun.lol"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275456; rev:1;)
alert tcp $HOME_NET any -> [103.253.43.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275455; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"103.253.43.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275454; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.106.154.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275453; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/get_page_config"; depth:24; nocase; http.host; content:"111.230.112.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275452; rev:1;)
alert tcp $HOME_NET any -> [39.100.117.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275451; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.100.117.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275450; rev:1;)
alert tcp $HOME_NET any -> [106.53.76.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.53.76.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.78.217.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"47.242.0.17"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275446; rev:1;)
alert tcp $HOME_NET any -> [194.62.250.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"certificatecenter.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"certificatecenter.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.100.117.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275442; rev:1;)
alert tcp $HOME_NET any -> [156.236.72.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"156.236.72.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275440; rev:1;)
alert tcp $HOME_NET any -> [193.112.148.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"119.91.242.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"106.53.111.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"193.112.148.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275436; rev:1;)
alert tcp $HOME_NET any -> [65.108.232.23] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275428; rev:1;)
alert tcp $HOME_NET any -> [5.182.86.95] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275434/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.51.45.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.15.247.249"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"121.36.81.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.98.251.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275423; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.52.1.169"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275420; rev:1;) alert tcp $HOME_NET any -> [185.52.1.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275421; rev:1;) alert tcp $HOME_NET any -> [159.223.86.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baznas.dompetdhuaafa.biz.id"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"baznas.dompetdhuaafa.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275416; rev:1;) alert tcp $HOME_NET any -> [111.223.247.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.222.129.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275413; rev:1;) alert tcp $HOME_NET any -> [123.60.48.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"123.60.48.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaisa_image/"; depth:13; nocase; http.host; content:"123.60.104.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275410/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_25; classtype:trojan-activity; sid:91275410; rev:1;) alert tcp $HOME_NET any -> [93.123.39.12] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275348; rev:1;) alert tcp $HOME_NET any -> [121.43.176.110] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275370; rev:1;) alert tcp $HOME_NET any -> [178.128.92.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275371; rev:1;) alert tcp $HOME_NET any -> [98.71.132.101] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275372; rev:1;) alert tcp $HOME_NET any -> [18.176.67.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275366; rev:1;) alert tcp $HOME_NET any -> [120.26.203.206] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275367/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275367; rev:1;) alert tcp $HOME_NET any -> [91.107.207.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275368; rev:1;) alert tcp $HOME_NET any -> [2.207.107.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275369; rev:1;) alert tcp $HOME_NET any -> [20.234.212.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275361; rev:1;) alert tcp $HOME_NET any -> [89.44.199.196] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275362; rev:1;) alert tcp $HOME_NET any -> [20.234.209.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275363; rev:1;) 
alert tcp $HOME_NET any -> [52.73.128.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275364/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275364; rev:1;) alert tcp $HOME_NET any -> [20.16.73.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275365; rev:1;) alert tcp $HOME_NET any -> [172.187.154.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275356; rev:1;) alert tcp $HOME_NET any -> [20.231.230.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275357; rev:1;) alert tcp $HOME_NET any -> [35.226.15.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275358; rev:1;) alert tcp $HOME_NET any -> [73.15.226.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275359; rev:1;) alert tcp $HOME_NET any -> [20.234.212.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275360; rev:1;) alert tcp $HOME_NET any -> [34.219.143.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275351; rev:1;) alert tcp $HOME_NET any -> [3.133.126.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275352; rev:1;) alert tcp $HOME_NET any -> [52.32.75.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275353; rev:1;) alert tcp $HOME_NET any -> [138.197.156.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275354; rev:1;) alert tcp $HOME_NET any -> [143.198.116.46] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275355; rev:1;) alert tcp $HOME_NET any -> [35.222.211.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275349; rev:1;) alert tcp $HOME_NET any -> [147.211.222.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275350; rev:1;) alert tcp $HOME_NET any -> [217.12.200.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275347; rev:1;) alert tcp $HOME_NET any -> [158.160.71.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275337/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275337; rev:1;) alert tcp $HOME_NET any -> [159.223.0.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275338/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275338; rev:1;) alert tcp $HOME_NET any -> [161.35.207.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275339/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275339; rev:1;) alert tcp $HOME_NET any -> [172.174.105.127] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275340/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275340; rev:1;) alert tcp $HOME_NET any -> [172.201.107.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275341; rev:1;) alert tcp $HOME_NET any -> [185.16.43.59] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275342/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275342; rev:1;) alert tcp $HOME_NET any -> [185.158.94.217] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275343/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275343; rev:1;) alert tcp $HOME_NET any -> [185.178.46.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275344; rev:1;) alert tcp $HOME_NET any -> [201.243.95.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275345; rev:1;) alert tcp $HOME_NET any -> [210.215.129.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275346; rev:1;) alert tcp $HOME_NET any -> [122.114.252.179] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275324; rev:1;) alert tcp $HOME_NET any -> [128.199.59.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275325; rev:1;) alert tcp $HOME_NET any -> [129.226.154.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275326/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; 
classtype:trojan-activity; sid:91275326; rev:1;) alert tcp $HOME_NET any -> [134.209.171.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275327/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275327; rev:1;) alert tcp $HOME_NET any -> [135.181.205.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275328; rev:1;) alert tcp $HOME_NET any -> [137.184.39.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275329/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275329; rev:1;) alert tcp $HOME_NET any -> [138.197.66.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275330/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275330; rev:1;) alert tcp $HOME_NET any -> [142.93.74.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275331; rev:1;) alert tcp $HOME_NET any -> [143.198.233.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275332; rev:1;) alert tcp $HOME_NET any -> [146.148.110.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275333; rev:1;) alert tcp $HOME_NET any -> [147.45.150.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275334; rev:1;) alert tcp $HOME_NET any -> [149.104.26.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275335/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275335; rev:1;) alert tcp $HOME_NET any -> [152.42.162.105] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275336/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275336; rev:1;) alert tcp $HOME_NET any -> [47.242.227.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275306/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275306; rev:1;) alert tcp $HOME_NET 
any -> [51.250.108.206] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275307; rev:1;) alert tcp $HOME_NET any -> [52.14.189.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275308/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275308; rev:1;) alert tcp $HOME_NET any -> [54.74.198.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275309/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275309; rev:1;) alert tcp $HOME_NET any -> [54.183.137.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275310/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275310; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275311; rev:1;) alert tcp $HOME_NET any -> [64.23.149.255] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275312/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275312; rev:1;) alert tcp $HOME_NET any -> [65.20.72.205] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275313; rev:1;) alert tcp $HOME_NET any -> [68.183.69.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275314; rev:1;) alert tcp $HOME_NET any -> [94.131.8.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275315; rev:1;) alert tcp $HOME_NET any -> [95.217.6.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275316; rev:1;) alert tcp $HOME_NET any -> [107.172.159.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275317; rev:1;) alert tcp $HOME_NET any -> [118.31.164.200] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275318/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275318; rev:1;) alert tcp $HOME_NET any -> [120.27.139.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275319/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275319; rev:1;) alert tcp $HOME_NET any -> [121.40.157.89] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275320/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275320; rev:1;) alert tcp $HOME_NET any -> [121.43.166.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275321; rev:1;) alert tcp $HOME_NET any -> [121.127.33.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275322; rev:1;) alert tcp $HOME_NET any -> [121.199.0.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275323/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; 
classtype:trojan-activity; sid:91275323; rev:1;) alert tcp $HOME_NET any -> [20.186.89.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275288; rev:1;) alert tcp $HOME_NET any -> [20.229.189.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275289/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275289; rev:1;) alert tcp $HOME_NET any -> [34.16.7.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275290/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275290; rev:1;) alert tcp $HOME_NET any -> [34.31.178.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275291/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275291; rev:1;) alert tcp $HOME_NET any -> [34.171.128.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275292; rev:1;) alert tcp $HOME_NET any -> [35.153.232.88] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275293; rev:1;) alert tcp $HOME_NET any -> [35.163.149.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275294; rev:1;) alert tcp $HOME_NET any -> [35.177.104.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275295/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275295; rev:1;) alert tcp $HOME_NET any -> [35.239.106.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275296/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275296; rev:1;) alert tcp $HOME_NET any -> [37.187.118.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275297/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275297; rev:1;) alert tcp $HOME_NET any -> [44.224.147.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275298/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275298; rev:1;) alert tcp $HOME_NET any -> 
[45.133.238.221] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275299/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275299; rev:1;) alert tcp $HOME_NET any -> [47.74.90.4] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275300/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275300; rev:1;) alert tcp $HOME_NET any -> [47.76.61.241] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275301/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275301; rev:1;) alert tcp $HOME_NET any -> [47.96.141.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275302; rev:1;) alert tcp $HOME_NET any -> [47.96.141.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275303; rev:1;) alert tcp $HOME_NET any -> [47.96.254.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275304/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275304; rev:1;) alert tcp $HOME_NET any -> [47.99.102.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275305/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275305; rev:1;) alert tcp $HOME_NET any -> [3.16.25.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275279; rev:1;) alert tcp $HOME_NET any -> [3.23.94.235] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275280/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275280; rev:1;) alert tcp $HOME_NET any -> [3.82.197.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275281/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275281; rev:1;) alert tcp $HOME_NET any -> [3.144.95.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275282; rev:1;) alert tcp $HOME_NET any -> [5.255.116.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275283; rev:1;) alert tcp $HOME_NET any -> [13.40.187.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275284; rev:1;) alert tcp $HOME_NET any -> [13.50.224.236] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275285/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275285; rev:1;) alert tcp $HOME_NET any -> [13.58.109.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275286; rev:1;) alert tcp $HOME_NET any -> [13.238.128.178] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275287; rev:1;) alert tcp $HOME_NET any -> [178.128.208.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; 
classtype:trojan-activity; sid:91275278; rev:1;) alert tcp $HOME_NET any -> [165.22.217.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275277/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275277; rev:1;) alert tcp $HOME_NET any -> [206.189.140.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275276/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275276; rev:1;) alert tcp $HOME_NET any -> [18.208.232.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275275/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275275; rev:1;) alert tcp $HOME_NET any -> [134.122.204.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275274/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275274; rev:1;) alert tcp $HOME_NET any -> [34.146.210.0] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275273; rev:1;) alert tcp $HOME_NET any -> [89.117.1.117] 14431 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275272; rev:1;) alert tcp $HOME_NET any -> [3.145.14.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275271; rev:1;) alert tcp $HOME_NET any -> [200.234.232.64] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275270; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275269; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 5060 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liviste8888.softether.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sight.geoportal.co.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bitdefenderupdate.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smlivin.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275250; rev:1;) alert tcp $HOME_NET any -> [184.105.237.195] 10008 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tiktokshoppro.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manual.php"; depth:11; nocase; http.host; content:"andylaub.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vpn340948845.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1275256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_25; classtype:trojan-activity; sid:91275256; rev:1;) alert tcp $HOME_NET any -> [41.142.211.38] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_25; classtype:trojan-activity; sid:91275265; rev:1;) alert tcp $HOME_NET any -> [154.12.93.14] 13855 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275267; rev:1;) alert tcp $HOME_NET any -> [65.21.63.6] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_25; classtype:trojan-activity; sid:91275266; rev:1;) alert tcp $HOME_NET any -> [160.177.77.232] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275264/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_25; classtype:trojan-activity; sid:91275264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.242.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275263; rev:1;) alert tcp $HOME_NET any -> [47.99.151.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.99.151.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.100.244.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275260; rev:1;) alert tcp $HOME_NET any -> [191.88.248.178] 3008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1275259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275259; rev:1;) alert tcp $HOME_NET any -> [74.48.9.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"74.48.9.144"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1275257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275257; rev:1;) alert tcp $HOME_NET any -> [20.117.108.240] 7825 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91275254; rev:1;) alert tcp $HOME_NET any -> [5.252.176.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274957; rev:1;) alert tcp $HOME_NET any -> [159.65.210.12] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274958; 
rev:1;) alert tcp $HOME_NET any -> [178.62.57.69] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274959; rev:1;) alert tcp $HOME_NET any -> [185.244.181.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274961; rev:1;) alert tcp $HOME_NET any -> [18.119.104.19] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274960; rev:1;) alert tcp $HOME_NET any -> [138.68.81.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274962; rev:1;) alert tcp $HOME_NET any -> [138.197.113.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274963; rev:1;) alert tcp $HOME_NET any -> [93.95.231.98] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274964/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274964; rev:1;) alert tcp $HOME_NET any -> [176.36.20.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274965; rev:1;) alert tcp $HOME_NET any -> [159.203.173.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274966; rev:1;) alert tcp $HOME_NET any -> [178.170.13.122] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274968; rev:1;) alert tcp $HOME_NET any -> [167.172.27.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274967; rev:1;) alert tcp $HOME_NET any -> [45.120.178.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274969; rev:1;) alert tcp $HOME_NET any -> [144.91.123.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274970; rev:1;) alert tcp $HOME_NET any -> [178.62.203.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274971; rev:1;) alert tcp $HOME_NET any -> [146.190.20.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274972; rev:1;) alert tcp $HOME_NET any -> [35.189.178.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274973; rev:1;) alert tcp $HOME_NET any -> [159.100.22.133] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274974; rev:1;) alert tcp $HOME_NET any -> [42.96.32.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274976; rev:1;) alert tcp $HOME_NET 
any -> [130.215.28.105] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274975; rev:1;) alert tcp $HOME_NET any -> [201.87.237.3] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274977; rev:1;) alert tcp $HOME_NET any -> [104.194.79.234] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274978; rev:1;) alert tcp $HOME_NET any -> [191.233.248.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274979; rev:1;) alert tcp $HOME_NET any -> [191.233.254.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274980; rev:1;) alert tcp $HOME_NET any -> [178.128.39.255] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274982/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274982; rev:1;) alert tcp $HOME_NET any -> [120.46.91.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274981; rev:1;) alert tcp $HOME_NET any -> [134.122.51.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274983; rev:1;) alert tcp $HOME_NET any -> [85.203.42.194] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274984; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 41021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"every-unnecessary.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274986; rev:1;) alert tcp $HOME_NET any -> [38.62.245.19] 4747 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manymen7.ydns.eu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274993; rev:1;) alert tcp $HOME_NET any -> [91.92.252.201] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91275234; rev:1;) alert tcp $HOME_NET any -> [23.95.182.29] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275246; rev:1;) alert tcp $HOME_NET any -> [147.45.69.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275245; rev:1;) alert tcp $HOME_NET any -> [106.75.75.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91275244; rev:1;) alert tcp $HOME_NET any -> [128.199.184.87] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275243; rev:1;) alert tcp $HOME_NET any -> [52.200.215.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275242; rev:1;) alert tcp $HOME_NET any -> [3.99.177.194] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275241; rev:1;) alert tcp $HOME_NET any -> [78.41.139.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275240; rev:1;) alert tcp $HOME_NET any -> [176.107.154.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275239; rev:1;) alert tcp $HOME_NET any -> [147.135.92.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275238/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275238; rev:1;) alert tcp $HOME_NET any -> [39.185.245.209] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275237; rev:1;) alert tcp $HOME_NET any -> [106.52.75.125] 30001 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275236; rev:1;) alert tcp $HOME_NET any -> [106.52.75.125] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1275235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91275235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.101.130.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274990; rev:1;) alert tcp $HOME_NET any -> [39.101.130.53] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274991; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"43.136.176.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"117.50.178.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverwordpress/protonphpprovider9/baselinecentraltrack/tempexternalbetter/1to/traffic/packetpipeuploads/externalgenerator4javascript/9auth1db/sqllinuxasync3/pipephpjscpuauthbigloadtrafficwordpresswppublic.php"; depth:210; nocase; http.host; content:"89.111.173.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274987; rev:1;) alert tcp $HOME_NET any -> [174.138.179.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274954; rev:1;) alert tcp $HOME_NET any -> [8.222.228.156] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274955; rev:1;) alert tcp $HOME_NET any -> [8.222.253.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274956; rev:1;) alert tcp $HOME_NET any -> [206.166.251.243] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274947; rev:1;) alert tcp $HOME_NET any -> [192.253.234.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274948; rev:1;) alert tcp $HOME_NET any -> [161.35.135.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274949; rev:1;) alert tcp $HOME_NET any -> [167.71.205.181] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274950; 
rev:1;) alert tcp $HOME_NET any -> [107.148.77.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274951; rev:1;) alert tcp $HOME_NET any -> [146.70.54.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274952; rev:1;) alert tcp $HOME_NET any -> [35.91.159.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274953; rev:1;) alert tcp $HOME_NET any -> [37.220.86.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274939; rev:1;) alert tcp $HOME_NET any -> [82.147.84.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274940; rev:1;) alert tcp $HOME_NET any -> [45.79.139.29] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274941/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274941; rev:1;) alert tcp $HOME_NET any -> [185.142.184.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274942; rev:1;) alert tcp $HOME_NET any -> [95.164.18.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274943; rev:1;) alert tcp $HOME_NET any -> [8.213.220.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274944; rev:1;) alert tcp $HOME_NET any -> [91.92.242.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274945; rev:1;) alert tcp $HOME_NET any -> [206.119.167.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274946; rev:1;) alert tcp $HOME_NET any -> [64.23.213.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274931; rev:1;) alert tcp $HOME_NET any -> [168.100.11.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274932; rev:1;) alert tcp $HOME_NET any -> [38.207.149.95] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274933; rev:1;) alert tcp $HOME_NET any -> [38.207.149.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274934; rev:1;) alert tcp $HOME_NET any -> [38.207.149.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274935; rev:1;) alert tcp $HOME_NET any -> [94.158.247.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274936; rev:1;) alert tcp $HOME_NET any 
-> [38.207.149.94] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274937; rev:1;) alert tcp $HOME_NET any -> [38.207.149.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274938; rev:1;) alert tcp $HOME_NET any -> [185.216.68.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274924; rev:1;) alert tcp $HOME_NET any -> [139.162.73.120] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274925; rev:1;) alert tcp $HOME_NET any -> [47.242.116.142] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274926; rev:1;) alert tcp $HOME_NET any -> [5.161.212.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274927/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274927; rev:1;) alert tcp $HOME_NET any -> [150.109.254.40] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274928; rev:1;) alert tcp $HOME_NET any -> [78.47.126.26] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274929; rev:1;) alert tcp $HOME_NET any -> [134.209.173.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274930; rev:1;) alert tcp $HOME_NET any -> [107.148.37.171] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274917; rev:1;) alert tcp $HOME_NET any -> [191.233.253.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274918; rev:1;) alert tcp $HOME_NET any -> [202.129.16.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274919; rev:1;) alert tcp $HOME_NET any -> [213.148.1.16] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274920; rev:1;) alert tcp $HOME_NET any -> [45.9.148.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274921; rev:1;) alert tcp $HOME_NET any -> [34.23.66.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274922; rev:1;) alert tcp $HOME_NET any -> [135.181.205.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274923; rev:1;) alert tcp $HOME_NET any -> [23.236.66.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274908; rev:1;) alert tcp $HOME_NET any -> [89.221.225.207] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274909; rev:1;) alert tcp $HOME_NET any -> [149.104.1.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274910; rev:1;) alert tcp $HOME_NET any -> [94.198.54.193] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274911; rev:1;) alert tcp $HOME_NET any -> [51.159.234.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274912; rev:1;) alert tcp $HOME_NET any -> [191.233.249.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274913; rev:1;) alert tcp $HOME_NET any -> [162.120.71.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274914/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_24; classtype:trojan-activity; sid:91274914; rev:1;) alert tcp $HOME_NET any -> [34.16.110.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274915; rev:1;) alert tcp $HOME_NET any -> [143.47.225.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274916; rev:1;) alert tcp $HOME_NET any -> [138.128.247.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274901; rev:1;) alert tcp $HOME_NET any -> [185.113.8.148] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274902; rev:1;) alert tcp $HOME_NET any -> [54.179.178.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274903; rev:1;) alert tcp $HOME_NET any -> [5.199.161.21] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1274904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274904; rev:1;) alert tcp $HOME_NET any -> [158.220.115.82] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274905; rev:1;) alert tcp $HOME_NET any -> [174.138.179.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274906; rev:1;) alert tcp $HOME_NET any -> [87.248.156.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274907; rev:1;) alert tcp $HOME_NET any -> [207.148.81.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274894; rev:1;) alert tcp $HOME_NET any -> [185.186.245.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274895; rev:1;) alert tcp $HOME_NET any -> [34.93.210.165] 31337 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274896; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274897; rev:1;) alert tcp $HOME_NET any -> [16.163.146.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274898; rev:1;) alert tcp $HOME_NET any -> [81.17.103.110] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274899; rev:1;) alert tcp $HOME_NET any -> [57.128.87.135] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274900; rev:1;) alert tcp $HOME_NET any -> [217.195.153.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; 
classtype:trojan-activity; sid:91274887; rev:1;) alert tcp $HOME_NET any -> [194.87.252.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274888; rev:1;) alert tcp $HOME_NET any -> [151.236.27.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274889; rev:1;) alert tcp $HOME_NET any -> [121.36.36.99] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274890; rev:1;) alert tcp $HOME_NET any -> [192.177.98.86] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274891; rev:1;) alert tcp $HOME_NET any -> [46.226.167.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274892; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274893; rev:1;) alert tcp $HOME_NET any -> [188.120.248.116] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274881; rev:1;) alert tcp $HOME_NET any -> [162.19.64.24] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274882; rev:1;) alert tcp $HOME_NET any -> [172.245.19.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274883; rev:1;) alert tcp $HOME_NET any -> [45.11.181.128] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274884; rev:1;) alert tcp $HOME_NET any -> [45.154.12.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274885; rev:1;) alert tcp $HOME_NET any -> [157.245.12.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274886; rev:1;) alert tcp $HOME_NET any -> [136.144.162.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274880; rev:1;) alert tcp $HOME_NET any -> [178.128.94.42] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274875; rev:1;) alert tcp $HOME_NET any -> [54.169.221.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274876; rev:1;) alert tcp $HOME_NET any -> [104.128.88.109] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274877; rev:1;) alert tcp $HOME_NET any -> [45.140.143.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274878; rev:1;) alert tcp $HOME_NET any -> [80.251.217.247] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274879; rev:1;) alert tcp $HOME_NET any -> [172.245.159.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274868; rev:1;) alert tcp $HOME_NET any -> [8.219.57.178] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274869; rev:1;) alert tcp $HOME_NET any -> [207.180.253.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274870; rev:1;) alert tcp $HOME_NET any -> [81.200.148.166] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274871; rev:1;) alert tcp $HOME_NET any -> [54.169.178.188] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274872; rev:1;) alert tcp $HOME_NET any -> [134.122.35.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274873; rev:1;) alert tcp $HOME_NET any -> [150.158.9.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274874; rev:1;) alert tcp $HOME_NET any -> [45.145.228.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274862; rev:1;) alert tcp $HOME_NET any -> [115.159.152.161] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274863; rev:1;) alert tcp $HOME_NET any -> [103.207.68.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274864; rev:1;) alert tcp $HOME_NET any -> [20.255.58.253] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274865; rev:1;) alert tcp $HOME_NET any -> [51.250.1.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274866; rev:1;) alert tcp $HOME_NET any -> [68.84.193.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274867; rev:1;) alert tcp $HOME_NET any -> [185.150.162.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274856; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274857; rev:1;) alert tcp $HOME_NET any -> [94.23.84.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274858; 
rev:1;) alert tcp $HOME_NET any -> [103.56.16.31] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274859; rev:1;) alert tcp $HOME_NET any -> [172.233.90.114] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274860; rev:1;) alert tcp $HOME_NET any -> [43.138.184.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274861; rev:1;) alert tcp $HOME_NET any -> [213.139.205.100] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274850; rev:1;) alert tcp $HOME_NET any -> [185.174.101.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274851; rev:1;) alert tcp $HOME_NET any -> [158.220.106.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274852/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274852; rev:1;) alert tcp $HOME_NET any -> [3.25.174.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274853; rev:1;) alert tcp $HOME_NET any -> [170.64.249.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274854; rev:1;) alert tcp $HOME_NET any -> [34.232.187.165] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274855; rev:1;) alert tcp $HOME_NET any -> [45.115.236.168] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274843; rev:1;) alert tcp $HOME_NET any -> [193.46.243.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274844; rev:1;) alert tcp $HOME_NET any -> [163.172.188.230] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274845; rev:1;) alert tcp $HOME_NET any -> [185.246.118.237] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274846/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274846; rev:1;) alert tcp $HOME_NET any -> [79.174.93.85] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274847; rev:1;) alert tcp $HOME_NET any -> [156.224.26.80] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274848; rev:1;) alert tcp $HOME_NET any -> [194.15.216.113] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274849; rev:1;) alert tcp $HOME_NET any -> [138.197.32.191] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274834; rev:1;) alert tcp $HOME_NET 
any -> [47.128.239.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274835; rev:1;) alert tcp $HOME_NET any -> [137.184.178.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274836; rev:1;) alert tcp $HOME_NET any -> [107.172.44.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274837; rev:1;) alert tcp $HOME_NET any -> [13.229.232.97] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274838; rev:1;) alert tcp $HOME_NET any -> [16.163.53.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274839; rev:1;) alert tcp $HOME_NET any -> [107.173.87.151] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274840/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274840; rev:1;) alert tcp $HOME_NET any -> [43.134.204.137] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274841; rev:1;) alert tcp $HOME_NET any -> [8.208.15.65] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274842; rev:1;) alert tcp $HOME_NET any -> [185.112.144.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274827; rev:1;) alert tcp $HOME_NET any -> [194.87.146.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274828; rev:1;) alert tcp $HOME_NET any -> [89.23.117.246] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274829; rev:1;) alert tcp $HOME_NET any -> [139.84.155.5] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274830; rev:1;) alert tcp $HOME_NET any -> [3.75.210.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274831; rev:1;) alert tcp $HOME_NET any -> [94.158.247.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274832; rev:1;) alert tcp $HOME_NET any -> [192.210.203.236] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274833; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274821; rev:1;) alert tcp $HOME_NET any -> [45.32.124.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274822; rev:1;) alert tcp $HOME_NET any -> [23.159.160.16] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274823; rev:1;) alert tcp $HOME_NET any -> [74.48.139.77] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274824; rev:1;) alert tcp $HOME_NET any -> [143.244.181.177] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274825; rev:1;) alert tcp $HOME_NET any -> [45.77.6.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274826; rev:1;) alert tcp $HOME_NET any -> [179.43.172.53] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274814; rev:1;) alert tcp $HOME_NET any -> [159.65.137.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274815/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_24; classtype:trojan-activity; sid:91274815; rev:1;) alert tcp $HOME_NET any -> [89.147.111.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274816; rev:1;) alert tcp $HOME_NET any -> [156.245.19.127] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274817; rev:1;) alert tcp $HOME_NET any -> [154.3.2.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274818; rev:1;) alert tcp $HOME_NET any -> [64.225.60.244] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274819; rev:1;) alert tcp $HOME_NET any -> [84.252.94.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274820; rev:1;) alert tcp $HOME_NET any -> [52.226.161.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1274809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274809; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274810; rev:1;) alert tcp $HOME_NET any -> [134.209.170.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274811; rev:1;) alert tcp $HOME_NET any -> [143.110.237.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274812; rev:1;) alert tcp $HOME_NET any -> [45.33.103.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274813; rev:1;) alert tcp $HOME_NET any -> [165.232.86.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274805; rev:1;) alert tcp $HOME_NET any -> [142.93.71.107] 31337 (msg:"ThreatFox Sliver botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274806; rev:1;) alert tcp $HOME_NET any -> [185.104.112.206] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274807; rev:1;) alert tcp $HOME_NET any -> [43.129.31.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274808; rev:1;) alert tcp $HOME_NET any -> [185.239.226.11] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274798; rev:1;) alert tcp $HOME_NET any -> [206.188.197.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274799; rev:1;) alert tcp $HOME_NET any -> [23.95.61.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; 
classtype:trojan-activity; sid:91274800; rev:1;) alert tcp $HOME_NET any -> [8.130.67.45] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274801; rev:1;) alert tcp $HOME_NET any -> [151.80.119.224] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274802; rev:1;) alert tcp $HOME_NET any -> [46.226.105.167] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274803; rev:1;) alert tcp $HOME_NET any -> [174.138.79.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274804; rev:1;) alert tcp $HOME_NET any -> [85.215.44.146] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274791; rev:1;) alert tcp $HOME_NET any -> [45.55.51.117] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274792; rev:1;) alert tcp $HOME_NET any -> [54.204.118.225] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274793; rev:1;) alert tcp $HOME_NET any -> [52.139.156.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274794; rev:1;) alert tcp $HOME_NET any -> [103.207.68.204] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274795; rev:1;) alert tcp $HOME_NET any -> [172.235.10.74] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274796; rev:1;) alert tcp $HOME_NET any -> [18.216.41.200] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274797; rev:1;) alert tcp $HOME_NET any -> [185.29.8.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274786; rev:1;) alert tcp $HOME_NET any -> [66.151.41.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274787; rev:1;) alert tcp $HOME_NET any -> [137.184.126.213] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274788; rev:1;) alert tcp $HOME_NET any -> [113.31.106.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274789; rev:1;) alert tcp $HOME_NET any -> [139.59.236.124] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274790; rev:1;) alert tcp $HOME_NET any -> [172.245.246.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274779; rev:1;) alert tcp $HOME_NET any -> [64.23.139.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274780; rev:1;) alert tcp $HOME_NET any -> [154.12.87.184] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274781; rev:1;) alert tcp $HOME_NET any -> [138.68.173.59] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274782; rev:1;) alert tcp $HOME_NET any -> [194.87.252.205] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274783; rev:1;) alert tcp $HOME_NET any -> [8.222.176.223] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274784; rev:1;) alert tcp $HOME_NET any -> [209.38.200.20] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274785; rev:1;) alert tcp $HOME_NET any -> [54.167.175.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274773; rev:1;) alert tcp $HOME_NET any -> [170.64.249.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274774; rev:1;) alert tcp $HOME_NET any -> [66.78.40.182] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274775; rev:1;) alert tcp $HOME_NET any -> [185.247.224.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274776; rev:1;) alert tcp $HOME_NET any -> [3.224.74.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274777; rev:1;) alert tcp $HOME_NET any -> [185.177.59.103] 31337 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274778; rev:1;) alert tcp $HOME_NET any -> [147.45.136.226] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274768; rev:1;) alert tcp $HOME_NET any -> [38.180.141.152] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274769; rev:1;) alert tcp $HOME_NET any -> [168.138.179.33] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274770; rev:1;) alert tcp $HOME_NET any -> [185.237.252.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274771; rev:1;) alert tcp $HOME_NET any -> [111.180.204.51] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274772; rev:1;) alert tcp $HOME_NET any -> [20.224.227.30] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274762; rev:1;) alert tcp $HOME_NET any -> [172.233.214.50] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274763; rev:1;) alert tcp $HOME_NET any -> [188.127.227.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274764; rev:1;) alert tcp $HOME_NET any -> [45.133.238.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274765; rev:1;) alert tcp $HOME_NET any -> [83.97.73.202] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274766; rev:1;) alert tcp $HOME_NET any -> [23.254.204.15] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274767; rev:1;) alert tcp $HOME_NET any -> [164.90.228.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274757; rev:1;) alert tcp $HOME_NET any -> [176.120.73.75] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274758; rev:1;) alert tcp $HOME_NET any -> [38.207.176.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274759; rev:1;) alert tcp $HOME_NET any -> [46.148.26.72] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274760; rev:1;) alert tcp $HOME_NET any -> [209.141.54.92] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274761; rev:1;) alert tcp $HOME_NET any -> [80.78.23.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274755; rev:1;) alert tcp $HOME_NET any -> [192.121.87.111] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274756; rev:1;) alert tcp $HOME_NET any -> [195.201.223.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274753; rev:1;) alert tcp $HOME_NET any -> [199.248.230.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274754; rev:1;) alert tcp $HOME_NET any -> [156.245.13.61] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274748; rev:1;) alert tcp $HOME_NET any -> [156.245.13.101] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274749; 
rev:1;) alert tcp $HOME_NET any -> [157.90.21.73] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274750; rev:1;) alert tcp $HOME_NET any -> [165.227.136.106] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274751; rev:1;) alert tcp $HOME_NET any -> [170.64.160.157] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274752; rev:1;) alert tcp $HOME_NET any -> [156.245.13.36] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274747; rev:1;) alert tcp $HOME_NET any -> [54.243.224.196] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274744; rev:1;) alert tcp $HOME_NET any -> [64.23.191.37] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274745/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274745; rev:1;) alert tcp $HOME_NET any -> [82.157.142.84] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274746; rev:1;) alert tcp $HOME_NET any -> [8.220.197.83] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274740; rev:1;) alert tcp $HOME_NET any -> [34.124.239.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274741; rev:1;) alert tcp $HOME_NET any -> [35.224.239.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274742; rev:1;) alert tcp $HOME_NET any -> [38.242.152.52] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274743; rev:1;) alert tcp $HOME_NET any -> [5.8.10.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274739; rev:1;) alert tcp $HOME_NET any -> [152.89.198.51] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274738; rev:1;) alert tcp $HOME_NET any -> [77.221.137.158] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274737/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary/7trackdb7/trackwptemp.php"; depth:36; nocase; http.host; content:"62.109.13.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274736; rev:1;) alert tcp $HOME_NET any -> [47.99.188.195] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274735; rev:1;) alert tcp $HOME_NET any -> [5.180.154.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274734/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274734; rev:1;) alert tcp $HOME_NET any -> [193.168.143.107] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274733/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_24; classtype:trojan-activity; sid:91274733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/center/user_sid"; depth:16; nocase; http.host; content:"43.138.234.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274732; rev:1;) alert tcp $HOME_NET any -> [43.138.234.160] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"123.57.63.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274730; rev:1;) alert tcp $HOME_NET any -> [143.198.216.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274729/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"143.198.216.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.242.200.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274727; rev:1;) alert tcp $HOME_NET any -> [47.92.127.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.127.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274725; rev:1;) alert tcp $HOME_NET any -> [101.132.250.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.132.250.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274723; rev:1;) alert tcp $HOME_NET any -> [39.100.111.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sck.img.yunphui.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"sck.img.yunphui.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"ec-web.staticec.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec-web.staticec.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"91.92.254.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.156.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274715; rev:1;) alert tcp $HOME_NET any -> [8.130.156.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274716; 
rev:1;) alert tcp $HOME_NET any -> [8.222.130.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.notepadplugin.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.notepadplugin.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274712; rev:1;) alert tcp $HOME_NET any -> [162.14.102.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274711; rev:1;) alert tcp $HOME_NET any -> [36.89.252.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn/main/jquery-3.3.1.min.js"; depth:29; nocase; http.host; content:"103.26.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274709; rev:1;) alert tcp $HOME_NET any -> [74.124.44.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryupdate1.confidantsoftware.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"jqueryupdate1.confidantsoftware.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"20.56.35.166"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274705/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274705; rev:1;) alert tcp $HOME_NET any -> [5.135.192.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hogayaterachalhatfirnaaana"; depth:27; nocase; http.host; content:"5.135.192.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.173.57.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274702; rev:1;) alert tcp $HOME_NET any -> [47.92.127.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.127.53"; 
depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981582.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0949311.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ae048376.php"; depth:13; nocase; http.host; content:"budding-knives.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.msi"; depth:14; nocase; http.host; content:"mediaclubspot.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274695/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_24; classtype:trojan-activity; sid:91274695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wasabi-2.0.7.1.msi"; depth:19; nocase; http.host; content:"mediaclubspot.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.95.65.198"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"193.143.1.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0984678.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; 
sid:91274681; rev:1;) alert tcp $HOME_NET any -> [38.62.245.18] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"8.134.249.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.ziekte.news"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274678; rev:1;) alert tcp $HOME_NET any -> [54.242.72.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"api.ziekte.news"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; 
classtype:trojan-activity; sid:91274677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"service-hvcrn7y8-1257783886.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274675; rev:1;) alert tcp $HOME_NET any -> [120.77.150.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"statisticgateway.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:bad-unknown; sid:91274672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8724b2c0.php"; depth:13; nocase; http.host; content:"a0985701.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviderinkalem.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"karayipkalanda.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviceketler.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"martilarlaaraba.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274656/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_05_24; classtype:trojan-activity; sid:91274656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"kafaneredeciler2.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidlimanda.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidendercam.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavideritarak2.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"beyazgelinlik12.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274661/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mahmatagada.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"maviderinasfkalem1231.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"hadiordangel23.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"martilarlaaraba2412.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"kafaneredecilersda2.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl/"; depth:18; nocase; http.host; content:"mavidlimanda123.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzuxnjc3ymzjntnl"; depth:17; nocase; http.host; content:"mavidendercamlar2.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_24; classtype:trojan-activity; sid:91274668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"analytics-static.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274670/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_24; classtype:bad-unknown; sid:91274670; rev:1;) alert tcp $HOME_NET any -> [45.128.36.178] 5610 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0983585.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274652; rev:1;) alert tcp $HOME_NET any -> [198.55.115.39] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274651; rev:1;) alert tcp $HOME_NET any -> [198.55.115.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274650/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274650; rev:1;) alert tcp $HOME_NET any -> [198.55.115.39] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"alex-faber.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274648; rev:1;) alert tcp $HOME_NET any -> [79.137.206.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274646; rev:1;) alert tcp $HOME_NET any -> [47.96.168.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274645; rev:1;) alert tcp $HOME_NET any -> [39.104.52.122] 30005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274644; rev:1;) alert tcp $HOME_NET any -> [162.14.96.180] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274643; rev:1;) alert tcp $HOME_NET any -> [39.106.17.72] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274642; rev:1;) alert tcp $HOME_NET any -> [23.94.66.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274641; rev:1;) alert tcp $HOME_NET any -> [5.253.41.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274640; rev:1;) alert tcp $HOME_NET any -> [47.96.72.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274639; rev:1;) alert tcp $HOME_NET any -> [46.246.82.14] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274638; rev:1;) alert tcp $HOME_NET any -> [46.246.82.14] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274637; rev:1;) alert tcp $HOME_NET any -> 
[103.187.4.53] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274636; rev:1;) alert tcp $HOME_NET any -> [2.50.4.36] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274635; rev:1;) alert tcp $HOME_NET any -> [52.50.41.59] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274634; rev:1;) alert tcp $HOME_NET any -> [20.117.108.240] 5612 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274633; rev:1;) alert tcp $HOME_NET any -> [195.77.176.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274632; rev:1;) alert tcp $HOME_NET any -> [138.197.37.104] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274630/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_24; classtype:trojan-activity; sid:91274630; rev:1;) alert tcp $HOME_NET any -> [138.197.37.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274631; rev:1;) alert tcp $HOME_NET any -> [159.223.0.103] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274629; rev:1;) alert tcp $HOME_NET any -> [194.67.207.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274628; rev:1;) alert tcp $HOME_NET any -> [99.83.165.50] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274627; rev:1;) alert tcp $HOME_NET any -> [142.93.74.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274626; rev:1;) alert tcp $HOME_NET any -> [18.176.67.169] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1274625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274625; rev:1;) alert tcp $HOME_NET any -> [147.45.150.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274624; rev:1;) alert tcp $HOME_NET any -> [54.249.228.34] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274623; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30003 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274622; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30007 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274621; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30004 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274620; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30002 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274619; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274618; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 8095 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274617; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_24; classtype:trojan-activity; sid:91274616; rev:1;) alert tcp $HOME_NET any -> [64.23.184.217] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-call-and-put-contracts-legal-options-trading-guide/"; depth:66; nocase; http.host; 
content:"solar-audio.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"clintkustoms.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274593; rev:1;) alert tcp $HOME_NET any -> [160.176.158.157] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274595; rev:1;) alert tcp $HOME_NET any -> [154.204.78.151] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"valdepian.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274601; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 13265 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274609/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4bata.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274608; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 13265 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274610/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_24; classtype:trojan-activity; sid:91274610; rev:1;) alert tcp $HOME_NET any -> [40.121.142.114] 6709 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; 
content:"101.91.154.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274613; rev:1;) alert tcp $HOME_NET any -> [194.59.31.54] 3154 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_24; classtype:trojan-activity; sid:91274612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"822987529cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274603; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0984800.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274602; rev:1;) alert tcp $HOME_NET any -> [159.223.29.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"159.223.29.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274598; rev:1;) alert tcp $HOME_NET any -> [46.101.212.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"46.101.212.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274596; rev:1;) alert tcp $HOME_NET any -> [188.226.118.231] 1527 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njratvtope30.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274591; rev:1;) alert tcp $HOME_NET any -> [94.250.250.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274589; rev:1;) alert tcp $HOME_NET any -> [185.196.10.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274588; rev:1;) alert tcp $HOME_NET any -> [185.208.158.109] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274587; rev:1;) alert tcp $HOME_NET any -> [91.92.254.155] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274586; rev:1;) alert tcp $HOME_NET any -> [43.136.180.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274585; rev:1;) alert tcp $HOME_NET any -> [120.76.74.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; 
classtype:trojan-activity; sid:91274584; rev:1;) alert tcp $HOME_NET any -> [156.238.236.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274583; rev:1;) alert tcp $HOME_NET any -> [177.255.88.222] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274582; rev:1;) alert tcp $HOME_NET any -> [2.30.117.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274581; rev:1;) alert tcp $HOME_NET any -> [39.40.142.133] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274580; rev:1;) alert tcp $HOME_NET any -> [98.64.127.186] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274579; rev:1;) alert tcp $HOME_NET any -> [107.175.115.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274578; rev:1;) alert tcp $HOME_NET any -> [200.234.232.64] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274577; rev:1;) alert tcp $HOME_NET any -> [38.242.151.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274576; rev:1;) alert tcp $HOME_NET any -> [45.56.165.131] 5142 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274575; rev:1;) alert tcp $HOME_NET any -> [110.168.29.138] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274574; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 54002 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274573; rev:1;) alert tcp $HOME_NET any -> [5.42.67.8] 8081 (msg:"ThreatFox RisePro botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274572; rev:1;) alert tcp $HOME_NET any -> [5.42.65.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vivianstyler.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vikompalion.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sephoraofficetz.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274568; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"rafraystore.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"picwalldoor.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"ccbaminumpot.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"agentsuperpupervinil.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/download/csharp/"; depth:17; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/process.php"; depth:18; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update2.hta"; depth:12; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1274377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1~"; depth:12; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.hta"; depth:11; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps-updater.exe"; depth:15; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; 
classtype:trojan-activity; sid:91274381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update2.hta"; depth:12; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1~"; depth:12; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.ps1"; depth:11; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update.hta"; depth:11; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ps-updater.exe"; depth:15; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/process.php"; depth:18; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/get.php"; depth:14; nocase; http.host; content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; 
content:"20.163.176.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/get.php"; depth:14; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/csharp/"; depth:17; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274362/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powershell.skype-api.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skype-api.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/news.php"; depth:9; nocase; http.host; content:"powershell.skype-api.co.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skype-api.co.uk"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274388; rev:1;) alert tcp $HOME_NET any -> [20.163.176.155] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274389/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274389; rev:1;)
# --- ThreatFox auto-generated IOC rules (feed dated 2024-05-23 batch) ---
# Every rule below is one of three generated shapes; the options are identical
# across rules of the same shape, only the indicator, the ThreatFox IOC id and
# the confidence value change.
#
#  ip:port shape  - "alert tcp $HOME_NET any -> [ip] port": fires on any
#                   internal host connecting to the listed C2 endpoint.
#                   "threshold: type limit, track by_src, seconds 60, count 1"
#                   caps it at one alert per internal source per 60 s.
#  domain shape   - "alert dns ... dns_query; content:X; depth:len(X);
#                   isdataat:!1,relative; nocase": exact, case-insensitive
#                   match on the whole queried name (depth pins the start,
#                   isdataat:!1 forbids trailing bytes).
#  url shape      - "alert http ... http.method GET; http.uri content:P;
#                   depth:len(P); nocase": URI PREFIX match (no trailing
#                   isdataat on the uri buffer, so longer paths / query strings
#                   still hit), followed by an exact Host header match.
#
# Common trailer: "target:src_ip" marks the internal (source) host as the
# affected asset, "reference:url" points at the ThreatFox IOC record, and the
# sid is the IOC id with a leading 9 (sid:91274390 <-> ioc/1274390/).
# The confidence value appears in msg and again as "metadata: confidence_level N"
# so it can be used for tuning (see the 50% block near the end).
alert tcp $HOME_NET any -> [20.163.176.155] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274390; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"powershell.skype-api.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274387; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wonderbooth.com.my"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274418/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274418; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 18134 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274419/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274419; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 18134 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274420; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 18134 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274421/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274421; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newsddawork.3utilities.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274424; rev:1;)
alert tcp $HOME_NET any -> [94.232.249.160] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274425; rev:1;)
alert tcp $HOME_NET any -> [147.124.205.158] 40544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274549; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274550; rev:1;)
# Shared-service indicators: the next rule keys on a specific bot path under
# api.telegram.org, and the pastebin.com rule further down on one raw paste id.
# The Host alone is not the indicator here; the URI prefix carries it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot6708321519:aah9wpgzqn8mlll2zn6ccueu4dymqgcetcq/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274551; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"automatia.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274553; rev:1;)
# "/manual.php" payload-delivery rules: the URI is a common path, so the exact
# Host match (depth + isdataat:!1,relative on http.host) is what scopes each one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"chudywawrzyniec.pl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cimaq.es"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274560; rev:1;)
alert tcp $HOME_NET any -> [130.51.23.8] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274562; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sssteell-com.asia"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274563; rev:1;)
# One C2 path ("/nmfkztc4ywm3ztk2/") repeated across four hosts (ioc 1274346-1274349).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"54ggter6ujfgt.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274348; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"kdehrweuybvfrer4.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hydeoutent.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274354; rev:1;)
alert tcp $HOME_NET any -> [18.158.58.205] 15949 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"frewgewhy6fg.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274347; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"jey6mjdyerh82k.online"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274346; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cambiobolivar.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274344; rev:1;)
alert tcp $HOME_NET any -> [18.229.146.63] 14622 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raw/6bpeutd1"; depth:13; nocase; http.host; content:"pastebin.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spygate.myftp.biz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274292; rev:1;)
alert tcp $HOME_NET any -> [185.215.113.67] 40960 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274293; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"azahar.bg"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.kappo-mifuku.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274341; rev:1;)
alert tcp $HOME_NET any -> [105.104.48.230] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274291/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274291; rev:1;)
# Same host as the dns rule for ioc 1274563 above; this one covers the HTTP path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sht/fre.php"; depth:12; nocase; http.host; content:"sssteell-com.asia"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274561; rev:1;)
alert tcp $HOME_NET any -> [5.42.67.8] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274559; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274558; rev:1;)
alert tcp $HOME_NET any -> [88.198.124.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274556/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274556; rev:1;)
alert tcp $HOME_NET any -> [116.202.8.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274555/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274555; rev:1;)
alert tcp $HOME_NET any -> [116.202.8.208] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274554/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274554; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.165] 1620 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274423; rev:1;)
alert tcp $HOME_NET any -> [66.235.168.242] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274422/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274422; rev:1;)
# URL rules whose Host is a bare IP only fire when the client sends that literal
# IP in the Host header; the companion ip:port rules (where present) catch the
# connection itself regardless of the HTTP content.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274415; rev:1;)
alert tcp $HOME_NET any -> [118.195.183.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274414; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.195.183.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274413; rev:1;)
# Very short URI prefixes ("/cm", "/ca", "/cx") match any path starting with
# those bytes; the exact Host match is what keeps these from being broad.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.3.0.70"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.215.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"106.15.62.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274409; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.bitdefenders.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274407; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bitdefenders.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274408; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.220.215.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274406; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.31.115.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274405; rev:1;)
alert tcp $HOME_NET any -> [118.195.183.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274404; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"118.195.183.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274403; rev:1;)
alert tcp $HOME_NET any -> [129.211.215.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274402; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"129.211.215.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274401; rev:1;)
alert tcp $HOME_NET any -> [202.144.192.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274400; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"202.144.192.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274399; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"64.7.198.122"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update/version"; depth:15; nocase; http.host; content:"117.72.46.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274397; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"38.207.176.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274396; rev:1;)
alert tcp $HOME_NET any -> [154.3.0.70] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274395; rev:1;)
alert tcp $HOME_NET any -> [66.235.168.242] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274352; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.81] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274351; rev:1;)
alert tcp $HOME_NET any -> [91.214.78.17] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274350; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.120.67.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274338; rev:1;)
alert tcp $HOME_NET any -> [118.89.125.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274336; rev:1;)
alert tcp $HOME_NET any -> [118.25.192.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274335; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"118.25.192.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274334; rev:1;)
alert tcp $HOME_NET any -> [117.50.179.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"117.50.179.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274332; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonpacketgamebigloadprivatecentral.php"; depth:42; nocase; http.host; content:"objectiveci.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274331; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.137] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274330/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274330; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.72.35.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274329; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274328; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"141.98.7.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.207.29.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274326; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/bootstrap.sass"; depth:26; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"91.224.92.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"182.92.216.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"117.72.47.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274317; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.35] 47230 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274316; rev:1;)
# 50%-confidence block (ioc 1274303-1274313): ip:port rules on common ports
# (80, 443, 8443, 8888, 995) with no payload condition, so they fire on any
# connection to the address. Expect a higher false-positive rate than the
# 75-100% rules above; "metadata: confidence_level 50" is the hook for
# suppressing or down-prioritising them in the sensor config.
alert tcp $HOME_NET any -> [185.208.158.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274313; rev:1;)
alert tcp $HOME_NET any -> [23.96.246.163] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274312; rev:1;)
alert tcp $HOME_NET any -> [154.26.130.199] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274311; rev:1;)
alert tcp $HOME_NET any -> [172.247.168.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274310; rev:1;)
alert tcp $HOME_NET any -> [142.171.133.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274309; rev:1;)
alert tcp $HOME_NET any -> [211.159.225.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274308; rev:1;)
alert tcp $HOME_NET any -> [78.142.245.78] 8443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274307; rev:1;)
alert tcp $HOME_NET any -> [46.246.86.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274306; rev:1;)
alert tcp $HOME_NET any -> [69.157.7.219] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274305; rev:1;)
alert tcp $HOME_NET any -> [125.239.206.199] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274304; rev:1;)
alert tcp $HOME_NET any -> [4.236.25.168] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274303; rev:1;)
alert tcp $HOME_NET any -> [185.245.61.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1274302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274302; rev:1;) alert tcp $HOME_NET any -> [79.137.117.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274301; rev:1;) alert tcp $HOME_NET any -> [41.216.183.135] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274300; rev:1;) alert tcp $HOME_NET any -> [91.92.250.190] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274299; rev:1;) alert tcp $HOME_NET any -> [197.243.57.122] 60000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274298; rev:1;) alert tcp $HOME_NET any -> [107.174.115.223] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274297; rev:1;) alert tcp $HOME_NET any -> [45.15.158.15] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274296; rev:1;)
alert tcp $HOME_NET any -> [37.187.118.185] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274295; rev:1;)
alert tcp $HOME_NET any -> [38.60.136.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_23; classtype:trojan-activity; sid:91274294; rev:1;)
# url rules sharing one URI prefix. Five hosts carry the same 18-byte path
# /ywrhzjaxngm1yjfh/ (two here, three more on the next line). The feed emits
# one rule per host with an exact host match: depth equals the host length and
# isdataat:!1,relative forbids any trailing byte. A request for the same path
# to a host that is not (yet) in the feed therefore does not fire. The URI
# match itself is only anchored at the start (depth:18, nocase, no isdataat),
# so a query string or further path appended after it still matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"cyclohexylamine.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274271/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"excommunicative.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"quinquagenarian.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"juxtaglomerular.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"juxtaglomerular.hk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274275/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; 
http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274282; rev:1;)
# The three ThreatFox rule shapes all appear on this line:
#   url     - alert http, flow:established,from_client, http.method GET,
#             http.uri prefix match (depth = pattern length, nocase, no
#             isdataat, so a query string may follow), http.host exact match
#             (depth = host length plus isdataat:!1,relative).
#   ip:port - alert tcp to a single IP/port with no payload condition, rate
#             limited by threshold ... track by_src, seconds 60, count 1.
#   domain  - alert dns, dns_query exact match on the whole name (depth plus
#             isdataat:!1,relative, nocase, fast_pattern); a subdomain of the
#             listed name does not match because depth anchors at offset 0.
# Duplicate: sid 91274283 below has exactly the same match criteria
# (GET /manual.php, host animefestival.asia) as 91274282 at the start of this
# line and 91274281 on the previous line, so one such request raises three
# alerts. The ThreatFox ids 1274281..1274283 differ; presumably they were
# submitted as distinct full URLs that share this path -- confirm on the
# reference:url pages before suppressing two of the three sids locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"animefestival.asia"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274286; rev:1;)
alert tcp $HOME_NET any -> [196.64.243.43] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274284/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_23; classtype:trojan-activity; sid:91274284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"womendonotdothat.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1274287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"womendonotdothat.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0985859.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"mikilo39.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_23; classtype:trojan-activity; sid:91274285; rev:1;) alert tcp $HOME_NET any -> [88.198.124.82] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274279/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_05_23; classtype:trojan-activity; sid:91274279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.228.8.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274278; rev:1;) alert tcp $HOME_NET any -> [111.229.166.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.229.166.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"msc-mvc-updates.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274270; rev:1;) alert tcp $HOME_NET any -> [80.66.88.86] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274269; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274268; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 60143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274265; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42759 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274266; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42240 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274267/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274267; rev:1;) alert tcp $HOME_NET any -> [83.229.69.242] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274264; rev:1;) alert tcp $HOME_NET any -> [78.135.85.118] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274263; rev:1;) alert tcp $HOME_NET any -> [202.146.222.171] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274262; rev:1;) alert tcp $HOME_NET any -> [117.72.69.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274261; rev:1;) alert tcp $HOME_NET any -> [198.46.160.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274260; rev:1;) alert tcp $HOME_NET any -> [107.173.210.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274259; rev:1;) alert tcp $HOME_NET any -> [47.96.179.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274258/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274258; rev:1;) alert tcp $HOME_NET any -> [172.247.168.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274257; rev:1;) alert tcp $HOME_NET any -> [5.163.115.132] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274256; rev:1;) alert tcp $HOME_NET any -> [87.249.50.32] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274255; rev:1;) alert tcp $HOME_NET any -> [172.172.150.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274254; rev:1;) alert tcp $HOME_NET any -> [172.187.161.228] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274253; rev:1;) alert tcp $HOME_NET any -> [206.237.4.54] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"111.38.106.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91274251; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274250; rev:1;) alert tcp $HOME_NET any -> [107.172.31.6] 1070 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91274249; rev:1;) alert tcp $HOME_NET any -> [5.42.65.115] 40551 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"lucabet68.online"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"9adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"6adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"7adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274237/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_05_22; classtype:trojan-activity; sid:91274237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"8adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274238; rev:1;) alert tcp $HOME_NET any -> [193.233.255.34] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdq5m2jhm2zkztkx/"; depth:18; nocase; http.host; content:"5adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274235/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"jurassicworldtheexhibition.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1274245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274245; rev:1;) alert tcp $HOME_NET any -> [5.181.156.63] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91274247; rev:1;) alert tcp $HOME_NET any -> [79.137.207.27] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274242; rev:1;) alert tcp $HOME_NET any -> [118.194.235.187] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274241; rev:1;) alert tcp $HOME_NET any -> [95.164.87.54] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1274240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91274240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; 
content:"ajserviceusa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozansinyalcimisinla.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadasinyalcimisinaga.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadahacibaba.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozanaseviyor.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273984/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"airgaz.bydgoszcz.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadahackerbaba.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadadelimisinyav.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjvlnznjndfizdm3/"; depth:18; nocase; http.host; content:"mayadabeniseviyor.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273981; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogqyzwqwnguyzdk3/"; depth:18; nocase; http.host; content:"kozanhacibaba.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273986; rev:1;)
# domain rules: dns_query with an exact, case-insensitive match on the whole
# query name (depth = name length, isdataat:!1,relative), fast_pattern on the
# only content. These fire on the DNS lookup, before any connection exists, so
# a domain alert with no matching url alert may be a resolver or prefetch
# lookup rather than a beacon -- correlate with the paired url rules. The
# /tmp/index.php url rules for bipto.org, jobresurs.ru and tonybabb.com that
# go with these three domains follow on this line and the next.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bipto.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273990; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jobresurs.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273991; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tonybabb.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273992; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"tonybabb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; 
classtype:trojan-activity; sid:91273989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"jobresurs.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"bipto.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jtpo"; depth:5; nocase; http.host; content:"114.132.98.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273978/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273978; rev:1;) alert tcp $HOME_NET any -> [114.132.98.252] 4431 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273976; rev:1;) alert tcp $HOME_NET any -> [193.33.195.42] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273975/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"150.158.43.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273974; rev:1;) alert tcp $HOME_NET any -> [119.28.83.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.236.8.228"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273971; rev:1;) alert tcp $HOME_NET any -> [159.138.131.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"159.138.131.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"360.wangli.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273968; rev:1;) alert tcp $HOME_NET any -> [13.230.185.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"13.230.185.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"merckllc.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"infres.in"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273960; rev:1;) alert tcp $HOME_NET any -> [64.7.198.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alliancebbs.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/damage/v9.19/m3zw19mk"; depth:22; nocase; http.host; content:"alliancebbs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273963; rev:1;) alert tcp $HOME_NET any -> [81.70.17.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; 
depth:8; nocase; http.host; content:"81.70.17.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0982894.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"aimrental.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273954/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_22; classtype:trojan-activity; sid:91273954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.169.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kin/five/fre.php"; depth:17; nocase; http.host; content:"merckllc.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273943; rev:1;) alert tcp $HOME_NET any -> [45.76.129.156] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"602024.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273941; rev:1;) alert tcp $HOME_NET any -> [106.52.246.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273938; rev:1;) alert tcp $HOME_NET any -> [13.215.90.213] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1273937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273937; rev:1;) alert tcp $HOME_NET any -> [49.232.128.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273936; rev:1;) alert tcp $HOME_NET any -> [123.207.205.138] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273935; rev:1;) alert tcp $HOME_NET any -> [46.246.14.12] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273934; rev:1;) alert tcp $HOME_NET any -> [189.152.7.184] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273933; rev:1;) alert tcp $HOME_NET any -> [2.50.33.176] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273932; rev:1;) alert tcp $HOME_NET any -> [20.21.130.76] 443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273931; rev:1;) alert tcp $HOME_NET any -> [45.95.234.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273930; rev:1;) alert tcp $HOME_NET any -> [121.14.159.60] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273929; rev:1;) alert tcp $HOME_NET any -> [135.181.205.15] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273928; rev:1;) alert tcp $HOME_NET any -> [159.223.0.196] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273927; rev:1;) alert tcp $HOME_NET any -> [172.105.57.197] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273926/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_22; classtype:trojan-activity; sid:91273926; rev:1;) alert tcp $HOME_NET any -> [87.247.142.15] 30005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_22; classtype:trojan-activity; sid:91273925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/text/mc.js"; depth:23; nocase; http.host; content:"electrikar.com.mx"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"nisiqnisiq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"siqnisiq.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"sabgggsabggg.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"production-reservation.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dc3common.sakura.ne.jp"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273914/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_22; classtype:trojan-activity; sid:91273914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4handscleaning.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273917; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 17748 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273918; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273921; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273922; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 10614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273923; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 10614 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273924; rev:1;) alert tcp $HOME_NET any -> [204.10.160.176] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_22; classtype:trojan-activity; sid:91273920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0982456.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d5/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273916; rev:1;) alert tcp $HOME_NET any -> [121.37.221.98] 11443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_22; classtype:trojan-activity; sid:91273915; rev:1;) alert tcp $HOME_NET any -> [109.107.181.111] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273912; rev:1;) alert tcp $HOME_NET any -> [5.75.232.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273911/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273911; rev:1;) alert tcp $HOME_NET any -> [5.75.232.183] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273910/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_22; classtype:trojan-activity; sid:91273910; rev:1;) alert tcp $HOME_NET any -> [41.249.41.48] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273909; rev:1;) alert tcp $HOME_NET any -> [23.26.232.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"23.26.232.161"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1273907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273907; rev:1;) alert tcp $HOME_NET any -> [80.249.147.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon.js"; depth:11; nocase; http.host; content:"80.249.147.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiphiex9ae.ptsupport.tech"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon.js"; depth:11; nocase; http.host; content:"aiphiex9ae.ptsupport.tech"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273902; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 47823 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273900; rev:1;) alert tcp $HOME_NET any -> [146.19.143.163] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273899/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jelelaiyegba.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/updates.rss"; depth:12; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-i50ggjoo-1253504731.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-i50ggjoo-1253504731.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/account"; depth:8; nocase; http.host; content:"8.137.117.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273887/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273886; rev:1;) alert tcp $HOME_NET any -> [94.16.118.242] 7080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da9ae588.php"; depth:13; nocase; http.host; content:"fanskrairg.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273883; rev:1;) alert tcp $HOME_NET any -> [51.15.16.116] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273882; rev:1;) alert tcp $HOME_NET any -> [91.107.127.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273881/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273881; rev:1;) alert tcp $HOME_NET any -> [185.208.158.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273880; rev:1;) alert tcp $HOME_NET any -> [207.244.252.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273879; rev:1;) alert tcp $HOME_NET any -> [103.234.72.191] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273878; rev:1;) alert tcp $HOME_NET any -> [172.247.168.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273877; rev:1;) alert tcp $HOME_NET any -> [49.232.128.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273876; rev:1;) alert tcp $HOME_NET any -> [216.250.247.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273875; rev:1;) alert tcp $HOME_NET any -> [46.246.14.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273874; rev:1;) alert tcp $HOME_NET any -> [78.182.41.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273873; rev:1;) alert tcp $HOME_NET any -> [38.145.202.153] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273872; rev:1;) alert tcp $HOME_NET any -> [87.249.50.32] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273871; rev:1;) alert tcp $HOME_NET any -> [45.95.234.87] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273870; 
rev:1;) alert tcp $HOME_NET any -> [152.89.92.204] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273869; rev:1;) alert tcp $HOME_NET any -> [213.183.56.95] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273868; rev:1;) alert tcp $HOME_NET any -> [205.234.200.8] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273867; rev:1;) alert tcp $HOME_NET any -> [61.182.130.80] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273866; rev:1;) alert tcp $HOME_NET any -> [65.20.72.205] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273865; rev:1;) alert tcp $HOME_NET any -> [172.247.44.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273864/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273864; rev:1;) alert tcp $HOME_NET any -> [165.227.229.96] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bip.dpsbranszczyk.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/q2gs"; depth:5; nocase; http.host; content:"3.145.83.235"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273861; rev:1;) alert tcp $HOME_NET any -> [3.145.83.235] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273859; rev:1;) alert tcp $HOME_NET any -> [51.195.145.87] 8092 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273858; rev:1;) alert tcp $HOME_NET any -> [178.236.247.210] 8080 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezikidei.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273514; rev:1;) alert tcp $HOME_NET any -> [185.255.114.98] 5634 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273513/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bezpiecznie.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"survey-dover.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273547; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 21679 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273546; rev:1;) alert tcp $HOME_NET any -> [93.123.85.72] 4258 (msg:"ThreatFox BiBi-Linux payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273845; rev:1;) alert tcp $HOME_NET any -> [5.42.96.141] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273855; rev:1;) alert tcp 
$HOME_NET any -> [185.94.29.85] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273854; rev:1;) alert tcp $HOME_NET any -> [47.208.30.4] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273853; rev:1;) alert tcp $HOME_NET any -> [47.238.162.247] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mylittlecabbage.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodone.loseyourip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273850; rev:1;) alert tcp $HOME_NET any -> [213.195.117.131] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1273849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273849; rev:1;) alert tcp $HOME_NET any -> [160.178.192.178] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273848; rev:1;) alert tcp $HOME_NET any -> [202.133.88.95] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273847; rev:1;) alert tcp $HOME_NET any -> [192.227.228.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273846; rev:1;) alert tcp $HOME_NET any -> [165.227.44.40] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273844; rev:1;) alert tcp $HOME_NET any -> [194.67.193.25] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273843/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273843; rev:1;) alert tcp $HOME_NET any -> [194.67.193.24] 443 (msg:"ThreatFox 
Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273842/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273842; rev:1;) alert tcp $HOME_NET any -> [151.106.34.110] 8081 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273841; rev:1;) alert tcp $HOME_NET any -> [103.1.40.154] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273840; rev:1;) alert tcp $HOME_NET any -> [91.110.144.65] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273839; rev:1;) alert tcp $HOME_NET any -> [79.110.49.252] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273836; rev:1;) alert tcp $HOME_NET any -> [79.110.49.252] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273837/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_21; classtype:trojan-activity; sid:91273837; rev:1;) alert tcp $HOME_NET any -> [79.110.49.252] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273838; rev:1;) alert tcp $HOME_NET any -> [78.179.134.46] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273833; rev:1;) alert tcp $HOME_NET any -> [78.179.247.213] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273834; rev:1;) alert tcp $HOME_NET any -> [78.179.134.46] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273835; rev:1;) alert tcp $HOME_NET any -> [78.161.80.54] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.palloaltonetworks.com"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/anticipate/v10.75/u4fwfq0ej9c"; depth:30; nocase; http.host; content:"cloud.palloaltonetworks.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273829; rev:1;) alert tcp $HOME_NET any -> [184.145.64.157] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273828; rev:1;) alert tcp $HOME_NET any -> [179.97.173.22] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273826; rev:1;) alert tcp $HOME_NET any -> [101.201.150.204] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273825; rev:1;) alert tcp $HOME_NET any -> [54.193.220.196] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273824; rev:1;) alert tcp $HOME_NET any -> [51.178.195.149] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273823; rev:1;) alert tcp $HOME_NET any -> [14.225.219.33] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273822; rev:1;) alert tcp $HOME_NET any -> [185.234.75.77] 6666 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273821; rev:1;) alert tcp $HOME_NET any -> [91.92.249.89] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273818; rev:1;) alert tcp $HOME_NET any -> [91.92.249.43] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273819; rev:1;) alert tcp $HOME_NET any -> [91.92.254.84] 8080 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273820; rev:1;) alert tcp $HOME_NET any -> [91.92.249.88] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.146.158.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273816; rev:1;) alert tcp $HOME_NET any -> [103.146.158.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273815; rev:1;) alert tcp $HOME_NET any -> [51.81.169.92] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273814; rev:1;) alert tcp $HOME_NET any -> [107.173.156.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1273813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mad.chakrashaman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273812; rev:1;) alert tcp $HOME_NET any -> [108.160.131.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273550; rev:1;) alert tcp $HOME_NET any -> [65.20.71.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"209.38.242.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273548; rev:1;) alert tcp $HOME_NET any -> [209.38.242.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273545/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273545; rev:1;) alert tcp $HOME_NET any -> [206.189.11.228] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"157.230.110.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273543; rev:1;) alert tcp $HOME_NET any -> [157.230.110.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"64.227.124.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273541; rev:1;) alert tcp $HOME_NET any -> [64.227.124.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273540/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.77.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"64.226.77.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273538; rev:1;) alert tcp $HOME_NET any -> [64.226.77.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273536; rev:1;) alert tcp $HOME_NET any -> [64.226.77.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liudehua.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273535/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273535; rev:1;) alert tcp $HOME_NET any -> [64.23.177.220] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.237.95.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273533; rev:1;) alert tcp $HOME_NET any -> [47.237.95.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chinamobi1e.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"chinamobi1e.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273530/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273530; rev:1;) alert tcp $HOME_NET any -> [8.218.140.240] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273528; rev:1;) alert tcp $HOME_NET any -> [8.218.140.240] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273529; rev:1;) alert tcp $HOME_NET any -> [124.71.78.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273524; rev:1;) alert tcp $HOME_NET any -> [124.71.223.58] 5431 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273525; rev:1;) alert tcp $HOME_NET any -> [139.9.189.30] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273526; rev:1;) alert tcp $HOME_NET any -> [139.159.179.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273527; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 2231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273521; rev:1;) alert tcp $HOME_NET any -> [124.70.213.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273522; rev:1;) alert tcp $HOME_NET any -> [124.70.213.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273523; rev:1;) alert tcp $HOME_NET any -> [116.204.115.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273517; rev:1;) alert tcp $HOME_NET any -> [121.36.23.25] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; 
classtype:trojan-activity; sid:91273518; rev:1;) alert tcp $HOME_NET any -> [124.70.0.56] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273519; rev:1;) alert tcp $HOME_NET any -> [124.70.0.56] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273520; rev:1;) alert tcp $HOME_NET any -> [1.92.156.179] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273515; rev:1;) alert tcp $HOME_NET any -> [1.94.43.16] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273516; rev:1;) alert tcp $HOME_NET any -> [120.55.63.163] 789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273511; rev:1;) alert tcp $HOME_NET any -> [139.224.0.158] 8069 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273512; rev:1;) alert tcp $HOME_NET any -> [112.124.5.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273507; rev:1;) alert tcp $HOME_NET any -> [112.124.71.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273508; rev:1;) alert tcp $HOME_NET any -> [112.126.77.173] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273509; rev:1;) alert tcp $HOME_NET any -> [118.31.0.110] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273510; rev:1;) alert tcp $HOME_NET any -> [47.120.20.82] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273504; rev:1;) alert tcp $HOME_NET any 
-> [101.37.31.139] 6650 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273505; rev:1;) alert tcp $HOME_NET any -> [101.132.124.211] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273506; rev:1;) alert tcp $HOME_NET any -> [47.98.154.34] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273499; rev:1;) alert tcp $HOME_NET any -> [47.105.68.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273500; rev:1;) alert tcp $HOME_NET any -> [47.105.121.158] 58443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273501; rev:1;) alert tcp $HOME_NET any -> [47.109.69.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273502; rev:1;) alert tcp $HOME_NET any -> [47.115.204.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273503; rev:1;) alert tcp $HOME_NET any -> [39.100.117.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273495; rev:1;) alert tcp $HOME_NET any -> [47.92.7.36] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273496; rev:1;) alert tcp $HOME_NET any -> [47.92.7.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273497; rev:1;) alert tcp $HOME_NET any -> [47.92.24.58] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273498; rev:1;) alert tcp $HOME_NET any -> [8.130.103.235] 50050 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273491; rev:1;) alert tcp $HOME_NET any -> [8.136.121.216] 33898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273492; rev:1;) alert tcp $HOME_NET any -> [8.146.198.79] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273493; rev:1;) alert tcp $HOME_NET any -> [39.99.254.197] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3longpolltemporary/_/2provider/0voiddbvideolongpoll/vmphpjavascripthttpgeosqldatalifetemp.php"; depth:94; nocase; http.host; content:"5.35.98.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273490; rev:1;) alert tcp $HOME_NET any -> [175.178.45.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273488; rev:1;) alert tcp $HOME_NET any -> [175.178.45.180] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273489; rev:1;) alert tcp $HOME_NET any -> [150.158.43.153] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273487; rev:1;) alert tcp $HOME_NET any -> [139.155.99.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273486; rev:1;) alert tcp $HOME_NET any -> [122.51.2.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"119.45.226.126"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1273484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273484; rev:1;) alert tcp $HOME_NET any -> [119.45.226.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.exe"; depth:11; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.111.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.65.96.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.230.38.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rw1-api-update.afd.azureedge.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"rw1-api-update.afd.azureedge.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273477; rev:1;) alert tcp $HOME_NET any -> [111.230.38.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273476; rev:1;) alert tcp $HOME_NET any -> [110.40.180.6] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"nimappche.buzz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.43.29.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273472; rev:1;) alert tcp $HOME_NET any -> [101.43.29.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.54.33.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273470/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.35.248.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273468; rev:1;) alert tcp $HOME_NET any -> [8.217.222.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"time.api.chinabm.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/maps/overlaybfpr"; depth:17; nocase; http.host; content:"time.api.chinabm.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-f9dx5hom-1305082597.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"hell.hydracenter.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"150.158.43.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273463; rev:1;) alert tcp $HOME_NET any -> [64.7.199.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"64.7.199.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273461; rev:1;) alert tcp 
$HOME_NET any -> [101.35.248.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"91.224.92.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273458; rev:1;) alert tcp $HOME_NET any -> [91.224.92.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273457; rev:1;) alert tcp $HOME_NET any -> [139.159.203.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273456; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.159.203.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.43.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"101.35.245.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273453; rev:1;) alert tcp $HOME_NET any -> [81.69.37.111] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273452; rev:1;) alert tcp $HOME_NET any -> [43.139.168.97] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273451/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_21; classtype:trojan-activity; sid:91273451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.14.96.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273450; rev:1;) alert tcp $HOME_NET any -> [1.14.96.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.248.45.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"annitaswaerts.nl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"nanoshield.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1273443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.84.93.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273445; rev:1;) alert tcp $HOME_NET any -> [85.209.133.18] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273444; rev:1;) alert tcp $HOME_NET any -> [94.156.68.219] 2323 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273442; rev:1;) alert tcp $HOME_NET any -> [142.93.102.168] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273441; rev:1;) alert tcp $HOME_NET any -> [5.42.96.3] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; 
sid:91273439; rev:1;) alert tcp $HOME_NET any -> [173.249.34.252] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273440; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 59712 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"andreaslennartsson.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273432; rev:1;) alert tcp $HOME_NET any -> [124.70.99.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/lang/en-us/lang.js"; depth:26; nocase; http.host; content:"124.70.99.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; 
sid:91273436; rev:1;) alert tcp $HOME_NET any -> [8.217.222.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.api.qianxin.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"update.api.qianxin.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273433; rev:1;) alert tcp $HOME_NET any -> [185.243.240.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.243.240.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; 
classtype:trojan-activity; sid:91273430; rev:1;) alert tcp $HOME_NET any -> [79.110.49.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273429; rev:1;) alert tcp $HOME_NET any -> [193.164.4.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273428; rev:1;) alert tcp $HOME_NET any -> [77.105.147.23] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273427; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273426; rev:1;) alert tcp $HOME_NET any -> [49.234.187.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273425; rev:1;) alert tcp $HOME_NET any -> [111.229.19.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273424; rev:1;) alert tcp $HOME_NET any -> [46.246.6.23] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273422; rev:1;) alert tcp $HOME_NET any -> [46.246.6.23] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273423; rev:1;) alert tcp $HOME_NET any -> [46.246.6.23] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273421; rev:1;) alert tcp $HOME_NET any -> [79.107.155.247] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273420; rev:1;) alert tcp $HOME_NET any -> [2.50.34.153] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273419; rev:1;) alert tcp $HOME_NET any -> [41.99.47.129] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273418; rev:1;) alert tcp $HOME_NET any -> [185.208.158.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273417; rev:1;) alert tcp $HOME_NET any -> [185.216.70.120] 2427 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273416; rev:1;) alert tcp $HOME_NET any -> [23.227.203.30] 443 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273415; rev:1;) alert tcp $HOME_NET any -> [146.70.41.146] 443 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"airwide-land.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273412/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_21; classtype:trojan-activity; sid:91273412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"summerwaterhall.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"airwide-land.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"airwide-land.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calcroom.php"; depth:13; nocase; http.host; content:"summerwaterhall.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273410/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273410; rev:1;) alert tcp $HOME_NET any -> [185.29.9.103] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1273408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273408; rev:1;) alert tcp $HOME_NET any -> [185.222.57.152] 35789 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273406; rev:1;) alert tcp $HOME_NET any -> [93.123.85.72] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fashionstune.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273404; rev:1;) alert tcp $HOME_NET any -> [185.196.9.79] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273394/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_21; classtype:trojan-activity; sid:91273394; rev:1;) alert tcp $HOME_NET any -> [107.189.14.17] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273395; rev:1;) alert tcp $HOME_NET any -> [160.179.60.231] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273392; rev:1;) alert tcp $HOME_NET any -> [91.92.252.211] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273393; rev:1;) alert tcp $HOME_NET any -> [185.196.9.79] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273378; rev:1;) alert tcp $HOME_NET any -> [45.95.169.101] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273379; rev:1;) alert tcp $HOME_NET any -> [185.150.26.232] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1273380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273380; rev:1;) alert tcp $HOME_NET any -> [91.92.252.211] 444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_21; classtype:trojan-activity; sid:91273381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekensenserr.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sekenmarabatayfa.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk"; depth:17; nocase; http.host; content:"kemerdekaradar.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_21; classtype:trojan-activity; sid:91273384; rev:1;) alert tcp $HOME_NET any -> [141.11.92.115] 3778 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273396; rev:1;) alert tcp $HOME_NET any -> [194.59.30.223] 888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"allegro.autoszczepaniak.pl"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273400; rev:1;) alert tcp $HOME_NET any -> [109.248.151.181] 1996 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_21; classtype:trojan-activity; sid:91273402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.216.24.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_21; classtype:trojan-activity; sid:91273401; rev:1;) alert tcp $HOME_NET any -> [101.43.111.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.53.223"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273390; rev:1;) alert tcp $HOME_NET any -> [23.26.232.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"23.26.232.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273388; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273387; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273386; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273385; rev:1;) alert tcp $HOME_NET any -> [34.27.202.94] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273377; rev:1;) alert tcp $HOME_NET any -> [172.247.168.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273376; rev:1;) alert tcp $HOME_NET any -> [116.62.167.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273375; rev:1;) alert tcp $HOME_NET any -> [2.50.34.255] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; 
classtype:trojan-activity; sid:91273374; rev:1;) alert tcp $HOME_NET any -> [5.163.165.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273373; rev:1;) alert tcp $HOME_NET any -> [37.14.238.189] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273372; rev:1;) alert tcp $HOME_NET any -> [172.105.76.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273371/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273371; rev:1;) alert tcp $HOME_NET any -> [81.70.190.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273370; rev:1;) alert tcp $HOME_NET any -> [35.95.145.156] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273369; rev:1;) alert tcp $HOME_NET any -> [167.172.53.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273368; rev:1;) alert tcp $HOME_NET any -> [158.178.195.77] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273367/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273367; rev:1;) alert tcp $HOME_NET any -> [154.198.247.73] 8099 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273366/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273366; rev:1;) alert tcp $HOME_NET any -> [176.32.38.160] 42021 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273365; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273352/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"costumes-urbains.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; 
sid:91273343; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273350; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273351; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273353; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273354; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273355; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273356/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273356; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273357; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 14088 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273358/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"0.tpc.eu.ngrok.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.115.38.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273363/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273363; rev:1;) alert tcp $HOME_NET any -> [111.231.21.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273361; rev:1;) alert tcp $HOME_NET any -> [89.105.223.78] 41672 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273360; rev:1;) alert tcp $HOME_NET any -> [194.55.186.11] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273349; rev:1;) alert tcp $HOME_NET any -> [194.55.186.11] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273348; rev:1;) alert tcp 
$HOME_NET any -> [62.133.61.244] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273347; rev:1;) alert tcp $HOME_NET any -> [62.133.61.244] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273346; rev:1;) alert tcp $HOME_NET any -> [194.55.186.12] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273345; rev:1;) alert tcp $HOME_NET any -> [194.55.186.12] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273344; rev:1;) alert tcp $HOME_NET any -> [46.183.223.69] 13452 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273342; rev:1;) alert tcp $HOME_NET any -> [5.61.33.19] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273341/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273341; rev:1;) alert tcp $HOME_NET any -> [18.209.224.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273340; rev:1;) alert tcp $HOME_NET any -> [5.42.96.64] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273339; rev:1;) alert tcp $HOME_NET any -> [152.89.217.229] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273338; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14740 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273337; rev:1;) alert tcp $HOME_NET any -> [141.98.7.146] 30120 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cocktailhacker.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"col21-champollion.ac-dijon.fr"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-dq87eeqy-1259321672.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dq87eeqy-1259321672.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"192.168.52.131"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1273127/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"192.168.150.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"gamestockxchange.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; 
classtype:trojan-activity; sid:91273121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"zp3mvmzab.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lancer/get.php"; depth:15; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/utradvices.scr"; depth:15; nocase; http.host; content:"advising-receipts.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bank/payment_advice.scr"; depth:24; nocase; http.host; content:"advising-receipts.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.236.31.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.178.45.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"klgbb.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klgbb.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"210.56.49.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273114/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2clzbmsjml"; depth:12; nocase; http.host; content:"210.56.49.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273113; rev:1;) alert tcp $HOME_NET any -> [194.59.30.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"194.59.30.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273111; rev:1;) alert tcp $HOME_NET any -> [194.87.252.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; 
content:"194.87.252.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.196.82.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273108; rev:1;) alert tcp $HOME_NET any -> [45.61.136.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fashion/v3.62/9cpwzfxyo"; depth:24; nocase; http.host; content:"anphealthcenter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anphealthcenter.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273106; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"bqrg123.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bqrg123.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.136.64.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273100; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"172.84.93.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273099; rev:1;) alert tcp $HOME_NET any -> [51.38.187.10] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273093; rev:1;) alert tcp $HOME_NET any -> [158.160.167.238] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.253.12.185"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/modify"; depth:17; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273096/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manxzas12.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273095; rev:1;) alert tcp $HOME_NET any -> [46.246.6.12] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pyramidzx.scr"; depth:14; nocase; http.host; content:"covid19help.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tolinuxflower.php"; depth:18; nocase; http.host; content:"759931cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273091; rev:1;) alert tcp $HOME_NET any -> [199.223.235.67] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273088/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273088; rev:1;) alert tcp $HOME_NET any -> [106.53.181.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"106.53.181.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shipboot.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273078; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 482 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomcoyne.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; 
classtype:trojan-activity; sid:91273086; rev:1;) alert tcp $HOME_NET any -> [41.249.104.99] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"192.227.232.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.35.19.133"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unwood/admin/1/ppptp.jpg"; depth:25; nocase; http.host; content:"185.229.237.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"choi.helava.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273073; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273075; rev:1;) alert tcp $HOME_NET any -> [154.44.10.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273072; rev:1;) alert tcp $HOME_NET any -> [46.246.12.3] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273071; rev:1;) alert tcp $HOME_NET any -> [63.135.69.92] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273070; rev:1;) alert tcp $HOME_NET any -> [159.203.143.205] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273069; rev:1;) alert tcp $HOME_NET any -> [159.203.143.205] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273068; rev:1;) alert tcp $HOME_NET any -> [94.156.69.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_20; classtype:trojan-activity; sid:91273067; rev:1;) alert tcp $HOME_NET any -> [158.160.169.85] 80 (msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stayherefata4l.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masduh38sjdai.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omfghellobrosjda38.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273064; rev:1;) alert tcp 
$HOME_NET any -> [64.188.27.90] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273062; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 2506 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nikt0x.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wae54.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wave54.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1273049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273049; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 83 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1273050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273050; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273051; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273052; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 15748 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_20; classtype:trojan-activity; sid:91273053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"chivas.taegermoos.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/6wpimage/cdn/apiasync/generatordb/process/line37/flowerproton/eternalsqlmultipublic/uploads/gameapiasync/updategamepacket/jsproton3/jsgamesecure/centraltest/to/javascripthttpgamesql.php"; depth:186; nocase; http.host; content:"146.0.73.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/index"; depth:16; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/6790"; depth:15; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_20; classtype:trojan-activity; sid:91273059; rev:1;) alert tcp $HOME_NET any -> [147.45.47.149] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273056; rev:1;) alert tcp $HOME_NET any -> [77.221.156.5] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273055/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_20; classtype:trojan-activity; sid:91273055; rev:1;) alert tcp $HOME_NET any -> [185.73.125.157] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"stayherefata4l.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"omfghellobrosjda38.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"masduh38sjdai.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91273043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"150.158.141.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.223.28.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1273039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91273039; rev:1;) alert tcp $HOME_NET any -> [35.225.180.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273038/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_19; classtype:trojan-activity; sid:91273038; rev:1;) alert tcp $HOME_NET any -> [38.207.123.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273037; rev:1;) alert tcp $HOME_NET any -> [38.207.123.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273036; rev:1;) alert tcp $HOME_NET any -> [172.247.168.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273035; rev:1;) alert tcp $HOME_NET any -> [38.207.123.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273034; rev:1;) alert tcp $HOME_NET any -> [107.151.234.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273033; rev:1;) alert tcp $HOME_NET any -> [38.207.123.2] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273032; rev:1;) alert tcp $HOME_NET any -> [38.207.123.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273031; rev:1;) alert tcp $HOME_NET any -> [38.207.123.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273030; rev:1;) alert tcp $HOME_NET any -> [38.207.123.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273029; rev:1;) alert tcp $HOME_NET any -> [38.207.123.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273028; rev:1;) alert tcp $HOME_NET any -> [38.207.123.61] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273027; 
rev:1;) alert tcp $HOME_NET any -> [38.207.123.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273026; rev:1;) alert tcp $HOME_NET any -> [38.207.123.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273025; rev:1;) alert tcp $HOME_NET any -> [38.207.123.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273024; rev:1;) alert tcp $HOME_NET any -> [39.100.95.111] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273023; rev:1;) alert tcp $HOME_NET any -> [2.50.44.84] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273022; rev:1;) alert tcp $HOME_NET any -> [3.74.121.88] 23175 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1273021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273021; rev:1;) alert tcp $HOME_NET any -> [45.56.165.131] 6781 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273020; rev:1;) alert tcp $HOME_NET any -> [168.100.8.115] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1273019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91273019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bfd31da.php"; depth:13; nocase; http.host; content:"cx53027.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272823; rev:1;) alert tcp $HOME_NET any -> [194.55.186.13] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272822; rev:1;) alert tcp $HOME_NET any -> [194.55.186.13] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; 
sid:91272821; rev:1;) alert tcp $HOME_NET any -> [105.154.100.36] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272820; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272819; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272818; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272817; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19473 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272816; rev:1;) alert tcp $HOME_NET any -> [77.221.151.45] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272805; rev:1;) alert tcp $HOME_NET any -> [5.42.96.124] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272814; rev:1;) alert tcp $HOME_NET any -> [5.42.96.184] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"centralzvornik.ba"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"centre-culturel-laricamarie.fr"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272815; rev:1;) alert tcp $HOME_NET any -> [8.222.156.244] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eas.cqiv.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"eas.cqiv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272810; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272808; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272807; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13006 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processlinuxtest.php"; depth:21; nocase; http.host; content:"579050cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.yorozumanrakudo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.55.74.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"121.36.23.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"103.143.81.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.94.249.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; 
content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272796; rev:1;) alert tcp $HOME_NET any -> [114.115.203.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa"; depth:4; nocase; http.host; content:"114.115.203.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272794; rev:1;) alert tcp $HOME_NET any -> [117.50.178.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"117.50.178.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.76.42.3"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272791; rev:1;) alert tcp $HOME_NET any -> [111.229.103.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.229.103.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272789; rev:1;) alert tcp $HOME_NET any -> [123.58.198.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.58.198.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272785; rev:1;)
alert tcp $HOME_NET any -> [118.178.105.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272784; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"118.178.105.142"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272783; rev:1;)
alert tcp $HOME_NET any -> [47.94.249.38] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272782; rev:1;)
# NOTE(review): sid 91272781 keys on http.host "192.168.12.128", an RFC 1918 private address.
# With the usual EXTERNAL_NET = !$HOME_NET setting this rule can never match, and a private
# address reported as a C2 host is most likely a sandbox/lab artifact rather than live
# infrastructure. Candidate for suppression or local disable; verify against the IOC entry.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"192.168.12.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272781; rev:1;)
alert tcp $HOME_NET any -> [4.248.13.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272780; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dp-prod-dist.azureedge.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.js"; depth:7; nocase; http.host; content:"dp-prod-dist.azureedge.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272778; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.242.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272777/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272777; rev:1;)
# NOTE(review): sid 91272776 carries the same match content as sid 91272786 earlier in this
# file (GET "/owa/" with http.host "42.192.131.115"); a single request fires both sids.
# Disable one locally or merge the two IOC references to avoid duplicate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272776; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.45.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272775; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.104.49.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272774; rev:1;)
alert tcp $HOME_NET any -> [8.222.156.244] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.jsp"; depth:21; nocase; http.host; content:"ww2.jji.cz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272771; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ww2.jji.cz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272772; rev:1;)
alert tcp $HOME_NET any -> [207.154.242.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272770; rev:1;)
# NOTE(review): sid 91272769 duplicates the match content of sid 91272777 earlier in this
# file (GET "/__utm.gif" with http.host "207.154.242.220"); both fire on the same request.
# Disable one locally or merge the two IOC references to avoid duplicate alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.242.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"h-c-v.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272768; rev:1;)
alert tcp $HOME_NET any -> [31.44.6.123] 80 
(msg:"ThreatFox SmokeLoader botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272767/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h-c-v.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.nishitama-auto.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272765; rev:1;) alert tcp $HOME_NET any -> [38.207.123.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272764; rev:1;) alert tcp $HOME_NET any -> [38.207.123.214] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272763; rev:1;) alert tcp $HOME_NET any -> [38.207.123.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272762; rev:1;) alert tcp $HOME_NET any -> [38.207.123.222] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272761; rev:1;) alert tcp $HOME_NET any -> [38.207.123.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272760; rev:1;) alert tcp $HOME_NET any -> [38.207.123.74] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272759; rev:1;) alert tcp $HOME_NET any -> [38.207.123.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272758; rev:1;) alert tcp $HOME_NET any -> [38.207.123.244] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; 
sid:91272757; rev:1;) alert tcp $HOME_NET any -> [38.207.123.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272756; rev:1;) alert tcp $HOME_NET any -> [38.207.123.216] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272755; rev:1;) alert tcp $HOME_NET any -> [38.207.123.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272754; rev:1;) alert tcp $HOME_NET any -> [38.207.123.146] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272753; rev:1;) alert tcp $HOME_NET any -> [38.207.123.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272752; rev:1;) alert tcp $HOME_NET any -> [38.207.123.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1272751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272751; rev:1;) alert tcp $HOME_NET any -> [38.207.123.8] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272750; rev:1;) alert tcp $HOME_NET any -> [38.207.123.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272749; rev:1;) alert tcp $HOME_NET any -> [38.207.123.10] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272748; rev:1;) alert tcp $HOME_NET any -> [38.207.123.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272747; rev:1;) alert tcp $HOME_NET any -> [38.207.123.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272746; rev:1;) alert tcp $HOME_NET any -> 
[38.207.123.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272745; rev:1;) alert tcp $HOME_NET any -> [38.207.123.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272744; rev:1;) alert tcp $HOME_NET any -> [38.207.123.149] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272743; rev:1;) alert tcp $HOME_NET any -> [38.207.123.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272742; rev:1;) alert tcp $HOME_NET any -> [38.207.123.183] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272741; rev:1;) alert tcp $HOME_NET any -> [38.207.123.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272740; rev:1;) alert tcp $HOME_NET any -> [38.207.123.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272739; rev:1;) alert tcp $HOME_NET any -> [38.207.123.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272738; rev:1;) alert tcp $HOME_NET any -> [38.207.123.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272737; rev:1;) alert tcp $HOME_NET any -> [38.207.123.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272736; rev:1;) alert tcp $HOME_NET any -> [38.207.123.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272735; rev:1;) alert tcp $HOME_NET any -> [38.207.123.93] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272734; rev:1;) alert tcp $HOME_NET any -> [38.207.123.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272733; rev:1;) alert tcp $HOME_NET any -> [38.207.123.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272732/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272732; rev:1;) alert tcp $HOME_NET any -> [38.207.123.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272731; rev:1;) alert tcp $HOME_NET any -> [38.207.123.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272730; rev:1;) alert tcp $HOME_NET any -> [38.207.123.27] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272729/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272729; rev:1;) alert tcp $HOME_NET any -> [38.207.123.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272728/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272728; rev:1;) alert tcp $HOME_NET any -> [38.207.123.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272727; rev:1;) alert tcp $HOME_NET any -> [38.207.123.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272726; rev:1;) alert tcp $HOME_NET any -> [38.207.123.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272725; rev:1;) alert tcp $HOME_NET any -> [38.207.123.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272724; rev:1;) alert tcp $HOME_NET any -> [38.207.123.15] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272723; rev:1;) alert tcp $HOME_NET any -> [38.207.123.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272722; rev:1;) alert tcp $HOME_NET any -> [38.207.123.63] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272721; rev:1;) alert tcp $HOME_NET any -> [38.207.123.142] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272720; rev:1;) alert tcp $HOME_NET any -> [38.207.123.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272719; rev:1;) alert tcp $HOME_NET any -> [38.207.123.3] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272718/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_19; classtype:trojan-activity; sid:91272718; rev:1;) alert tcp $HOME_NET any -> [38.207.123.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272717; rev:1;) alert tcp $HOME_NET any -> [38.207.123.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272716; rev:1;) alert tcp $HOME_NET any -> [39.100.111.208] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272715; rev:1;) alert tcp $HOME_NET any -> [38.207.123.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272714; rev:1;) alert tcp $HOME_NET any -> [38.207.123.215] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272713; rev:1;) alert tcp $HOME_NET any -> [38.207.123.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272712; rev:1;) alert tcp $HOME_NET any -> [38.207.123.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272711; rev:1;) alert tcp $HOME_NET any -> [38.207.123.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272710; rev:1;) alert tcp $HOME_NET any -> [38.207.123.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272709; rev:1;) alert tcp $HOME_NET any -> [38.207.123.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272708; rev:1;) alert tcp $HOME_NET any -> [38.207.123.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; 
sid:91272707; rev:1;) alert tcp $HOME_NET any -> [38.207.123.197] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272706; rev:1;) alert tcp $HOME_NET any -> [38.207.123.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272705; rev:1;) alert tcp $HOME_NET any -> [38.207.123.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272704; rev:1;) alert tcp $HOME_NET any -> [38.207.123.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272703; rev:1;) alert tcp $HOME_NET any -> [38.207.123.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272702; rev:1;) alert tcp $HOME_NET any -> [38.207.123.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1272701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272701; rev:1;) alert tcp $HOME_NET any -> [38.207.123.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272700; rev:1;) alert tcp $HOME_NET any -> [38.207.123.91] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272699; rev:1;) alert tcp $HOME_NET any -> [38.207.123.66] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272698; rev:1;) alert tcp $HOME_NET any -> [38.207.123.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272697; rev:1;) alert tcp $HOME_NET any -> [38.207.123.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272696; rev:1;) alert tcp $HOME_NET any -> 
[38.207.123.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272695; rev:1;) alert tcp $HOME_NET any -> [38.207.123.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272694; rev:1;) alert tcp $HOME_NET any -> [38.207.123.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272693; rev:1;) alert tcp $HOME_NET any -> [38.207.123.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272692; rev:1;) alert tcp $HOME_NET any -> [38.207.123.139] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272691; rev:1;) alert tcp $HOME_NET any -> [38.207.123.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272690; rev:1;) alert tcp $HOME_NET any -> [38.207.123.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272689; rev:1;) alert tcp $HOME_NET any -> [38.207.123.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272688; rev:1;) alert tcp $HOME_NET any -> [38.207.123.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272687; rev:1;) alert tcp $HOME_NET any -> [38.207.123.92] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272686; rev:1;) alert tcp $HOME_NET any -> [38.207.123.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272685; rev:1;) alert tcp $HOME_NET any -> [38.207.123.170] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272684; rev:1;) alert tcp $HOME_NET any -> [38.207.123.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272683; rev:1;) alert tcp $HOME_NET any -> [38.207.123.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272682; rev:1;) alert tcp $HOME_NET any -> [38.207.123.240] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272681; rev:1;) alert tcp $HOME_NET any -> [38.207.123.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272680; rev:1;) alert tcp $HOME_NET any -> [38.207.123.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272679/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272679; rev:1;) alert tcp $HOME_NET any -> [38.207.123.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272678; rev:1;) alert tcp $HOME_NET any -> [38.207.123.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272677; rev:1;) alert tcp $HOME_NET any -> [38.207.123.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272676; rev:1;) alert tcp $HOME_NET any -> [38.207.123.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272675; rev:1;) alert tcp $HOME_NET any -> [38.207.123.35] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272674; rev:1;) alert tcp $HOME_NET any -> [38.207.123.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272673; rev:1;) alert tcp $HOME_NET any -> [38.207.123.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272672; rev:1;) alert tcp $HOME_NET any -> [38.207.123.253] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272671; rev:1;) alert tcp $HOME_NET any -> [38.207.123.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272670; rev:1;) alert tcp $HOME_NET any -> [38.207.123.95] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272669; rev:1;) alert tcp $HOME_NET any -> [38.207.123.171] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272668/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_19; classtype:trojan-activity; sid:91272668; rev:1;) alert tcp $HOME_NET any -> [38.207.123.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272667; rev:1;) alert tcp $HOME_NET any -> [38.207.123.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272666; rev:1;) alert tcp $HOME_NET any -> [38.207.123.203] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272665; rev:1;) alert tcp $HOME_NET any -> [38.207.123.160] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272664; rev:1;) alert tcp $HOME_NET any -> [38.207.123.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272663; rev:1;) alert tcp $HOME_NET any -> [60.251.145.96] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272661; rev:1;) alert tcp $HOME_NET any -> [38.207.123.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272662; rev:1;) alert tcp $HOME_NET any -> [38.207.123.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272660; rev:1;) alert tcp $HOME_NET any -> [38.207.123.207] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272659; rev:1;) alert tcp $HOME_NET any -> [38.207.123.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272658; rev:1;) alert tcp $HOME_NET any -> [38.207.123.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272657; 
rev:1;) alert tcp $HOME_NET any -> [38.207.123.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272656; rev:1;) alert tcp $HOME_NET any -> [38.207.123.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272655; rev:1;) alert tcp $HOME_NET any -> [38.207.123.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272654; rev:1;) alert tcp $HOME_NET any -> [38.207.123.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272653; rev:1;) alert tcp $HOME_NET any -> [38.207.123.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272652; rev:1;) alert tcp $HOME_NET any -> [38.207.123.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272651; rev:1;) alert tcp $HOME_NET any -> [38.207.123.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272650; rev:1;) alert tcp $HOME_NET any -> [38.207.123.23] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272649; rev:1;) alert tcp $HOME_NET any -> [38.207.123.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272648; rev:1;) alert tcp $HOME_NET any -> [38.207.123.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272647; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272646; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 6000 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272645; rev:1;) alert tcp $HOME_NET any -> [176.44.119.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272644; rev:1;) alert tcp $HOME_NET any -> [1.161.101.90] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272643; rev:1;) alert tcp $HOME_NET any -> [34.30.75.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272642; rev:1;) alert tcp $HOME_NET any -> [94.156.68.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272641; rev:1;) alert tcp $HOME_NET any -> [135.181.67.161] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; 
classtype:trojan-activity; sid:91272640; rev:1;) alert tcp $HOME_NET any -> [223.109.3.172] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272639; rev:1;) alert tcp $HOME_NET any -> [117.135.194.92] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272638; rev:1;) alert tcp $HOME_NET any -> [152.42.162.105] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272637; rev:1;) alert tcp $HOME_NET any -> [152.89.92.204] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272636; rev:1;) alert tcp $HOME_NET any -> [185.130.46.229] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272635; rev:1;) alert tcp $HOME_NET any -> [185.130.46.229] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272634; rev:1;) alert tcp $HOME_NET any -> [185.130.46.229] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272633; rev:1;) alert tcp $HOME_NET any -> [185.130.46.229] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272631; rev:1;) alert tcp $HOME_NET any -> [185.130.46.229] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272632; rev:1;) alert tcp $HOME_NET any -> [95.164.18.23] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_19; classtype:trojan-activity; sid:91272630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.manhquyen.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"manhquyen.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncprogramminghub.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272590; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 56071 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272597/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272597; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 15743 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"subjects-handbook.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272598; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 15743 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272600; rev:1;) alert tcp $HOME_NET any -> [80.92.204.233] 7765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bigdawgimages.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272604; rev:1;) alert tcp $HOME_NET any -> [185.215.151.236] 16678 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p/land.php"; depth:11; nocase; http.host; content:"zoomzle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomzle.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1272622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/upgrade/update.php"; depth:30; nocase; http.host; content:"www.netzwerkreklame.de"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crush/v1.8/m5el9gvh8h3"; depth:23; nocase; http.host; content:"47.122.9.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_19; classtype:trojan-activity; sid:91272627; rev:1;) alert tcp $HOME_NET any -> [172.111.216.4] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272626; rev:1;) alert tcp $HOME_NET any -> [94.156.8.28] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/88c01d4f.php"; depth:13; nocase; http.host; content:"a0982137.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272624; rev:1;) alert tcp $HOME_NET any -> [105.102.222.156] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272620/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272620; rev:1;) alert tcp $HOME_NET any -> [45.138.16.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272619/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272619; rev:1;) alert tcp $HOME_NET any -> [2.58.56.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272618/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272618; rev:1;) alert tcp $HOME_NET any -> [156.242.47.199] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272617/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272617; rev:1;) alert tcp $HOME_NET any -> [156.242.40.201] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272616/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; 
classtype:trojan-activity; sid:91272616; rev:1;) alert tcp $HOME_NET any -> [86.106.119.113] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272615/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272615; rev:1;) alert tcp $HOME_NET any -> [146.185.209.82] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272614/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272614; rev:1;) alert tcp $HOME_NET any -> [212.113.117.130] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272613/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272613; rev:1;) alert tcp $HOME_NET any -> [212.113.117.130] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272612/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272612; rev:1;) alert tcp $HOME_NET any -> [156.242.41.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272611/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272611; rev:1;) alert tcp $HOME_NET any -> [119.23.56.222] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272610; rev:1;) alert tcp $HOME_NET any -> [78.47.105.28] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272609; rev:1;) alert tcp $HOME_NET any -> [78.47.105.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_19; classtype:trojan-activity; sid:91272608; rev:1;) alert tcp $HOME_NET any -> [172.111.216.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_19; classtype:trojan-activity; sid:91272607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0943999.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272606; rev:1;) alert tcp $HOME_NET any -> [108.186.255.117] 51896 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272596; rev:1;) alert tcp $HOME_NET any -> [91.210.107.136] 65535 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272595/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"45.142.36.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.196.9.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272593; rev:1;) alert tcp $HOME_NET any -> [94.247.42.253] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272592/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272592; rev:1;) alert tcp $HOME_NET any -> [31.214.157.229] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272591/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; 
sid:91272591; rev:1;) alert tcp $HOME_NET any -> [105.102.84.188] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272589/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272589; rev:1;) alert tcp $HOME_NET any -> [14.247.219.179] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272588; rev:1;) alert tcp $HOME_NET any -> [38.207.123.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272587; rev:1;) alert tcp $HOME_NET any -> [38.207.123.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272586; rev:1;) alert tcp $HOME_NET any -> [38.207.123.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272585; rev:1;) alert tcp $HOME_NET any -> [38.207.123.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272584; rev:1;) alert tcp $HOME_NET any -> [38.207.123.102] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272583; rev:1;) alert tcp $HOME_NET any -> [38.207.123.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272582; rev:1;) alert tcp $HOME_NET any -> [38.207.123.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272581; rev:1;) alert tcp $HOME_NET any -> [38.207.123.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272580; rev:1;) alert tcp $HOME_NET any -> [38.207.123.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272579; rev:1;) alert tcp $HOME_NET any -> 
[38.207.123.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272578; rev:1;) alert tcp $HOME_NET any -> [38.207.123.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272577; rev:1;) alert tcp $HOME_NET any -> [38.207.123.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272576; rev:1;) alert tcp $HOME_NET any -> [38.207.123.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272575/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272575; rev:1;) alert tcp $HOME_NET any -> [38.207.123.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272574; rev:1;) alert tcp $HOME_NET any -> [38.207.123.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272573; rev:1;) alert tcp $HOME_NET any -> [38.207.123.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272572; rev:1;) alert tcp $HOME_NET any -> [38.207.123.200] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272571; rev:1;) alert tcp $HOME_NET any -> [38.207.123.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272570; rev:1;) alert tcp $HOME_NET any -> [38.207.123.202] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272569; rev:1;) alert tcp $HOME_NET any -> [38.207.123.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272568; rev:1;) alert tcp $HOME_NET any -> [38.207.123.185] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272567; rev:1;) alert tcp $HOME_NET any -> [38.207.123.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272566; rev:1;) alert tcp $HOME_NET any -> [38.207.123.194] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272565; rev:1;) alert tcp $HOME_NET any -> [104.238.167.85] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272564; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272563; rev:1;) alert tcp $HOME_NET any -> [41.98.227.43] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272562/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_18; classtype:trojan-activity; sid:91272562; rev:1;) alert tcp $HOME_NET any -> [206.206.123.220] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272561; rev:1;) alert tcp $HOME_NET any -> [51.8.82.12] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272560; rev:1;) alert tcp $HOME_NET any -> [110.43.133.2] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272559; rev:1;) alert tcp $HOME_NET any -> [27.221.54.88] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272558; rev:1;) alert tcp $HOME_NET any -> [95.164.18.23] 10101 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272557; rev:1;) alert tcp $HOME_NET any -> [95.164.18.23] 21 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272556; rev:1;) alert tcp $HOME_NET any -> [213.226.112.82] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272555; rev:1;) alert tcp $HOME_NET any -> [192.3.55.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272554/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272554; rev:1;) alert tcp $HOME_NET any -> [45.128.232.90] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272549/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272549; rev:1;) alert tcp $HOME_NET any -> [156.242.40.208] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272553/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272553; rev:1;) alert tcp $HOME_NET any -> [156.242.47.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272552/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272552; rev:1;) alert tcp $HOME_NET any -> [101.43.211.59] 18080 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272551/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272551; rev:1;) alert tcp $HOME_NET any -> [106.15.62.124] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272550/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272550; rev:1;) alert tcp $HOME_NET any -> [77.221.151.106] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272548; rev:1;) alert tcp $HOME_NET any -> [45.245.96.209] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/advdlc.php"; depth:11; nocase; http.host; content:"185.172.128.90"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/advdlc.php"; depth:11; nocase; http.host; content:"5.42.65.64"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272024; rev:1;) alert tcp $HOME_NET any -> [5.42.65.64] 80 (msg:"ThreatFox GCleaner botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"en.mg-trade.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272049; rev:1;) alert tcp $HOME_NET any -> [85.239.62.80] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"cpbrandindia.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/manual.php"; depth:11; nocase; http.host; content:"cybergroundproject.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ransomproducts.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"d-mag.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dantra.de"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"daylightdesignsinc.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"dasouza.es"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"despedidadesolteroengandia.globalwords.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272130; rev:1;) alert tcp $HOME_NET any -> [103.162.20.57] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272128; rev:1;) alert tcp $HOME_NET any -> [188.68.221.152] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"19.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272319/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_05_18; classtype:trojan-activity; sid:91272319; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 54921 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272318/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"allows-hindu.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272316; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 54934 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272315/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/664684db3a68e68a8dfe2d68"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f/663357252acab5ebd7dc4d25"; depth:27; nocase; http.host; content:"nocodeform.io"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272132/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272132; rev:1;) alert tcp $HOME_NET any -> [152.228.175.121] 23581 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"b-betternow.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/cdn-vs/2per.php"; depth:16; nocase; http.host; content:"chezfur.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"osiria-agency.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272398; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 55286 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"an-take.gl.at.ply.gg"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oepz3iov3ycdiu7lnsrnpe9i2yxdl1ng6760527951839536392332869280909.one"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bakbordet.se"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272434; rev:1;) alert tcp $HOME_NET any -> [184.105.237.196] 1122 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"betelpl.bdl.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272473; rev:1;) alert tcp $HOME_NET any -> [144.202.40.66] 7771 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272474; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 26075 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.141.166.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"43.156.16.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272469; rev:1;) alert tcp $HOME_NET any -> [121.36.23.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ifupx5k9-1253438913.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1272466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ifupx5k9-1253438913.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272467; rev:1;) alert tcp $HOME_NET any -> [47.236.147.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.236.147.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"91.92.254.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cm"; depth:3; nocase; http.host; content:"microsoftsoftwave.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"43.156.16.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272460; rev:1;) alert tcp $HOME_NET any -> [43.156.16.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digicertglobalrootg1.crl"; depth:25; nocase; http.host; content:"18.199.46.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.242.203.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272456; rev:1;) alert tcp $HOME_NET any -> [13.40.213.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-2.8.4.min.js"; depth:20; nocase; http.host; content:"13.40.213.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; 
depth:3; nocase; http.host; content:"119.3.216.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272451; rev:1;) alert tcp $HOME_NET any -> [103.146.140.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272452; rev:1;) alert tcp $HOME_NET any -> [106.53.76.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.53.76.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272449; rev:1;) alert tcp $HOME_NET any -> [119.91.231.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272446; rev:1;) alert tcp $HOME_NET any -> [51.89.158.68] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.92.75.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272444; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; 
depth:6; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272435/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_18; classtype:trojan-activity; sid:91272435; rev:1;) alert tcp $HOME_NET any -> [81.70.163.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6y22lbhj-1318289497.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery/2.0.1/jquery.min.js"; depth:27; nocase; http.host; content:"service-6y22lbhj-1318289497.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272431; rev:1;) alert tcp $HOME_NET any -> [138.197.40.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iopqwe.azureedge.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web.asp"; depth:8; nocase; http.host; content:"iopqwe.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272428; rev:1;) alert tcp $HOME_NET any -> [111.223.247.232] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.weather.pm"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.weather.pm"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272426; rev:1;) alert tcp $HOME_NET any -> [147.78.103.101] 3783 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272424/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272424; rev:1;) alert tcp $HOME_NET any -> [82.146.33.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272423; rev:1;) alert tcp $HOME_NET any -> [182.160.6.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272422; rev:1;) alert tcp $HOME_NET any -> [39.104.18.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272421; rev:1;) alert tcp $HOME_NET any -> [103.234.72.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272420; rev:1;) alert tcp $HOME_NET any -> [46.246.4.24] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272419; rev:1;) alert tcp $HOME_NET any -> [174.82.220.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272418; rev:1;) alert tcp $HOME_NET any -> [43.198.137.245] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272417; rev:1;) alert tcp $HOME_NET any -> [37.114.42.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272416; rev:1;) alert tcp $HOME_NET any -> [18.118.127.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272415; rev:1;) alert tcp $HOME_NET any -> [37.228.138.163] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272414; rev:1;) alert tcp $HOME_NET any -> [125.39.177.105] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272413; rev:1;) alert 
tcp $HOME_NET any -> [3.130.124.10] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272412; rev:1;) alert tcp $HOME_NET any -> [161.35.207.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272411; rev:1;) alert tcp $HOME_NET any -> [128.199.59.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_18; classtype:trojan-activity; sid:91272410; rev:1;) alert tcp $HOME_NET any -> [156.242.45.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272409; rev:1;) alert tcp $HOME_NET any -> [156.242.41.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272408; rev:1;) alert tcp $HOME_NET any -> [1.14.206.72] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1272407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272407; rev:1;) alert tcp $HOME_NET any -> [124.223.220.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272406; rev:1;) alert tcp $HOME_NET any -> [147.78.103.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272404; rev:1;) alert tcp $HOME_NET any -> [38.55.26.37] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272403; rev:1;) alert tcp $HOME_NET any -> [156.242.46.195] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272402; rev:1;) alert tcp $HOME_NET any -> [156.242.43.213] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272401; rev:1;) alert tcp $HOME_NET any -> [171.38.43.209] 42421 (msg:"ThreatFox Ghost RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search.php"; depth:11; nocase; http.host; content:"orlandomedianews.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search.php"; depth:11; nocase; http.host; content:"natureanimalsreports.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlocalsqlline/javascriptlongpolltrackwindows/voiddbdbapi/1bigload/testuploads/proton/protonvoiddb8datalife/5auth2/multiprocessordatalifegame/dle8/windowsdownloads/linuxproviderbasemulti/provider/imagejavascriptrequestprocessordefaultlinuxtestdle.php"; depth:257; nocase; http.host; content:"193.17.183.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fpmz"; depth:5; nocase; http.host; content:"update.windowsupdate.com.cdn.dnsv1.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/lib/jquery-1-edb203c114.10.2.js"; depth:35; nocase; http.host; content:"120.26.36.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lfzq"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/icon2.png"; depth:10; nocase; http.host; content:"175.178.226.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pnf9"; depth:5; nocase; http.host; 
content:"128.199.184.87"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/default-get"; depth:19; nocase; http.host; content:"107.173.111.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/404"; depth:4; nocase; http.host; content:"107.173.111.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pmo1"; depth:5; nocase; http.host; content:"192.168.221.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vcq3"; depth:5; nocase; http.host; content:"119.3.90.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.69.37.111"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"101.43.96.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"150.158.150.214"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videolinetoupdateprocessorauthprotectsqlasync.php"; depth:50; nocase; http.host; content:"77.105.161.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_18; classtype:trojan-activity; sid:91272378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-0xgb0mzs-1317544938.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xpof"; depth:5; nocase; http.host; content:"172.16.1.106"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xu79"; depth:5; nocase; http.host; content:"124.70.99.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_18; classtype:trojan-activity; sid:91272375; rev:1;) alert tcp $HOME_NET any -> [156.242.47.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272374; rev:1;) alert tcp $HOME_NET any -> [47.109.192.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; 
classtype:trojan-activity; sid:91272373; rev:1;) alert tcp $HOME_NET any -> [156.242.40.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272372; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272371; rev:1;) alert tcp $HOME_NET any -> [104.193.69.161] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272370; rev:1;) alert tcp $HOME_NET any -> [20.163.182.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272369; rev:1;) alert tcp $HOME_NET any -> [52.15.184.142] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272368; rev:1;) alert tcp $HOME_NET any -> [72.142.102.168] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272367; rev:1;) alert tcp $HOME_NET any -> [8.134.122.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272366; rev:1;) alert tcp $HOME_NET any -> [156.242.41.216] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272365; rev:1;) alert tcp $HOME_NET any -> [149.88.75.162] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_18; classtype:trojan-activity; sid:91272361; rev:1;) alert tcp $HOME_NET any -> [194.26.232.166] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272360; rev:1;) alert tcp $HOME_NET any -> [194.26.232.166] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272359; rev:1;) alert tcp $HOME_NET any -> [23.88.106.134] 80 (msg:"ThreatFox Stealc botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272358; rev:1;) alert tcp $HOME_NET any -> [23.88.106.134] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272357; rev:1;) alert tcp $HOME_NET any -> [194.26.232.108] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272356/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272356; rev:1;) alert tcp $HOME_NET any -> [194.26.232.108] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272355/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272355; rev:1;) alert tcp $HOME_NET any -> [47.236.19.63] 23456 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272354/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272354; rev:1;) alert tcp $HOME_NET any -> [156.242.47.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272353/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; 
classtype:trojan-activity; sid:91272353; rev:1;) alert tcp $HOME_NET any -> [156.242.46.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272352/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272352; rev:1;) alert tcp $HOME_NET any -> [156.242.43.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272351/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272351; rev:1;) alert tcp $HOME_NET any -> [156.242.43.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272350/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272350; rev:1;) alert tcp $HOME_NET any -> [156.242.45.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272349; rev:1;) alert tcp $HOME_NET any -> [156.242.47.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272348; rev:1;) alert tcp $HOME_NET any -> [192.227.232.151] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272347; rev:1;) alert tcp $HOME_NET any -> [146.70.87.203] 41795 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272346; rev:1;) alert tcp $HOME_NET any -> [67.205.164.149] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272345; rev:1;) alert tcp $HOME_NET any -> [188.127.225.90] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272344; rev:1;) alert tcp $HOME_NET any -> [156.242.43.212] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272343; rev:1;) alert tcp $HOME_NET any -> [156.242.45.210] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272342; rev:1;) alert tcp $HOME_NET any -> 
[156.242.42.220] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272341; rev:1;) alert tcp $HOME_NET any -> [154.12.55.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272340; rev:1;) alert tcp $HOME_NET any -> [156.242.41.219] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272339; rev:1;) alert tcp $HOME_NET any -> [156.242.46.196] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272338; rev:1;) alert tcp $HOME_NET any -> [209.222.101.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272337; rev:1;) alert tcp $HOME_NET any -> [77.238.229.68] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272336/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272336; rev:1;) alert tcp $HOME_NET any -> [1.54.12.82] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272335; rev:1;) alert tcp $HOME_NET any -> [5.75.214.104] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272334; rev:1;) alert tcp $HOME_NET any -> [5.75.212.247] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272333; rev:1;) alert tcp $HOME_NET any -> [5.75.212.247] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272332/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272332; rev:1;) alert tcp $HOME_NET any -> [116.202.1.60] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272331/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272331; rev:1;) alert tcp $HOME_NET any -> [116.202.1.60] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1272330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272330; rev:1;) alert tcp $HOME_NET any -> [5.75.215.51] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272329/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272329; rev:1;) alert tcp $HOME_NET any -> [5.75.215.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272328; rev:1;) alert tcp $HOME_NET any -> [85.107.228.217] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272327; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272326; rev:1;) alert tcp $HOME_NET any -> [95.164.47.247] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_17; classtype:trojan-activity; sid:91272325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.148.120.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272323; rev:1;) alert tcp $HOME_NET any -> [45.148.120.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0948305.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272322; rev:1;) alert tcp $HOME_NET any -> [104.129.20.98] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272321; rev:1;) alert tcp $HOME_NET any -> [41.249.51.52] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272317; rev:1;) alert tcp $HOME_NET any -> [3.79.194.172] 81 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272314; rev:1;) alert tcp $HOME_NET any -> [194.116.229.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272313; rev:1;) alert tcp $HOME_NET any -> [89.185.85.44] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272312; rev:1;) alert tcp $HOME_NET any -> [124.70.47.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272311; rev:1;) alert tcp $HOME_NET any -> [103.146.158.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272310; rev:1;) alert tcp $HOME_NET any -> [106.14.0.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272309/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_17; classtype:trojan-activity; sid:91272309; rev:1;) alert tcp $HOME_NET any -> [95.179.165.102] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272308; rev:1;) alert tcp $HOME_NET any -> [45.61.132.242] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272307; rev:1;) alert tcp $HOME_NET any -> [217.165.79.196] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272306; rev:1;) alert tcp $HOME_NET any -> [47.243.185.50] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272305; rev:1;) alert tcp $HOME_NET any -> [118.33.178.150] 8880 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272304; rev:1;) alert tcp $HOME_NET any -> [44.200.252.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1272303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272303; rev:1;) alert tcp $HOME_NET any -> [82.153.138.180] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272302; rev:1;) alert tcp $HOME_NET any -> [79.137.199.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272301; rev:1;) alert tcp $HOME_NET any -> [79.137.199.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.213.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/3b1tenbkyj"; depth:21; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1272131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272131; rev:1;) alert tcp $HOME_NET any -> [95.163.84.88] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272129; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272127; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272126; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272125; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15221 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272124; rev:1;) alert tcp $HOME_NET any -> [104.194.152.154] 3678 (msg:"ThreatFox Remcos 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"38.54.16.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.134.89.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272119; rev:1;) alert tcp $HOME_NET any -> [8.134.89.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.172.159.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272118; 
rev:1;) alert tcp $HOME_NET any -> [121.40.213.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272114; rev:1;) alert tcp $HOME_NET any -> [121.40.213.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-pw5pdob2-1301751349.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272113/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.51.111.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272112; rev:1;) alert tcp $HOME_NET any -> [106.53.94.240] 6000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272108; rev:1;) alert tcp $HOME_NET any -> [139.9.105.56] 8033 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; 
content:"service-g9r06izm-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-g9r06izm-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272101/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_17; classtype:trojan-activity; sid:91272101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upload.windowscdn.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"upload.windowscdn.cn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/showthread.php"; depth:15; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.101.90"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1272092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272088; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/hx28/config.php"; depth:21; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.vip8806.mom"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vip8806.mom"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272084; rev:1;) alert tcp $HOME_NET any -> [185.64.246.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.99.188.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-k2snyjb7-1326503875.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272079; rev:1;) alert tcp 
$HOME_NET any -> [91.151.89.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272078; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272077; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272076; rev:1;) alert tcp $HOME_NET any -> [46.246.247.138] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272075; rev:1;) alert tcp $HOME_NET any -> [50.35.141.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272074; rev:1;) alert tcp $HOME_NET any -> [185.196.11.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272073/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272073; rev:1;) alert tcp $HOME_NET any -> [46.101.3.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_17; classtype:trojan-activity; sid:91272072; rev:1;) alert tcp $HOME_NET any -> [88.198.122.201] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272070; rev:1;) alert tcp $HOME_NET any -> [88.198.122.201] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.122.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.122.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; 
classtype:trojan-activity; sid:91272068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kin/five/fre.php"; depth:17; nocase; http.host; content:"ransomproducts.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272061/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272061; rev:1;) alert tcp $HOME_NET any -> [173.212.199.134] 8808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_17; classtype:trojan-activity; sid:91272060; rev:1;) alert tcp $HOME_NET any -> [94.156.66.54] 65140 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272059; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 65140 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1e75357.php"; depth:13; nocase; http.host; content:"a0982032.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; 
classtype:trojan-activity; sid:91272055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/096e856b.php"; depth:13; nocase; http.host; content:"a0982114.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_17; classtype:trojan-activity; sid:91272054; rev:1;) alert tcp $HOME_NET any -> [212.162.153.199] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272053; rev:1;) alert tcp $HOME_NET any -> [39.100.85.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-5hq806dl-1305010017.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1272050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5hq806dl-1305010017.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1272051/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272051; rev:1;) alert tcp $HOME_NET any -> [45.88.186.125] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272043; rev:1;) alert tcp $HOME_NET any -> [5.180.155.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272042; rev:1;) alert tcp $HOME_NET any -> [79.137.195.24] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272041; rev:1;) alert tcp $HOME_NET any -> [192.3.233.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272040; rev:1;) alert tcp $HOME_NET any -> [198.181.39.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272039; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 8000 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272038; rev:1;) alert tcp $HOME_NET any -> [88.232.102.20] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272037; rev:1;) alert tcp $HOME_NET any -> [45.241.46.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272036; rev:1;) alert tcp $HOME_NET any -> [92.205.178.185] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272035; rev:1;) alert tcp $HOME_NET any -> [159.65.114.122] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272034; rev:1;) alert tcp $HOME_NET any -> [47.76.120.184] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272033; rev:1;) 
alert tcp $HOME_NET any -> [3.106.207.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272032; rev:1;) alert tcp $HOME_NET any -> [89.116.236.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272031; rev:1;) alert tcp $HOME_NET any -> [104.223.76.201] 2779 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272030; rev:1;) alert tcp $HOME_NET any -> [188.25.10.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272029; rev:1;) alert tcp $HOME_NET any -> [45.133.74.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272028; rev:1;) alert tcp $HOME_NET any -> [113.31.106.106] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272027/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91272027; rev:1;) alert tcp $HOME_NET any -> [94.156.66.54] 7310 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1272026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91272026; rev:1;) alert tcp $HOME_NET any -> [41.142.192.216] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271796; rev:1;) alert tcp $HOME_NET any -> [185.93.221.12] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271795/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_16; classtype:trojan-activity; sid:91271795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl134/index.php"; depth:16; nocase; http.host; content:"ehzwq.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"193.238.153.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271793/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271793; rev:1;) alert tcp $HOME_NET any -> [89.117.145.5] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"penisowners.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"redsquardhack.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271761; rev:1;) alert tcp $HOME_NET any -> [5.181.156.11] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271762; rev:1;) alert tcp $HOME_NET any -> [185.216.70.125] 1974 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"d1x9q8w2e4.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"d1x9q8w2e4.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"d1x9q8w2e4.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271741; rev:1;) alert tcp $HOME_NET any -> [104.223.35.217] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axe.ydns.eu"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271745; rev:1;) alert tcp $HOME_NET any -> [84.38.181.66] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271746; rev:1;) alert tcp $HOME_NET any -> [94.156.69.165] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271789; rev:1;) alert tcp $HOME_NET any -> [94.156.69.166] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271790/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271790; rev:1;) alert tcp $HOME_NET any -> [94.156.69.164] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271787/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271787; rev:1;) alert tcp $HOME_NET any -> [94.156.69.165] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271788/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271788; rev:1;) alert tcp $HOME_NET any -> [94.156.69.163] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271786/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271786; rev:1;) alert tcp $HOME_NET any -> [94.156.64.90] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271784; rev:1;) alert tcp $HOME_NET any -> [94.156.69.161] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271785/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271785; rev:1;) alert tcp $HOME_NET any -> [94.156.64.5] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271783; rev:1;) alert tcp $HOME_NET any -> [94.156.64.51] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271782; rev:1;) alert tcp $HOME_NET any -> [94.156.64.21] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271780/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271780; rev:1;) alert tcp $HOME_NET any -> [94.156.64.51] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271781/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271781; rev:1;) alert tcp $HOME_NET any -> [91.92.255.79] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271778; rev:1;) alert tcp $HOME_NET any -> [94.156.64.21] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271779/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271779; rev:1;) alert tcp $HOME_NET any -> [91.92.255.25] 8900 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271777/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271777; rev:1;) alert tcp $HOME_NET any -> [91.92.255.16] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271775/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271775; rev:1;) alert tcp $HOME_NET any -> [91.92.255.25] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271776/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271776; rev:1;) alert tcp $HOME_NET any -> [91.92.254.201] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271773; rev:1;) alert tcp $HOME_NET any -> [91.92.254.21] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271774; rev:1;) alert tcp $HOME_NET any -> [91.92.254.201] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271772/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_05_16; classtype:trojan-activity; sid:91271772; rev:1;) alert tcp $HOME_NET any -> [91.92.251.245] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271771/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271771; rev:1;) alert tcp $HOME_NET any -> [91.92.251.179] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271770; rev:1;) alert tcp $HOME_NET any -> [91.92.251.159] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271769; rev:1;) alert tcp $HOME_NET any -> [91.92.251.153] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271767/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271767; rev:1;) alert tcp $HOME_NET any -> [91.92.251.159] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271768/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271768; rev:1;) alert tcp $HOME_NET any -> [91.92.251.136] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1271766/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271766; rev:1;) alert tcp $HOME_NET any -> [91.92.248.82] 8900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271765/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271765; rev:1;) alert tcp $HOME_NET any -> [91.92.248.82] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7043a0c6a68d9c65.php"; depth:21; nocase; http.host; content:"185.172.128.170"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.136.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; 
depth:12; nocase; http.host; content:"io.cy789.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.37.31.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"162.14.70.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271754; rev:1;) alert tcp $HOME_NET any -> [101.200.120.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.200.120.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271752; rev:1;) 
alert tcp $HOME_NET any -> [192.227.232.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"192.227.232.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271750; rev:1;) alert tcp $HOME_NET any -> [39.100.103.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"m.taobao.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.taobao.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271748; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244cbe83570df263.php"; depth:21; nocase; http.host; content:"89.105.198.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271743; rev:1;) alert tcp $HOME_NET any -> [62.102.148.166] 3319 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"1.180.235.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"42.202.173.171"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"123.129.194.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"117.27.246.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"125.211.192.21"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"117.180.231.141"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271733; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"113.62.127.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"116.207.181.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/docs"; depth:5; nocase; http.host; content:"14.119.106.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/__utm.gif"; depth:10; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271723/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3c8gl60w-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-3c8gl60w-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.148.63"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271714; rev:1;) alert tcp $HOME_NET any -> [103.150.8.12] 5689 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.113.191.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.221.95.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/auth/v1/log"; depth:16; nocase; http.host; content:"47.93.40.122"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271706; rev:1;) alert tcp $HOME_NET any -> [117.72.72.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271705/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"117.72.72.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271704; rev:1;) alert tcp $HOME_NET any -> [80.66.75.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/m2m9iodw7rseqaswcw04yac"; depth:41; nocase; http.host; content:"helloboy.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helloboy.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271702; rev:1;) alert tcp $HOME_NET any -> [156.251.172.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271700/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip8806.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"vip8806.mom"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271698; rev:1;) alert tcp $HOME_NET any -> [8.218.192.174] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.testabcdtest.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.testabcdtest.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1271696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"49.234.58.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.139.160.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271693; rev:1;) alert tcp $HOME_NET any -> [94.103.86.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"94.103.86.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.116.187.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.39.109.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"360.wangli.cyou"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271687; rev:1;) alert tcp $HOME_NET any -> [154.198.227.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"360.wangli.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271686; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.27.158.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271685; rev:1;) alert tcp $HOME_NET any -> [114.132.120.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-izlolzm0-1318382624.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271683; rev:1;) alert tcp $HOME_NET any -> [118.31.116.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1271681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zscm"; depth:5; nocase; http.host; content:"103.116.247.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awybcwjc"; depth:9; nocase; http.host; content:"savoystocks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yrorantd"; depth:9; nocase; http.host; content:"savoystocks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"savoystocks.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.181.44.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.101.181.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271675; rev:1;) alert tcp $HOME_NET any -> [154.212.149.59] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/meeting/32251816/"; depth:18; nocase; http.host; content:"3.208.96.244"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271673/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus"; depth:17; nocase; http.host; content:"3.208.96.244"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271672/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271672; rev:1;) alert tcp $HOME_NET any -> [3.208.96.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271671; rev:1;) alert tcp $HOME_NET any -> [116.202.5.235] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271670; rev:1;) alert tcp $HOME_NET any -> [95.217.240.101] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271668; rev:1;) alert tcp $HOME_NET any -> [116.202.0.24] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271665; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271535; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271536/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271536; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11598 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271537/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271537; rev:1;) alert tcp $HOME_NET any -> [5.42.65.85] 45779 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"modularfunctiondev.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271585; rev:1;) alert tcp $HOME_NET any -> [45.90.57.51] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271614; rev:1;) alert tcp $HOME_NET any -> [174.138.28.28] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vip.manhquyen.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mediagift.vn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271620/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingu.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271499/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271499; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14141 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/full-scope-contracting"; depth:23; nocase; http.host; content:"pricelessdesign.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-the-difference-between-sla-ola-and-underpinning-contracts"; depth:66; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jayp.eu"; depth:7; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1271492/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/23/what-is-an-enterprise-agreements"; depth:44; nocase; http.host; content:"burleys.ca"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/11/what-tint-is-legal-in-new-mexico"; depth:44; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271337; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 52445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271048/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tool-seven.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfqpfwr1d"; depth:10; nocase; http.host; content:"submit-form.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bless/tsend.php"; depth:16; nocase; http.host; content:"a0979777.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0979777.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271053; rev:1;) alert tcp $HOME_NET any -> [80.249.146.170] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"polikarbonad.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"polikarbonad.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"polikarbonad.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"leckeier.ydidiya.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271033; rev:1;) alert tcp $HOME_NET any -> [194.9.6.197] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"advancedapiintegrations.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619471799"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620821253"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619468640"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620057897"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frjk.xyz"; 
depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frpk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frsk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frgk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; 
content:"frpk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frjk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frgk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frpk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271651; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frjk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"frgk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271649; rev:1;) alert tcp $HOME_NET any -> [91.92.250.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271648; rev:1;) alert tcp $HOME_NET any -> [206.81.30.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271647; rev:1;) alert tcp $HOME_NET any -> [8.134.211.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271646; rev:1;) alert tcp $HOME_NET any -> [43.136.99.149] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271645; rev:1;) alert tcp $HOME_NET any -> [107.172.90.243] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271644; rev:1;) alert tcp $HOME_NET any -> [43.132.156.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271643; rev:1;) alert tcp $HOME_NET any -> [46.246.12.25] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271642; rev:1;) alert tcp $HOME_NET any -> [46.246.12.25] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271641; rev:1;) alert tcp $HOME_NET any -> [46.246.12.25] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271640/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_16; classtype:trojan-activity; sid:91271640; rev:1;) alert tcp $HOME_NET any -> [197.94.217.65] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271639; rev:1;) alert tcp $HOME_NET any -> [41.99.107.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271638; rev:1;) alert tcp $HOME_NET any -> [70.31.125.232] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271637; rev:1;) alert tcp $HOME_NET any -> [23.227.198.228] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271636; rev:1;) alert tcp $HOME_NET any -> [23.227.198.228] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271635; rev:1;) alert tcp $HOME_NET any -> [87.106.230.151] 64443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1271634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271634; rev:1;) alert tcp $HOME_NET any -> [35.178.232.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271633; rev:1;) alert tcp $HOME_NET any -> [16.171.84.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271632; rev:1;) alert tcp $HOME_NET any -> [146.190.122.253] 47001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271630; rev:1;) alert tcp $HOME_NET any -> [146.190.122.253] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271631; rev:1;) alert tcp $HOME_NET any -> [104.225.129.140] 58883 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271629; rev:1;) alert tcp $HOME_NET any -> [45.9.148.129] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271628; rev:1;) alert tcp $HOME_NET any -> [43.134.118.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271627; rev:1;) alert tcp $HOME_NET any -> [91.107.207.2] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4b0f4886.php"; depth:13; nocase; http.host; content:"a0981474.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271625; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_16; classtype:trojan-activity; sid:91271624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/index.php/check.php"; depth:20; nocase; http.host; content:"164.90.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_16; classtype:trojan-activity; sid:91271623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/check.php"; depth:20; nocase; http.host; content:"164.90.149.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"aery-messages.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/t"; depth:12; nocase; http.host; content:"45.61.137.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981341.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1271617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_16; classtype:trojan-activity; sid:91271617; rev:1;) alert tcp $HOME_NET any -> [43.138.168.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-5xpqvjqk-1320366142.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-5xpqvjqk-1320366142.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/big/five/fre.php"; depth:17; nocase; http.host; content:"45.90.57.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"103.148.151.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271609; rev:1;) alert tcp $HOME_NET any -> [91.238.181.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/v3.82/1thwfwtjj8"; depth:23; nocase; http.host; content:"blmdiscount.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blmdiscount.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271605; rev:1;) alert tcp $HOME_NET any -> [91.238.181.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/level/v3.82/1thwfwtjj8"; depth:23; nocase; http.host; content:"blmdiscount.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271604; rev:1;) alert tcp $HOME_NET any -> [160.176.173.93] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-corts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utd-forts.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adrooz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"utm-adschuk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-advrez.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-drmka.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-fukap.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-msh.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adsname.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271598/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adschuk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-adsgoogle.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utm-advrez.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-inform.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz63343.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271589/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271589; rev:1;) alert tcp $HOME_NET any -> [5.42.96.100] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271588; rev:1;) alert tcp $HOME_NET any -> [104.129.21.246] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271586; rev:1;) alert tcp $HOME_NET any -> [185.12.14.54] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271587; rev:1;) alert tcp $HOME_NET any -> [91.92.255.209] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271584; rev:1;) alert tcp $HOME_NET any -> [177.60.122.85] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271583; rev:1;) alert tcp $HOME_NET any -> [103.200.124.194] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271580; rev:1;) alert tcp $HOME_NET any -> [103.200.124.195] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271581; rev:1;) alert tcp $HOME_NET any -> [103.200.124.197] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271582; rev:1;) alert tcp $HOME_NET any -> [89.121.228.226] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271579; rev:1;) alert tcp $HOME_NET any -> [54.39.249.55] 81 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271578; rev:1;) alert tcp $HOME_NET any -> [47.120.35.45] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271577; rev:1;) alert tcp $HOME_NET any -> [24.14.83.31] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271576; rev:1;) alert tcp $HOME_NET any -> [14.225.208.152] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0981008.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271574; rev:1;) alert tcp $HOME_NET any -> [199.223.235.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271573; rev:1;) alert tcp $HOME_NET any -> [187.24.4.218] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271572; rev:1;) alert tcp $HOME_NET any -> [178.215.236.224] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271570; rev:1;) alert tcp $HOME_NET any -> [88.138.253.60] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271569; rev:1;) alert tcp $HOME_NET any -> [51.81.169.92] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271568; rev:1;) alert tcp $HOME_NET any -> [45.88.186.125] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271562; rev:1;) alert tcp $HOME_NET any -> [45.88.186.125] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271563; rev:1;) alert tcp $HOME_NET any -> [45.88.186.197] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271564; rev:1;) alert tcp $HOME_NET any -> [45.88.186.197] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271565; rev:1;) alert tcp $HOME_NET any -> [45.88.186.197] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271566; rev:1;) alert tcp $HOME_NET any -> [45.88.186.197] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271567; rev:1;) alert tcp $HOME_NET any -> [45.88.186.125] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271561; rev:1;) alert tcp $HOME_NET any -> [109.116.71.248] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; 
nocase; http.host; content:"94.156.68.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271559; rev:1;) alert tcp $HOME_NET any -> [94.156.68.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271558; rev:1;) alert tcp $HOME_NET any -> [91.92.255.16] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271550; rev:1;) alert tcp $HOME_NET any -> [91.92.255.79] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271551; rev:1;) alert tcp $HOME_NET any -> [94.156.64.5] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271552; rev:1;) alert tcp $HOME_NET any -> [94.156.64.90] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271553; 
rev:1;) alert tcp $HOME_NET any -> [94.156.69.161] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271554; rev:1;) alert tcp $HOME_NET any -> [94.156.69.163] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271555; rev:1;) alert tcp $HOME_NET any -> [94.156.69.164] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271556; rev:1;) alert tcp $HOME_NET any -> [94.156.69.166] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271557; rev:1;) alert tcp $HOME_NET any -> [91.92.251.153] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271546; rev:1;) alert tcp $HOME_NET any -> [91.92.251.179] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271547; rev:1;) alert tcp $HOME_NET any -> [91.92.251.245] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271548; rev:1;) alert tcp $HOME_NET any -> [91.92.254.21] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271549; rev:1;) alert tcp $HOME_NET any -> [91.92.251.136] 4443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271545; rev:1;) alert tcp $HOME_NET any -> [91.92.246.53] 5554 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"91.92.245.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271543; rev:1;) alert tcp $HOME_NET any -> [91.92.245.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271542; rev:1;) alert tcp $HOME_NET any -> [91.92.243.214] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"ace.cmicro.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ace.cmicro.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271539; rev:1;) alert tcp $HOME_NET any -> [2.58.15.239] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271538; rev:1;) alert tcp $HOME_NET any -> [38.54.33.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271534; rev:1;) alert tcp $HOME_NET any -> [45.142.36.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271533; rev:1;) alert tcp $HOME_NET any -> [172.105.37.93] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arista-onelogein.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"character-acquisitions.gl.at.ply.gg"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271529; rev:1;) alert tcp $HOME_NET any -> [185.196.8.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271528/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271528; rev:1;) alert tcp $HOME_NET any -> [91.202.233.228] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271527; rev:1;) alert tcp $HOME_NET any -> [139.59.32.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271526; rev:1;) alert tcp $HOME_NET any -> [167.235.28.146] 63333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271525; rev:1;) alert tcp $HOME_NET any -> [118.195.138.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271524; rev:1;) alert tcp $HOME_NET any -> [89.116.159.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271523; rev:1;) alert tcp $HOME_NET any -> [47.94.143.32] 8888 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271522; rev:1;) alert tcp $HOME_NET any -> [86.185.5.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271521; rev:1;) alert tcp $HOME_NET any -> [69.159.0.52] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271520; rev:1;) alert tcp $HOME_NET any -> [83.213.204.133] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271519; rev:1;) alert tcp $HOME_NET any -> [189.140.14.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271518; rev:1;) alert tcp $HOME_NET any -> [50.35.133.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271517; rev:1;) alert tcp $HOME_NET any -> [45.153.70.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271516; rev:1;) alert tcp $HOME_NET any -> [5.42.104.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271515; rev:1;) alert tcp $HOME_NET any -> [65.109.237.32] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271514; rev:1;) alert tcp $HOME_NET any -> [128.199.184.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271513; rev:1;) alert tcp $HOME_NET any -> [104.238.61.20] 7800 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271512; rev:1;) alert tcp $HOME_NET any -> [173.44.141.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271511; rev:1;) alert tcp $HOME_NET any -> [110.168.29.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271510; rev:1;) alert tcp $HOME_NET any -> [80.79.4.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271509; rev:1;) alert tcp $HOME_NET any -> [162.0.233.89] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d3/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271507; rev:1;) alert tcp $HOME_NET any -> [173.44.141.207] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271506; rev:1;) alert tcp $HOME_NET any -> [170.130.165.157] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271505; rev:1;) alert tcp $HOME_NET any -> [173.44.141.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestshawls.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271503; rev:1;) alert tcp $HOME_NET any -> [173.44.141.50] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsid/google/ui"; depth:16; nocase; http.host; content:"82.180.133.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271496; rev:1;) alert tcp $HOME_NET any -> 
[82.180.133.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271497; rev:1;) alert tcp $HOME_NET any -> [82.180.133.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.meedicalabc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adsid/google/ui"; depth:16; nocase; http.host; content:"support.meedicalabc.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.128.43.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271490; rev:1;) alert 
tcp $HOME_NET any -> [43.128.43.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271489; rev:1;) alert tcp $HOME_NET any -> [198.23.149.76] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"172.245.79.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271487; rev:1;) alert tcp $HOME_NET any -> [172.245.79.26] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271486; rev:1;) alert tcp $HOME_NET any -> [107.173.168.25] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.172.60.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271484; rev:1;) alert tcp $HOME_NET any -> [107.172.60.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.maomwxb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271482; rev:1;) alert tcp $HOME_NET any -> [104.168.102.175] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hell.hydracenter.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271480; rev:1;) alert tcp $HOME_NET any -> [23.94.14.151] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1271479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271479; rev:1;) alert tcp $HOME_NET any -> [47.254.149.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271478; rev:1;) alert tcp $HOME_NET any -> [47.236.31.187] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271477; rev:1;) alert tcp $HOME_NET any -> [47.76.42.3] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271476; rev:1;) alert tcp $HOME_NET any -> [124.71.143.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271475; rev:1;) alert tcp $HOME_NET any -> [124.71.41.210] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271473; rev:1;) alert tcp $HOME_NET any -> [124.71.41.210] 
8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271474; rev:1;) alert tcp $HOME_NET any -> [121.37.67.93] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271472; rev:1;) alert tcp $HOME_NET any -> [120.46.36.55] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271471; rev:1;) alert tcp $HOME_NET any -> [119.3.216.120] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271470; rev:1;) alert tcp $HOME_NET any -> [1.94.49.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271469; rev:1;) alert tcp $HOME_NET any -> [1.94.49.55] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271468/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xqp.loveyoueverytime.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271467; rev:1;) alert tcp $HOME_NET any -> [123.56.116.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271466; rev:1;) alert tcp $HOME_NET any -> [121.196.193.233] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271465; rev:1;) alert tcp $HOME_NET any -> [121.196.193.233] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271464; rev:1;) alert tcp $HOME_NET any -> [120.79.157.3] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.76.197.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271462; rev:1;) alert tcp $HOME_NET any -> [120.76.197.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271461; rev:1;) alert tcp $HOME_NET any -> [120.27.158.236] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.14.90.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271459; rev:1;) alert tcp $HOME_NET any -> [106.14.90.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271458; rev:1;) alert tcp $HOME_NET any -> [101.201.105.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271457; rev:1;) alert tcp $HOME_NET any -> [59.110.6.203] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271456; rev:1;) alert tcp $HOME_NET any -> [47.117.174.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.99.151.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271454; rev:1;) alert tcp $HOME_NET any -> [47.99.151.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-f9dx5hom-1305082597.gz.tencentapigw.com.cn"; depth:50; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271452; rev:1;) alert tcp $HOME_NET any -> [47.92.174.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271451; rev:1;) alert tcp $HOME_NET any -> [47.92.85.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lu8tgeea-1305082597.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271449; rev:1;) alert tcp $HOME_NET any -> [39.100.102.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271448; rev:1;) alert tcp $HOME_NET any -> [8.137.107.238] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271447; rev:1;) alert tcp $HOME_NET any -> [156.242.47.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271445; rev:1;) alert tcp $HOME_NET any -> [156.242.47.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271446; rev:1;) alert tcp $HOME_NET any -> [156.242.46.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271438; rev:1;) alert tcp $HOME_NET any -> [156.242.47.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271439; rev:1;) alert tcp $HOME_NET any -> [156.242.47.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271440; rev:1;) alert tcp $HOME_NET any -> [156.242.47.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271441; rev:1;) alert tcp $HOME_NET any -> [156.242.47.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271442; rev:1;) alert tcp $HOME_NET any -> [156.242.47.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271443; rev:1;) alert tcp $HOME_NET any -> [156.242.47.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271444; rev:1;) alert tcp $HOME_NET any -> [156.242.46.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271431; rev:1;) alert tcp $HOME_NET any -> [156.242.46.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271432; rev:1;) alert tcp $HOME_NET any -> [156.242.46.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271433; rev:1;) alert tcp $HOME_NET any -> [156.242.46.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271434; rev:1;) alert tcp $HOME_NET any -> [156.242.46.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271435; rev:1;) alert tcp $HOME_NET any -> [156.242.46.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271436; rev:1;) alert tcp $HOME_NET any -> [156.242.46.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271437; rev:1;) alert tcp $HOME_NET any -> [156.242.46.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271424; rev:1;) alert tcp $HOME_NET any -> [156.242.46.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271425; rev:1;) alert tcp $HOME_NET any -> [156.242.46.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271426; rev:1;) alert tcp $HOME_NET any -> [156.242.46.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271427; rev:1;) alert tcp $HOME_NET any -> [156.242.46.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271428; rev:1;) alert tcp $HOME_NET any -> [156.242.46.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271429; rev:1;) alert tcp 
$HOME_NET any -> [156.242.46.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271430; rev:1;) alert tcp $HOME_NET any -> [156.242.45.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271417; rev:1;) alert tcp $HOME_NET any -> [156.242.45.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271418; rev:1;) alert tcp $HOME_NET any -> [156.242.46.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271419; rev:1;) alert tcp $HOME_NET any -> [156.242.46.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271420; rev:1;) alert tcp $HOME_NET any -> [156.242.46.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1271421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271421; rev:1;) alert tcp $HOME_NET any -> [156.242.46.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271422; rev:1;) alert tcp $HOME_NET any -> [156.242.46.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271423; rev:1;) alert tcp $HOME_NET any -> [156.242.44.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271410; rev:1;) alert tcp $HOME_NET any -> [156.242.44.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271411; rev:1;) alert tcp $HOME_NET any -> [156.242.45.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271412; rev:1;) alert tcp $HOME_NET any -> [156.242.45.201] 
50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271413; rev:1;) alert tcp $HOME_NET any -> [156.242.45.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271414; rev:1;) alert tcp $HOME_NET any -> [156.242.45.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271415; rev:1;) alert tcp $HOME_NET any -> [156.242.45.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271416; rev:1;) alert tcp $HOME_NET any -> [156.242.44.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271404; rev:1;) alert tcp $HOME_NET any -> [156.242.44.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271405/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271405; rev:1;) alert tcp $HOME_NET any -> [156.242.44.202] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271406; rev:1;) alert tcp $HOME_NET any -> [156.242.44.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271407; rev:1;) alert tcp $HOME_NET any -> [156.242.44.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271408; rev:1;) alert tcp $HOME_NET any -> [156.242.44.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271409; rev:1;) alert tcp $HOME_NET any -> [156.242.43.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271397; rev:1;) alert tcp $HOME_NET any -> [156.242.43.217] 50050 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271398; rev:1;) alert tcp $HOME_NET any -> [156.242.43.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271399; rev:1;) alert tcp $HOME_NET any -> [156.242.43.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271400; rev:1;) alert tcp $HOME_NET any -> [156.242.43.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271401; rev:1;) alert tcp $HOME_NET any -> [156.242.43.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271402; rev:1;) alert tcp $HOME_NET any -> [156.242.44.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271403/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271403; rev:1;) alert tcp $HOME_NET any -> [156.242.42.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271391; rev:1;) alert tcp $HOME_NET any -> [156.242.42.221] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271392; rev:1;) alert tcp $HOME_NET any -> [156.242.43.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271393; rev:1;) alert tcp $HOME_NET any -> [156.242.43.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271394; rev:1;) alert tcp $HOME_NET any -> [156.242.43.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271395; rev:1;) alert tcp $HOME_NET any -> [156.242.43.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271396; rev:1;) alert tcp $HOME_NET any -> [156.242.41.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271384; rev:1;) alert tcp $HOME_NET any -> [156.242.41.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271385; rev:1;) alert tcp $HOME_NET any -> [156.242.41.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271386; rev:1;) alert tcp $HOME_NET any -> [156.242.42.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271387; rev:1;) alert tcp $HOME_NET any -> [156.242.42.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271388/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_15; classtype:trojan-activity; sid:91271388; rev:1;) alert tcp $HOME_NET any -> [156.242.42.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271389; rev:1;) alert tcp $HOME_NET any -> [156.242.42.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271390; rev:1;) alert tcp $HOME_NET any -> [156.242.40.219] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271377; rev:1;) alert tcp $HOME_NET any -> [156.242.40.220] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271378; rev:1;) alert tcp $HOME_NET any -> [156.242.40.221] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271379; rev:1;) alert tcp $HOME_NET any -> [156.242.41.196] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271380; rev:1;) alert tcp $HOME_NET any -> [156.242.41.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271381; rev:1;) alert tcp $HOME_NET any -> [156.242.41.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271382; rev:1;) alert tcp $HOME_NET any -> [156.242.41.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271383; rev:1;) alert tcp $HOME_NET any -> [156.242.40.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271370; rev:1;) alert tcp $HOME_NET any -> [156.242.40.214] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271371; rev:1;) alert tcp $HOME_NET any -> [156.242.40.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271372; rev:1;) alert tcp $HOME_NET any -> [156.242.40.217] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271373; rev:1;) alert tcp $HOME_NET any -> [156.242.40.218] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271374; rev:1;) alert tcp $HOME_NET any -> [156.242.40.218] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271375; rev:1;) alert tcp $HOME_NET any -> [156.242.40.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271376; rev:1;) alert tcp $HOME_NET any -> [156.242.40.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271363; rev:1;) alert tcp $HOME_NET any -> [156.242.40.204] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271364; rev:1;) alert tcp $HOME_NET any -> [156.242.40.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271365; rev:1;) alert tcp $HOME_NET any -> [156.242.40.205] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271366; rev:1;) alert tcp $HOME_NET any -> [156.242.40.206] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271367; rev:1;) alert tcp $HOME_NET any -> [156.242.40.207] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271368; 
rev:1;) alert tcp $HOME_NET any -> [156.242.40.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271369; rev:1;) alert tcp $HOME_NET any -> [156.242.40.195] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271356; rev:1;) alert tcp $HOME_NET any -> [156.242.40.196] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271357; rev:1;) alert tcp $HOME_NET any -> [156.242.40.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271358; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271359; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1271360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271360; rev:1;) alert tcp $HOME_NET any -> [156.242.40.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271361; rev:1;) alert tcp $HOME_NET any -> [156.242.40.203] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271362; rev:1;) alert tcp $HOME_NET any -> [156.242.40.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271353; rev:1;) alert tcp $HOME_NET any -> [156.242.40.194] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271354; rev:1;) alert tcp $HOME_NET any -> [156.242.40.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271355; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.223.163.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271352; rev:1;) alert tcp $HOME_NET any -> [124.223.163.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271351; rev:1;) alert tcp $HOME_NET any -> [124.222.91.4] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-k2snyjb7-1326503875.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271349; rev:1;) alert tcp $HOME_NET any -> [119.45.224.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271348; rev:1;) alert tcp $HOME_NET any -> [118.25.85.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-a7h4x98o-1257783886.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271346; rev:1;) alert tcp $HOME_NET any -> [111.230.112.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271344; rev:1;) alert tcp $HOME_NET any -> [111.230.112.171] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271345; rev:1;) alert tcp $HOME_NET any -> [106.55.164.217] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271343; rev:1;) alert tcp $HOME_NET any -> [101.43.24.140] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271342/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271342; rev:1;) alert tcp $HOME_NET any -> [101.43.24.140] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271340; rev:1;) alert tcp $HOME_NET any -> [101.43.24.140] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271341; rev:1;) alert tcp $HOME_NET any -> [82.156.145.233] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271339; rev:1;) alert tcp $HOME_NET any -> [43.139.160.164] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"42.192.67.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; 
sid:91271336; rev:1;) alert tcp $HOME_NET any -> [42.192.67.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagerequestcpudefaultdblinux.php"; depth:41; nocase; http.host; content:"339380cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updateserverasynctestdle.php"; depth:29; nocase; http.host; content:"softworker.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271333; rev:1;) alert tcp $HOME_NET any -> [5.75.214.104] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271087; rev:1;) alert tcp $HOME_NET any -> [5.75.214.74] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.74"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271083; rev:1;) alert tcp $HOME_NET any -> [116.202.5.235] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271084; rev:1;) alert tcp $HOME_NET any -> [95.217.240.101] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271085; rev:1;) alert tcp $HOME_NET any -> [5.75.220.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271082; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.220.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.beenewsdream.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271077; rev:1;) alert tcp $HOME_NET any -> [104.156.244.171] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271078/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_15; classtype:trojan-activity; sid:91271078; rev:1;) alert tcp $HOME_NET any -> [49.234.58.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"49.234.58.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"213.109.202.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271072; rev:1;) alert tcp $HOME_NET any -> [213.109.202.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
# NOTE(review): this stretch was collapsed onto one line by extraction; it is laid out
# again one rule per line (the form Suricata loads) with the rule text itself unchanged.
# The leading and trailing fragments belong to rules that continue on the neighbouring
# lines and are kept exactly as found.
60, count 1; reference:url, threatfox.abuse.ch/ioc/1271073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271073; rev:1;)
# ip:port rule: carries no flow keyword, so as written it is evaluated per TCP packet
# sent from $HOME_NET to 5.161.187.89:443 (an unanswered SYN is enough to alert);
# the threshold caps output to one alert per source address per 60 s.
alert tcp $HOME_NET any -> [5.161.187.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271071; rev:1;)
# url rule for the same host: http.host is an exact match (depth + isdataat:!1,relative),
# but the http.uri content has no such anchor, so any URI that *begins* with /dot.gif
# (e.g. one with a query string appended) matches. The http.* buffers are only filled
# when the request is visible to the sensor in cleartext; requests to this host's TLS
# port are covered by the ip:port rule above only — assumption about sensor placement,
# confirm locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"5.161.187.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271070; rev:1;)
# sid:91271069 and sid:91271068 below have identical match criteria (GET /af/fgjds2u
# on host 1.12.55.117) and differ only in sid and ThreatFox reference, so one request
# raises two alerts. If deduplicating, keep a single rule and carry both references.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/af/fgjds2u"; depth:11; nocase; http.host; content:"1.12.55.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271068; rev:1;)
# start of a rule whose remainder is on the following line
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.224.0.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.102.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.92.75.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.134.102.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.12.31.24"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1271063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"113.142.27.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271061; rev:1;) alert tcp $HOME_NET any -> [139.159.192.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"111.63.149.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"61.240.220.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271059; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"42.177.83.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/analytics/v1_upload"; depth:20; nocase; http.host; content:"113.194.50.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271057; rev:1;) alert tcp $HOME_NET any -> [107.172.61.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"107.172.61.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1271050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processordbtraffictrackdatalife.php"; depth:36; nocase; http.host; content:"jewokfweteto.skibiteamx.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.175.158.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; 
classtype:trojan-activity; sid:91271041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"preachy-multiplex.000webhostapp.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1271028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271028; rev:1;) alert tcp $HOME_NET any -> [152.136.174.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"forgreatestgoal.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"forgreatestgoal.site"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"forgreatestgoal.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271025; rev:1;) alert tcp $HOME_NET any -> [82.197.68.240] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1271027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271027; rev:1;)
# ---------------------------------------------------------------------------
# NOTE(review): this rendering of the feed wrapped lines in the middle of rules.
# Suricata requires one rule per line, so the rules below are laid out one per
# line; no keyword, value, sid or reference has been changed. Three rule shapes
# appear in this section:
#   ip:port  - `alert tcp` to one destination with no flow or content match, so
#              any packet to that ip:port (a bare SYN included) fires; the
#              `threshold: type limit ... seconds 60, count 1` caps it at one
#              alert per source per minute. IP indicators go stale quickly:
#              check first_seen (in metadata) before treating a hit as live C2.
#   url      - http.uri is a prefix match (`depth:N` only, no end anchor) while
#              http.host is an exact match (`depth:N` + `isdataat:!1,relative`),
#              so a `www.` variant of the listed host does NOT fire.
#   domain   - exact, case-insensitive match on the queried name (dns_query).
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.zaloweb.ink"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271026; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271013; rev:1;)
# The two "payload delivery" URLs below are article-style paths on otherwise
# ordinary-looking sites (asleman.org, curecvc.com). That pattern usually means a
# compromised legitimate site: block the exact URL, as the rule does, not the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/01/17/tattooing-from-home-laws-in-alberta-what-you-need-to-know"; depth:69; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271010; rev:1;)
alert tcp $HOME_NET any -> [45.245.103.148] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271011; rev:1;)
# Dynamic-DNS names (ddns.net, duckdns.org): the label is attacker-controlled and
# the apex is shared by many users, so keep the match on the full name as written.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"venomm.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271012; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"okilometros.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1271005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oklahoma-street-legal-vehicle-requirements"; depth:43; nocase; http.host; content:"curecvc.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271007; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.25] 1992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271004; rev:1;)
alert tcp $HOME_NET any -> [68.233.238.115] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_15; classtype:trojan-activity; sid:91270991; rev:1;)
# "/manual.php" recurs on many unrelated hosts in this feed (catering-szafran.pl,
# catalogodecosmetica.com, calderconsultants.com, and more further down): one
# distribution campaign, one host-exact rule per site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"catering-szafran.pl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271000; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91270987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"catalogodecosmetica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91270988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"calderconsultants.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91270985; rev:1;)
alert tcp $HOME_NET any -> [45.137.22.150] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271022; rev:1;)
# Confidence 50 with no family attribution ("Unknown malware"): useful as
# enrichment on an existing alert, weak on its own; ports 80/3333/8888 see
# plenty of benign traffic.
alert tcp $HOME_NET any -> [149.154.65.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271021; rev:1;)
alert tcp $HOME_NET any -> [104.248.131.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271020; rev:1;)
alert tcp $HOME_NET any -> [101.43.26.191] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271019; rev:1;)
alert tcp $HOME_NET any -> [41.99.115.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271018; rev:1;)
alert tcp $HOME_NET any -> [38.60.203.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271017; rev:1;)
alert tcp $HOME_NET any -> [13.51.174.30] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271016; rev:1;)
alert tcp $HOME_NET any -> [193.122.115.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271015; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.62] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_15; classtype:trojan-activity; sid:91271014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geodefaultsqllinuxgeneratortesttrackdownloadstemporary.php"; depth:59; nocase; http.host; content:"266026cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1271009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271009; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 19048 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_15; classtype:trojan-activity; sid:91271008; rev:1;)
# 94.156.68.141 is covered twice on purpose: the ip:port rule fires on the first
# packet to port 80, the url rule that follows it fires on the GET to
# /h9fmdw5/index.php on the same host. Expect both alerts for one infection.
alert tcp $HOME_NET any -> [94.156.68.141] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1271006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_15; classtype:trojan-activity; sid:91271006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h9fmdw5/index.php"; depth:18; nocase; http.host; content:"94.156.68.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270998; rev:1;)
# NOTE(review): rules in this section are laid out one per line as Suricata
# requires (the feed rendering had wrapped them mid-rule); keywords, values,
# sids and references are unchanged.
alert tcp $HOME_NET any -> [185.241.208.23] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270999; rev:1;)
alert tcp $HOME_NET any -> [45.61.137.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270997; rev:1;)
# www.checktimes.top: DNS rule and URL rule for the same host; the DNS rule fires
# at resolution time, before any HTTP request, so it is the earlier signal.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.checktimes.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270996; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/promote/static/xv4splmog"; depth:25; nocase; http.host; content:"www.checktimes.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270995; rev:1;)
alert tcp $HOME_NET any -> [114.132.98.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270994; rev:1;)
# NOTE(review): 192.168.117.134 is an RFC 1918 address. With $HOME_NET ->
# $EXTERNAL_NET this rule cannot match in a normal deployment (the destination is
# inside HOME_NET), and if it ever did the hit would be a lab/sandbox artefact of
# the submitter rather than live C2. Candidate for local suppression.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"192.168.117.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270993; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d2/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270992; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flexiblemaria.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270990; rev:1;)
alert tcp $HOME_NET any -> [66.63.188.21] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270989; rev:1;)
alert tcp $HOME_NET any -> [146.190.15.117] 60169 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270986; rev:1;)
# "/manual.php" distribution cluster continues (bvp.ch, brastal.pl, bramafhu.pl,
# businesstraveller.pl). Each rule is host-exact, so a www. form of the host does
# not fire. Duplicate submissions: sid:91270689 / sid:91270694 (brastal.pl) and
# sid:91270692 / sid:91270697 (bramafhu.pl) differ only in sid and reference, so
# one request raises two alerts; suppress one of each pair locally
# (threshold.config) rather than editing this regenerated feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bvp.ch"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/general-manager-role-key-responsibilities-and-legal-implications"; depth:65; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270688; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"brastal.pl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270689; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bramafhu.pl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270692; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"brastal.pl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270694; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bramafhu.pl"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270697; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"businesstraveller.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270700; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"franccoisfreres.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270742; rev:1;)
# FAKEUPDATES infrastructure is listed per port (147.45.78.168 on :443 and :80)
# at confidence 50; the same host on two ports means two sids and two alerts.
alert tcp $HOME_NET any -> [31.44.4.118] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270738; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.168] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270983; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.168] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270984; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.8] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270982; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.8] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270981; rev:1;)
# Port 22: any SSH session from HOME_NET to this address alerts (confidence 50).
alert tcp $HOME_NET any -> [2.50.7.21] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; 
sid:91270980; rev:1;)
# NOTE(review): rules in this section are laid out one per line as Suricata
# requires (the feed rendering had wrapped them mid-rule); keywords, values,
# sids and references are unchanged.
alert tcp $HOME_NET any -> [167.56.67.81] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270979; rev:1;)
alert tcp $HOME_NET any -> [162.216.243.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270978; rev:1;)
alert tcp $HOME_NET any -> [156.253.7.77] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270977; rev:1;)
# 39.98.60.175 is also listed on :8443 (sid:91270716) later in this file.
alert tcp $HOME_NET any -> [39.98.60.175] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270974; rev:1;)
# vsj888.shop: URL rule plus DNS rule for the apex; the gov.vsj888.shop subdomain
# has its own pair (sid:91270714 / sid:91270715) further down, because both
# matches are exact and the apex rule does not cover the subdomain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.js"; depth:9; nocase; http.host; content:"vsj888.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vsj888.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270973; rev:1;)
# Same URI and host were also submitted as sid:91270712 (further down); one
# request raises both alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270971; rev:1;)
# TCP/53 only: catches a listener on the DNS port (or DNS-over-TCP to it);
# UDP/53 to this address is not covered by this rule.
alert tcp $HOME_NET any -> [45.142.36.59] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.jakithebest.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270969; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.99] 13359 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270743; rev:1;)
# sid:91270741 (75%) and sid:91270740 (100%) are the same URL submitted twice;
# one request raises both alerts. Keep the 100% one if you suppress.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"franccoisfreres.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"franccoisfreres.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270740; rev:1;)
alert tcp $HOME_NET any -> [79.110.49.184] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270739; rev:1;)
# FAKEUPDATES hosts listed on both :80 and :443 at confidence 50 (two sids each).
alert tcp $HOME_NET any -> [167.235.231.252] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270737; rev:1;)
alert tcp $HOME_NET any -> [167.235.231.252] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270736; rev:1;)
alert tcp $HOME_NET any -> [86.124.171.111] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270735; rev:1;)
alert tcp $HOME_NET any -> [86.124.171.111] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270734; rev:1;)
alert tcp $HOME_NET any -> [201.124.50.186] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270733; rev:1;)
alert tcp $HOME_NET any -> [47.101.67.119] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270732/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270732; rev:1;)
alert tcp $HOME_NET any -> [64.225.27.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270731; rev:1;)
# The URI below looks like a Gmail static-asset path; the ip:port rule that
# follows tags the same address (47.117.174.198) as Cobalt Strike, so expect the
# two rules to fire together on one beacon.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.117.174.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270729; rev:1;)
alert tcp $HOME_NET any -> [47.117.174.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270730; rev:1;)
# Short URIs (/j.ad, /pixel, /visit.js, /ptj ...) are prefix matches -- "/pixel"
# also matches "/pixels.png" -- so the exact host match that follows each one,
# not the URI, is what keeps false positives down.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"89.187.28.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"36.111.191.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"13.232.63.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.40.127.134"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270725; rev:1;)
# NOTE(review): rules in this section are laid out one per line as Suricata
# requires (the feed rendering had wrapped them mid-rule); keywords, values,
# sids and references are unchanged.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.17.119.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"45.136.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270723; rev:1;)
# Per-tenant hostname on a shared cloud API gateway (tencentapigw.com.cn). Keep
# the match host-exact as written -- widening it to the parent domain would hit
# every customer of that gateway. The DNS rule and the /api/x URL rule (sid
# 91270720) cover the same hostname.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kj4ef32e-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270721; rev:1;)
alert tcp $HOME_NET any -> [113.31.105.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-kj4ef32e-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270720; rev:1;)
alert tcp $HOME_NET any -> [175.178.49.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270719; rev:1;)
# "/cm" with depth:3 is a three-byte prefix: any URI starting "/cm" to
# 141.98.7.79 fires. Acceptable because the host is pinned; the ip:port rule
# that follows tags the same address as Cobalt Strike.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"141.98.7.79"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270717; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270718; rev:1;)
# 39.98.60.175 is also listed on :2083 (sid:91270974) earlier in this file.
alert tcp $HOME_NET any -> [39.98.60.175] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270716; rev:1;)
# gov.vsj888.shop: URL + DNS pair for the subdomain. The apex (vsj888.shop,
# sid:91270972 / sid:91270973) has its own pair because both matches are exact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.js"; depth:9; nocase; http.host; content:"gov.vsj888.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gov.vsj888.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270715; rev:1;)
# The remaining url rules (/ptj, /push, /dot.gif, /visit.js, /en_us/all.js,
# /load, /dpixel, /fwlink) look like default Malleable-C2 profile GET paths; the
# feed tags neighbouring ip:port indicators as Cobalt Strike but does not name a
# family for these url entries, so treat that attribution as likely, not
# confirmed. Each URI is a prefix match; the exact host match does the work.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"192.3.24.157"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270713; rev:1;)
# Same URI and host as sid:91270971 (earlier in this file); one request raises
# both alerts -- suppress one locally if that is noise.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.243.26.247"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.92.96.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270711; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.168.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270707; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270706; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270705; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1270702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"13.232.63.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270686; rev:1;) alert tcp $HOME_NET any -> [13.232.63.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/async/info"; depth:18; nocase; http.host; content:"103.148.151.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270685; rev:1;) alert tcp $HOME_NET any -> [64.7.198.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.jumpsrever.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jumpsrever.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270683; rev:1;) alert tcp $HOME_NET any -> [95.217.28.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270680; rev:1;) alert tcp $HOME_NET any -> [88.99.124.6] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"88.99.124.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k0mono"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199686524322"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270676; rev:1;) alert tcp $HOME_NET any -> [94.156.65.181] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270675; rev:1;) alert tcp $HOME_NET any -> [2.58.95.97] 33335 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senpaiontop.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpc"; depth:4; nocase; http.host; content:"1.14.192.93"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"booking.intersport.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270670; rev:1;) alert tcp $HOME_NET any -> [107.175.212.20] 2877 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270671; rev:1;) alert tcp $HOME_NET any -> [38.55.144.53] 12340 
(msg:"ThreatFox Rekoobe botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270658; rev:1;) alert tcp $HOME_NET any -> [23.226.57.2] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270657/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270657; rev:1;) alert tcp $HOME_NET any -> [109.176.199.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270656; rev:1;) alert tcp $HOME_NET any -> [172.105.15.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270655; rev:1;) alert tcp $HOME_NET any -> [154.12.35.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270654; rev:1;) alert tcp $HOME_NET any -> [189.140.20.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270653/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_14; classtype:trojan-activity; sid:91270653; rev:1;) alert tcp $HOME_NET any -> [41.97.68.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270652; rev:1;) alert tcp $HOME_NET any -> [70.31.125.171] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270651; rev:1;) alert tcp $HOME_NET any -> [83.110.197.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270650; rev:1;) alert tcp $HOME_NET any -> [85.102.166.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270649; rev:1;) alert tcp $HOME_NET any -> [38.207.176.36] 9999 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270648; rev:1;) alert tcp $HOME_NET any -> [207.148.125.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1270647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270647; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20035 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270646; rev:1;) alert tcp $HOME_NET any -> [172.233.172.190] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270645; rev:1;) alert tcp $HOME_NET any -> [52.174.178.162] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270644; rev:1;) alert tcp $HOME_NET any -> [167.99.191.228] 31338 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_14; classtype:trojan-activity; sid:91270643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcmaster-collective-agreement-faculty"; depth:38; nocase; http.host; content:"bigcheeserodents.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270613/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zkfileshost.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wasabiwallet.is"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270615; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strutitinca.ro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270622; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12841 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270623; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12841 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"o.tpc.ngrok.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"capty.nut.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270627; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270602; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270603; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 34625 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; 
classtype:trojan-activity; sid:91270570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vacation-nails.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270571; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"boisebrides.keydesigndevelopment.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270573; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 10948 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_14; classtype:trojan-activity; sid:91270569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsapp.apk"; depth:13; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270556/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_14; classtype:trojan-activity; sid:91270556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kavach.apk"; depth:11; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/foody.apk"; depth:10; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsapp%20%282%29.apk"; depth:23; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hidden.apk"; depth:11; nocase; http.host; content:"4.194.25.153"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgada.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270631/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270631; rev:1;) alert tcp $HOME_NET any -> [8.209.111.227] 12814 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgada124.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kapankralda.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakaplandalgadadas.com"; depth:24; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1270632/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"neredekalgelsn3.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kamarkadals53.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"manavkaradas.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karacellalder.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; 
sid:91270636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"kamaradas412.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karadalganagerekta2.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_14; classtype:trojan-activity; sid:91270638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/06/08/secret-agreement-between-germany"; depth:44; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"booking.chaletsphilippe.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetocpuupdateapitemporary.php"; depth:33; nocase; http.host; content:"taketa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270642; rev:1;) alert tcp $HOME_NET any -> [193.149.176.178] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270620; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270618; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270617; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16602 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_14; classtype:trojan-activity; sid:91270616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/httpdefaultpublicuploads.php"; depth:29; nocase; http.host; content:"642229cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270612; rev:1;) alert tcp $HOME_NET any -> [160.177.79.24] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270611; rev:1;) alert tcp $HOME_NET any -> [92.118.170.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"92.118.170.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270609; rev:1;) alert tcp $HOME_NET any -> [111.230.25.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"111.230.25.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270607; rev:1;) alert tcp $HOME_NET any -> [5.42.96.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270606; rev:1;) alert tcp $HOME_NET any -> [5.42.96.86] 41441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0974467.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270604; rev:1;) alert tcp $HOME_NET any -> [45.137.22.143] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270600; rev:1;) alert tcp $HOME_NET any -> [97.74.93.173] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270599; rev:1;) alert tcp $HOME_NET any -> [154.64.253.40] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270598; rev:1;) alert tcp $HOME_NET any -> [89.148.139.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270597; rev:1;) alert tcp $HOME_NET any -> [185.216.68.100] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270596; rev:1;) alert tcp $HOME_NET any -> [77.232.137.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270595; rev:1;) alert tcp $HOME_NET any -> [45.32.100.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270594; rev:1;) alert tcp $HOME_NET any -> [198.46.215.32] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270593; rev:1;) alert tcp $HOME_NET any -> [212.47.247.193] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270592; rev:1;) alert tcp $HOME_NET any -> [193.227.134.247] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270591; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20036 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270590; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20032 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270588; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20034 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270589/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_13; classtype:trojan-activity; sid:91270589; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20031 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270587; rev:1;) alert tcp $HOME_NET any -> [13.215.213.40] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270586; rev:1;) alert tcp $HOME_NET any -> [119.76.173.139] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270585; rev:1;) alert tcp $HOME_NET any -> [162.0.233.89] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270584/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.193.201.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270583; rev:1;) alert tcp $HOME_NET any -> [156.242.46.205] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270582/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270582; rev:1;) alert tcp $HOME_NET any -> [170.130.165.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270581/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270581; rev:1;) alert tcp $HOME_NET any -> [103.85.25.168] 3000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270580/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270580; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270579/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270579; rev:1;) alert tcp $HOME_NET any -> [156.242.40.206] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270578/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270578; rev:1;) alert tcp $HOME_NET any -> [103.74.102.181] 2981 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270577/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270577; rev:1;) alert tcp $HOME_NET any -> [91.92.245.225] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270576/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270576; rev:1;) alert tcp $HOME_NET any -> [94.96.101.221] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270575/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270575; rev:1;) alert tcp $HOME_NET any -> [201.215.238.207] 81 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270572/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270568; rev:1;) alert tcp $HOME_NET any -> [185.216.70.15] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270567; rev:1;) alert tcp $HOME_NET any -> 
[41.142.26.2] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270566; rev:1;) alert tcp $HOME_NET any -> [4.194.25.153] 5214 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hhme/"; depth:6; nocase; http.host; content:"www.premiumsystemshk.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"premiumsystemshk.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.premiumsystemshk.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270362/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bmeg.fel.cvut.cz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270366; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 11843 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blurrypixel.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"veniam-veritatis.site"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270355/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270355; rev:1;) alert tcp $HOME_NET any -> [5.181.156.36] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"firstaischool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270353; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270331/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270331; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270330/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.soryokan.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270290; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270332; rev:1;) alert tcp $HOME_NET any -> [38.92.47.116] 7771 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.zhaixudong.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.teramachi-ah.com"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/endpoint.php"; depth:17; nocase; http.host; content:"51.195.211.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270351; rev:1;) alert tcp $HOME_NET any -> [51.195.211.231] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de-engines.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"these-accommodation.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270349; rev:1;) alert tcp $HOME_NET any -> [45.88.91.227] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270347; rev:1;) alert tcp $HOME_NET any -> [8.217.113.1] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twinks234.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270345; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270343; rev:1;) alert tcp $HOME_NET any -> [147.135.165.29] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270344; rev:1;) alert tcp $HOME_NET any -> [136.175.8.56] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270342; rev:1;) alert tcp $HOME_NET any -> [84.38.134.107] 59543 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270341; rev:1;) alert tcp $HOME_NET any -> [51.89.158.68] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270340; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270338; rev:1;) alert tcp $HOME_NET any -> [45.88.186.241] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270339; rev:1;) alert tcp $HOME_NET any -> [141.11.250.181] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270335; rev:1;) alert tcp $HOME_NET any -> [94.156.8.229] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270333/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270333; rev:1;) alert tcp $HOME_NET any -> [94.232.245.250] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voip.analytics-edges.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270328; rev:1;) alert tcp $HOME_NET any -> [91.92.255.220] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"newsarena.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270326; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270323; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270324; rev:1;) alert tcp $HOME_NET any -> [91.92.255.190] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270325; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270320; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270321; rev:1;) alert tcp $HOME_NET any -> [91.92.255.108] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"103.40.161.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270319/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270319; rev:1;) alert tcp $HOME_NET any -> [45.145.228.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.145.228.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270317; rev:1;) alert tcp $HOME_NET any -> [83.143.112.27] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270316; rev:1;) alert tcp $HOME_NET any -> [95.164.4.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"95.164.4.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270314/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"45.145.228.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"45.86.162.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.84.155.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270311; rev:1;) alert tcp $HOME_NET any -> [139.84.155.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270310; rev:1;) alert tcp $HOME_NET any -> [45.76.172.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1270308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270308; rev:1;) alert tcp $HOME_NET any -> [45.76.172.9] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chinamobilie.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270307; rev:1;) alert tcp $HOME_NET any -> [43.156.16.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270306; rev:1;) alert tcp $HOME_NET any -> [47.236.160.26] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270305; rev:1;) alert tcp $HOME_NET any -> [8.217.35.112] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270304; rev:1;) alert tcp $HOME_NET any -> 
[124.220.148.109] 40040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270303/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270303; rev:1;) alert tcp $HOME_NET any -> [123.57.77.11] 61314 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270302; rev:1;) alert tcp $HOME_NET any -> [13.51.85.88] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270301; rev:1;) alert tcp $HOME_NET any -> [45.33.103.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270300; rev:1;) alert tcp $HOME_NET any -> [43.136.98.30] 9009 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270299; rev:1;) alert tcp $HOME_NET any -> [46.148.26.72] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270298/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270298; rev:1;) alert tcp $HOME_NET any -> [209.38.194.149] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270297; rev:1;) alert tcp $HOME_NET any -> [123.60.69.126] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270296; rev:1;) alert tcp $HOME_NET any -> [158.69.62.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270295; rev:1;) alert tcp $HOME_NET any -> [38.55.26.37] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270293; rev:1;) alert tcp $HOME_NET any -> [120.46.128.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270294; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8054 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgeupdate.office365update.cn"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270291; rev:1;) alert tcp $HOME_NET any -> [116.205.141.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270284; rev:1;) alert tcp $HOME_NET any -> [14.5.161.232] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270283/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/63b26ebf.php"; depth:13; nocase; http.host; content:"a0980477.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270282; rev:1;) alert tcp $HOME_NET any -> [121.41.101.166] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270281/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270281; rev:1;) alert tcp $HOME_NET any -> [180.214.239.242] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270280/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.41.1.47"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270279; rev:1;) alert tcp $HOME_NET any -> [121.41.1.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270278; rev:1;) alert tcp $HOME_NET any -> [121.40.127.134] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"121.40.21.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270276/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270276; rev:1;) alert tcp $HOME_NET any -> [121.40.21.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270275; rev:1;) alert tcp $HOME_NET any -> [112.124.65.163] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.121.26.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.121.26.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270272; rev:1;) alert tcp $HOME_NET any -> [47.121.26.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270270/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270270; rev:1;) alert tcp $HOME_NET any -> [47.121.26.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270271; rev:1;) alert tcp $HOME_NET any -> [47.115.216.170] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270269; rev:1;) alert tcp $HOME_NET any -> [47.109.100.127] 10500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270268; rev:1;) alert tcp $HOME_NET any -> [47.109.49.229] 8887 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.100.196.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270266; rev:1;) alert tcp 
$HOME_NET any -> [47.100.196.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270265; rev:1;) alert tcp $HOME_NET any -> [47.97.31.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270264; rev:1;) alert tcp $HOME_NET any -> [47.96.74.108] 8800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.94.249.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270262; rev:1;) alert tcp $HOME_NET any -> [47.94.249.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270260; rev:1;) alert tcp $HOME_NET any -> [47.94.249.38] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270261; rev:1;) alert tcp $HOME_NET any -> [39.101.76.249] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.101.76.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270258; rev:1;) alert tcp $HOME_NET any -> [39.101.76.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270257; rev:1;) alert tcp $HOME_NET any -> [39.98.110.45] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; 
content:"blog.saffronstays.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.205.224.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.80.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270251; rev:1;) alert tcp $HOME_NET any -> [175.178.80.49] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.167.247"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270249; rev:1;) alert tcp $HOME_NET any -> [124.220.167.247] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270248; rev:1;) alert tcp $HOME_NET any -> [118.25.185.173] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270247; rev:1;) alert tcp $HOME_NET any -> [114.132.61.178] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270246; rev:1;) alert tcp $HOME_NET any -> [101.43.7.115] 33078 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.34.84.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270244; rev:1;) alert tcp $HOME_NET any -> [101.34.84.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/x"; depth:9; nocase; http.host; content:"images-aliyun-oss.oss-cn-beijing.aliyuncs.com"; depth:45; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270242; rev:1;) alert tcp $HOME_NET any -> [82.156.151.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270241; rev:1;) alert tcp $HOME_NET any -> [43.143.193.228] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.240.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270239; rev:1;) alert tcp $HOME_NET any -> [43.138.240.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yuanruicn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270237; rev:1;) alert tcp $HOME_NET any -> [43.136.59.232] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270236; rev:1;) alert tcp $HOME_NET any -> [1.12.248.183] 27000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.124.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.63"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270233; rev:1;) alert tcp $HOME_NET any -> [95.217.28.63] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270231; rev:1;) alert tcp $HOME_NET any -> [88.99.124.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.rainbow1122.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270230; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 3615 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1270228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.flash-update.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270224; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"120.78.139.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"175.178.50.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270214/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"58.218.215.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"42.248.140.76"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"180.213.251.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270210; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"140.249.61.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270209/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"124.236.110.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"111.170.24.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wps/solution/index"; depth:19; nocase; http.host; content:"106.42.215.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.pet-portraitartist.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frck.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frdk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frfk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1270205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frcf.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/up/"; depth:4; nocase; http.host; content:"frcf.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; nocase; http.host; content:"frdk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"frck.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/"; depth:4; nocase; http.host; content:"frck.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199655148275"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270197/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620321083"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199609760273"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199619783336"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199620585818"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; 
sid:91270193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie2/five/fre.php"; depth:19; nocase; http.host; content:"spencerstuartllc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270191/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"arabadakal.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270052/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"amcakalarada.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yakanbirkarda.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yakanbirkardanma.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karamakarnakalem.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"karayanlardanmak.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"marabakalem.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; 
http.host; content:"sekenmakaslar.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.itoyakuten.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.jens-bolz.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270064; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 18014 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_13; classtype:trojan-activity; sid:91270066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/03/20/pros-and-cons-of-multilateral-trade-agreements"; depth:68; nocase; http.host; content:"awadhshreehospital.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; 
classtype:trojan-activity; sid:91270068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.jonheese.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270104; rev:1;) alert tcp $HOME_NET any -> [193.233.132.40] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.lizzygraykitchens.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.lizzygraykitchens.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; 
nocase; http.host; content:"88.198.193.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"50.75.213.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.96.89"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.23.196"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.166.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; 
classtype:trojan-activity; sid:91270186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"77.221.151.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.137"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.183.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.49.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199675758951"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270179; rev:1;) alert tcp $HOME_NET any -> [168.119.166.86] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270174; rev:1;) alert tcp $HOME_NET any -> [78.47.23.196] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270175; rev:1;) alert tcp $HOME_NET any -> [5.42.96.89] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270176; rev:1;) alert tcp $HOME_NET any -> [50.75.213.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270177; rev:1;) alert tcp $HOME_NET any -> [88.198.193.148] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270178; rev:1;) alert tcp $HOME_NET any -> [49.13.49.198] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270171; rev:1;) alert tcp $HOME_NET any -> [65.21.183.11] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270172; rev:1;) alert tcp $HOME_NET any -> [77.221.151.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_13; classtype:trojan-activity; sid:91270173; 
rev:1;) alert tcp $HOME_NET any -> [149.154.67.148] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270170; rev:1;) alert tcp $HOME_NET any -> [41.99.220.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270169; rev:1;) alert tcp $HOME_NET any -> [82.8.144.54] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270168; rev:1;) alert tcp $HOME_NET any -> [46.246.181.110] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270167; rev:1;) alert tcp $HOME_NET any -> [41.251.193.48] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270166; rev:1;) alert tcp $HOME_NET any -> [104.248.223.131] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270165/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270165; rev:1;) alert tcp $HOME_NET any -> [104.223.76.201] 44102 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270164; rev:1;) alert tcp $HOME_NET any -> [183.214.129.174] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270163; rev:1;) alert tcp $HOME_NET any -> [54.95.170.58] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_13; classtype:trojan-activity; sid:91270162; rev:1;) alert tcp $HOME_NET any -> [185.216.117.157] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270161; rev:1;) alert tcp $HOME_NET any -> [80.66.75.43] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270160; rev:1;) alert tcp $HOME_NET any -> [150.158.121.15] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270159; rev:1;) alert tcp $HOME_NET any -> [205.185.121.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270158; rev:1;) alert tcp $HOME_NET any -> [18.188.31.230] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270157/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270157; rev:1;) alert tcp $HOME_NET any -> [203.205.6.67] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270156/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270156; rev:1;) alert tcp $HOME_NET any -> [170.130.165.69] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270155/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270155; rev:1;) alert tcp $HOME_NET any -> [198.23.135.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270154/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270154; 
rev:1;) alert tcp $HOME_NET any -> [20.52.146.50] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270153/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270153; rev:1;) alert tcp $HOME_NET any -> [120.77.251.72] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270147/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_13; classtype:trojan-activity; sid:91270147; rev:1;) alert tcp $HOME_NET any -> [114.115.206.47] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270146/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270146; rev:1;) alert tcp $HOME_NET any -> [124.223.9.21] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270145/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270145; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270144/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270144; rev:1;) alert tcp $HOME_NET any -> [94.20.88.63] 63192 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270143; rev:1;) alert tcp $HOME_NET any -> [47.98.251.131] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270142; rev:1;) alert tcp $HOME_NET any -> [47.116.170.61] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270141; rev:1;) alert tcp $HOME_NET any -> [137.220.197.172] 33666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270140; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 50053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270139; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 50150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270138; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 2096 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270137; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270136/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270136; rev:1;) alert tcp $HOME_NET any -> [109.196.166.188] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270135/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270135; rev:1;) alert tcp $HOME_NET any -> [43.136.96.90] 65432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270134/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270134; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270133/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270133; rev:1;) alert tcp $HOME_NET any -> [137.220.197.188] 33666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270132/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270132; rev:1;) alert tcp $HOME_NET any -> [146.190.38.217] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270131; rev:1;) alert tcp $HOME_NET any -> [143.198.3.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270130; rev:1;) alert tcp $HOME_NET any -> [34.29.187.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270129; rev:1;) alert tcp $HOME_NET any -> [135.125.255.44] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270128; rev:1;) alert tcp $HOME_NET any -> [45.144.3.98] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270127; rev:1;) alert tcp $HOME_NET any -> [77.51.217.181] 25565 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270126; rev:1;) alert tcp $HOME_NET any -> [5.53.20.184] 3333 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270125; rev:1;) alert tcp $HOME_NET any -> [50.114.32.219] 4443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270124; rev:1;) alert tcp $HOME_NET any -> [35.226.17.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270123; rev:1;) alert tcp $HOME_NET any -> [103.17.119.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270122; rev:1;) alert tcp $HOME_NET any -> [162.14.105.213] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270121; rev:1;) alert tcp $HOME_NET any -> [162.14.122.93] 
8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270120; rev:1;) alert tcp $HOME_NET any -> [39.101.189.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270119; rev:1;) alert tcp $HOME_NET any -> [47.236.7.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270118; rev:1;) alert tcp $HOME_NET any -> [172.105.121.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270117; rev:1;) alert tcp $HOME_NET any -> [5.42.96.191] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270116; rev:1;) alert tcp $HOME_NET any -> [217.12.208.114] 8088 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270115/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_05_12; classtype:trojan-activity; sid:91270115; rev:1;) alert tcp $HOME_NET any -> [5.42.96.91] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270114; rev:1;) alert tcp $HOME_NET any -> [46.17.44.143] 1194 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270113; rev:1;) alert tcp $HOME_NET any -> [197.119.237.124] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270112; rev:1;) alert tcp $HOME_NET any -> [38.145.202.143] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270111; rev:1;) alert tcp $HOME_NET any -> [38.145.202.143] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270110; rev:1;) alert tcp $HOME_NET any -> [77.99.80.4] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1270109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270109; rev:1;) alert tcp $HOME_NET any -> [2.56.245.124] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270108; rev:1;) alert tcp $HOME_NET any -> [5.42.96.142] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270107; rev:1;) alert tcp $HOME_NET any -> [77.221.151.82] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270106; rev:1;) alert tcp $HOME_NET any -> [91.92.242.162] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270105; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270102; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 8000 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270101; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 5001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270100; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270099; rev:1;) alert tcp $HOME_NET any -> [171.250.191.217] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270098; rev:1;) alert tcp $HOME_NET any -> [58.186.236.71] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270097; rev:1;) alert tcp $HOME_NET any -> [45.94.170.223] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270096/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_05_12; classtype:trojan-activity; sid:91270096; rev:1;) alert tcp $HOME_NET any -> [45.94.170.223] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270095; rev:1;) alert tcp $HOME_NET any -> [1.53.31.3] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270094; rev:1;) alert tcp $HOME_NET any -> [193.187.175.70] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270093; rev:1;) alert tcp $HOME_NET any -> [91.219.62.14] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270092; rev:1;) alert tcp $HOME_NET any -> [1.53.107.135] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270091; rev:1;) alert tcp $HOME_NET any -> [120.156.150.101] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1270090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270090; rev:1;) alert tcp $HOME_NET any -> [3.141.40.232] 8443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270089; rev:1;) alert tcp $HOME_NET any -> [1.180.161.186] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270088; rev:1;) alert tcp $HOME_NET any -> [77.73.39.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270087; rev:1;) alert tcp $HOME_NET any -> [150.95.112.19] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270086; rev:1;) alert tcp $HOME_NET any -> [94.156.67.118] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270085; rev:1;) alert tcp $HOME_NET any -> [103.14.226.21] 80 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270084; rev:1;) alert tcp $HOME_NET any -> [178.215.236.112] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270083; rev:1;) alert tcp $HOME_NET any -> [178.215.236.182] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270082; rev:1;) alert tcp $HOME_NET any -> [59.174.210.205] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270081; rev:1;) alert tcp $HOME_NET any -> [106.75.218.92] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91270080; rev:1;) alert tcp $HOME_NET any -> [5.34.182.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"5.34.182.45"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270078; rev:1;) alert tcp $HOME_NET any -> [122.10.35.49] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270077; rev:1;) alert tcp $HOME_NET any -> [210.114.11.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"210.114.11.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270075; rev:1;) alert tcp $HOME_NET any -> [34.141.169.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"34.141.169.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270073; rev:1;) alert tcp $HOME_NET any -> [122.10.105.49] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270072; rev:1;) alert tcp $HOME_NET any -> [5.34.182.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/add/contact-us/u0tej4uo"; depth:24; nocase; http.host; content:"5.34.182.45"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270070; rev:1;) alert tcp $HOME_NET any -> [92.44.20.216] 9733 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270069; 
rev:1;) alert tcp $HOME_NET any -> [85.114.96.11] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91270067; rev:1;) alert tcp $HOME_NET any -> [85.114.96.11] 37552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpressbetter/voiddb/bigloadlinux/dletrafficphp/protectwordpress/uploads2/image/39/mariadbapitraffic/process/5/trafficuniversalwordpress.php"; depth:143; nocase; http.host; content:"62.109.7.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1270062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91270062; rev:1;) alert tcp $HOME_NET any -> [95.164.63.81] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270051; rev:1;) alert tcp $HOME_NET any -> [23.254.128.104] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91270050; rev:1;) alert tcp $HOME_NET any -> [116.205.224.194] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270049; rev:1;) alert tcp $HOME_NET any -> [39.107.57.153] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270048; rev:1;) alert tcp $HOME_NET any -> [118.161.6.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270047; rev:1;) alert tcp $HOME_NET any -> [197.86.195.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270046; rev:1;) alert tcp $HOME_NET any -> [91.210.107.202] 30252 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270045; rev:1;) alert tcp $HOME_NET any -> [107.172.159.50] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1270044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270044; rev:1;) alert tcp $HOME_NET any -> [3.115.31.102] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270043; rev:1;) alert tcp $HOME_NET any -> [45.138.74.48] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270042; rev:1;) alert tcp $HOME_NET any -> [45.138.74.48] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1270041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91270041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanhackerr.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozandelimisin.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1269861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanaseviyor.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozansinyalcimisinla.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/n2mymzexngvhyjnj/"; depth:18; nocase; http.host; content:"kozanhacibaba.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"jin-tonik-boom.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91269865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"double-bubble-gum.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"bed-car-top-car.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"free-tree-loop.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"big-tree-ilusion.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmfkztc4ywm3ztk2/"; depth:18; nocase; http.host; content:"pica-chupachups-ok.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; 
content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3123.apk"; depth:9; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269878/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_12; classtype:trojan-activity; sid:91269878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yy.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oo.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iu.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1.apk"; depth:7; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1269889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.icondesignlab.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.icondesignlab.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.hongo-makoto.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269790; rev:1;) alert tcp $HOME_NET any -> [80.249.144.188] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brewinstaller"; depth:14; nocase; http.host; content:"5.255.107.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/brewinstaller"; depth:14; nocase; http.host; content:"homebrew.cx"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269850; rev:1;) alert tcp $HOME_NET any -> [107.175.150.73] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269848/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269848; rev:1;) alert tcp $HOME_NET any -> [5.255.107.149] 443 (msg:"ThreatFox AMOS payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homebrew.cx"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269853; rev:1;) alert tcp $HOME_NET any -> [139.180.155.73] 5000 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b.apk"; depth:6; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3123.apk"; depth:9; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apkide_japanpost1.apk"; depth:22; nocase; http.host; content:"202.79.165.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269892; rev:1;) alert tcp $HOME_NET any -> [202.79.165.160] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; 
sid:91269893; rev:1;) alert tcp $HOME_NET any -> [202.79.165.162] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269894; rev:1;) alert tcp $HOME_NET any -> [202.79.165.170] 9080 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269895; rev:1;) alert tcp $HOME_NET any -> [103.206.109.165] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269902; rev:1;) alert tcp $HOME_NET any -> [45.74.0.252] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269901; rev:1;) alert tcp $HOME_NET any -> [95.169.211.7] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269900; rev:1;) alert tcp $HOME_NET any -> [172.111.139.13] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1269899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269899; rev:1;) alert tcp $HOME_NET any -> [194.59.31.115] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269898; rev:1;) alert tcp $HOME_NET any -> [45.95.169.177] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269897; rev:1;) alert tcp $HOME_NET any -> [35.87.2.201] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"81.17.22.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"smbeckwithlaw.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1269859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.zip"; depth:6; nocase; http.host; content:"smbeckwithlaw.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kindupdates.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269857; rev:1;) alert tcp $HOME_NET any -> [54.180.28.87] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagepipelowauthgameflowertestprivate.php"; depth:42; nocase; http.host; content:"815622cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269847; rev:1;) alert tcp $HOME_NET any -> [194.36.178.33] 47454 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269846; rev:1;) alert tcp $HOME_NET any -> [185.196.11.252] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269845; rev:1;) alert tcp $HOME_NET any -> [185.104.195.215] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269844; rev:1;) alert tcp $HOME_NET any -> [5.252.53.186] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269843; rev:1;) alert tcp $HOME_NET any -> [185.104.195.215] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269842; rev:1;) alert tcp $HOME_NET any -> [91.92.251.57] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269841; rev:1;) alert tcp $HOME_NET any -> [38.54.56.43] 8443 
(msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269840; rev:1;) alert tcp $HOME_NET any -> [95.164.16.146] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269839; rev:1;) alert tcp $HOME_NET any -> [102.47.144.227] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"148.135.46.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269837; rev:1;) alert tcp $HOME_NET any -> [39.105.60.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fwlink"; depth:7; nocase; http.host; content:"39.105.60.105"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.192.131.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269833; rev:1;) alert tcp $HOME_NET any -> [42.192.131.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269831; rev:1;) alert tcp $HOME_NET any -> [139.9.149.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.163.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269829; rev:1;) alert tcp $HOME_NET any -> [8.134.163.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"95.164.4.185"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269826; rev:1;) alert tcp $HOME_NET any -> [95.164.4.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269827; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.38.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"148.135.46.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"114.55.112.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/match"; depth:6; nocase; http.host; content:"164.92.249.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.130.134.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269820; rev:1;) alert tcp $HOME_NET any -> [139.9.149.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.2.1.min.js"; depth:20; nocase; http.host; content:"139.9.149.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.mitigize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"js.mitigize.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"5.34.182.216"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"142.171.200.25"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269814; rev:1;) alert tcp $HOME_NET any -> [43.143.193.228] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.chiante1ecom.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269812/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_12; classtype:trojan-activity; sid:91269812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.chiante1ecom.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269811; rev:1;) alert tcp $HOME_NET any -> [164.92.249.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"164.92.249.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269809; rev:1;) alert tcp $HOME_NET any -> [54.180.28.87] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269791; rev:1;) alert tcp $HOME_NET any -> [193.143.1.180] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269788/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_12; classtype:trojan-activity; sid:91269788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prideconstituiiosjk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smallelementyjdui.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appetitesallooonsj.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minorittyeffeoos.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tendencyportionjsuk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269773; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"headraisepresidensu.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sloganprogrevidefkso.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sofaprivateawarderysj.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lineagelasserytailsd.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"smallelementyjdui.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269769; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"appetitesallooonsj.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"minorittyeffeoos.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"prideconstituiiosjk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tendencyportionjsuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"headraisepresidensu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sloganprogrevidefkso.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofaprivateawarderysj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lineagelasserytailsd.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.gn8.at"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269759/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.gn8.at"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zamo7h/index.php"; depth:17; nocase; http.host; content:"5.42.96.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zamo7h/login.php"; depth:17; nocase; http.host; content:"5.42.96.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269780; rev:1;) alert tcp $HOME_NET any -> [5.42.96.7] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trad-einmyus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradein-myus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269786; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trade-inmyus.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tambanunakere.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269514/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tabukareler.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269513/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"fesatokero.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; 
content:"lemanobelki.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269516/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"tutankamunhaci.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269517/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"karakapkaraklpak.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269518/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"buzbuzdagdaglari.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269519/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bilebilegndere.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269520/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"saybyebyetohepiniz.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269521/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"ruhumdnzincirr.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269522/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kefalmefaltefal.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"gecelerisvdmpkiyasen.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269524; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"yoktuhcfener.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269526/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kranliktaaradm.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"astralanahatarim.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"dlounayyanimda.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269527/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"izlemebskasiyla.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"anilardvrimi.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"leardolordoloro.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"hadikapanikapatsana.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_12; classtype:trojan-activity; sid:91269532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.festivalfilmeduc.net"; 
depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/"; depth:8; nocase; http.host; content:"39.100.85.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator"; depth:28; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"y9f6z0q1w2.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"y9f6z0q1w2.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; 
classtype:trojan-activity; sid:91269543; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 10345 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"study-window.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_12; classtype:trojan-activity; sid:91269710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator"; depth:28; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/10/01/are-ping-eye-irons-legal"; depth:36; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269742; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 2551 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269745/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/23/what-is-an-enterprise-agreements/"; depth:45; nocase; http.host; content:"www.burleys.ca"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/11/lease-agreement-between-husband-and-wife"; depth:52; nocase; http.host; content:"casadevida.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269757; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269753; rev:1;) alert tcp $HOME_NET any -> [185.117.72.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269751; rev:1;) alert tcp $HOME_NET any -> [149.154.158.222] 3933 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269750; rev:1;) alert tcp $HOME_NET any -> [104.200.72.177] 57067 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269749; rev:1;) alert tcp $HOME_NET any -> [173.216.245.82] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269748; rev:1;) alert tcp $HOME_NET any -> [35.177.104.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_12; classtype:trojan-activity; sid:91269747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"53473cm.easyswap.space"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269744/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_12; classtype:trojan-activity; sid:91269744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0951334.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_12; classtype:trojan-activity; sid:91269743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.44.24.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269738; rev:1;) alert tcp $HOME_NET any -> [54.82.65.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269737; rev:1;) alert tcp $HOME_NET any -> [34.92.137.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1269736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"34.92.137.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269735; rev:1;) alert tcp $HOME_NET any -> [43.156.13.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"43.156.13.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269732; rev:1;) alert tcp $HOME_NET any -> [154.204.180.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.204.180.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269730; rev:1;) alert tcp $HOME_NET any -> [51.89.72.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.htm"; depth:10; nocase; http.host; content:"51.89.72.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269728; rev:1;) alert tcp $HOME_NET any -> [113.31.105.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-1bsjckga-1252578700.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-1bsjckga-1252578700.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269726; rev:1;) alert tcp $HOME_NET any -> [185.196.8.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"action-winds.cfd"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microstar.cfd"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data"; depth:5; nocase; http.host; content:"action-winds.cfd"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task"; depth:5; nocase; http.host; content:"microstar.cfd"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1"; depth:3; nocase; http.host; content:"1c-marketing.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1c-marketing.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"122.10.105.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269717/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269717; rev:1;) alert tcp $HOME_NET any -> [43.143.193.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.143.193.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269715; rev:1;) alert tcp $HOME_NET any -> [111.229.209.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/owa/"; depth:15; nocase; http.host; content:"111.229.209.159"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269713; rev:1;) alert tcp $HOME_NET any -> [91.92.250.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269712/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269712; rev:1;) alert tcp $HOME_NET any -> [95.217.242.180] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.222.36.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; 
depth:8; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.14.204.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269534/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"1.117.93.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269511; rev:1;) alert tcp $HOME_NET any -> [103.21.88.13] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269510; rev:1;) alert tcp $HOME_NET any -> [103.21.88.14] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1269509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269508; rev:1;) alert tcp $HOME_NET any -> [91.92.250.224] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269506; rev:1;) alert tcp $HOME_NET any -> [8.130.135.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269505; rev:1;) alert tcp $HOME_NET any -> [120.55.100.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1269504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269502; rev:1;) alert tcp $HOME_NET any -> [43.159.230.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269501; rev:1;) alert tcp $HOME_NET any -> [118.25.101.81] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; 
http.host; content:"124.223.220.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269500; rev:1;) alert tcp $HOME_NET any -> [107.167.18.2] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269498; rev:1;) alert tcp $HOME_NET any -> [107.167.18.4] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269497; rev:1;) alert tcp $HOME_NET any -> [107.167.18.3] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269495; rev:1;) alert tcp $HOME_NET any -> [107.167.18.6] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269494/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"104.236.69.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269493; rev:1;) alert tcp $HOME_NET any -> [85.104.36.117] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.135.211.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269490; rev:1;) alert tcp $HOME_NET any -> [13.231.126.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1269489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269489; rev:1;) alert tcp $HOME_NET any -> [178.128.170.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269488; rev:1;) alert tcp $HOME_NET any -> [172.81.61.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269487; rev:1;) alert tcp $HOME_NET any -> [43.155.16.246] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269486; rev:1;) alert tcp $HOME_NET any -> [172.172.150.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; 
classtype:trojan-activity; sid:91269483; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20023 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269484; rev:1;) alert tcp $HOME_NET any -> [149.154.158.222] 36884 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269481; rev:1;) alert tcp $HOME_NET any -> [5.189.152.51] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; 
sid:91269479; rev:1;) alert tcp $HOME_NET any -> [52.83.56.72] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"104.236.69.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269476; rev:1;) alert tcp $HOME_NET any -> [125.73.208.47] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269474/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"wraimey.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wraimey.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1v4b6pbk0kwvw.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1v4b6pbk0kwvw.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2ewlfde9nvzf.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2ewlfde9nvzf.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"118.25.85.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"188.116.22.177"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"139.9.62.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269464; rev:1;) alert tcp $HOME_NET any -> [23.227.203.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/mcvq-9f5hgl92ma7ouczvcz"; depth:41; nocase; http.host; content:"23.227.203.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"139.9.62.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269461; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269460; rev:1;) alert tcp $HOME_NET any -> [105.155.173.158] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cq77272.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanhackerr.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocandelimisin.com"; 
depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocansinyalcimisinla.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanaseviyor.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti3ntjmywy0mwe2/"; depth:18; nocase; http.host; content:"ferocanagahacibaba.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"bananamanana.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269449/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"spedarito.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"spritecocola.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"melonna.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"meibuzjasta.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"makcolanivaesto.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269454; rev:1;) alert tcp $HOME_NET any -> [45.76.153.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.enghauser.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"nt-stealers.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealers.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269443/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_11; classtype:trojan-activity; sid:91269443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ote5mzgxywzinjk1/"; depth:18; nocase; http.host; content:"birimammonedm.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/understanding-ohio-forced-medication-laws-what-you-need-to-know"; depth:67; nocase; http.host; content:"smallders.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269413; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview"; depth:84; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/28/how-to-write-money-agreement"; depth:40; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blog.demuthphoto.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"countnatbt.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"mix3etbt.website"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"btcountates.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"3countbt.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; 
depth:18; nocase; http.host; content:"vat-app.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrhzjaxngm1yjfh/"; depth:18; nocase; http.host; content:"alleggro.pw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_11; classtype:trojan-activity; sid:91269407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/orange-coast-title-company-license-number-legal-title-services"; depth:63; nocase; http.host; content:"lumiere.grupotyc.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"krampus-executor.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sendgrid/krampus/files/15199097/krampus.zip"; depth:44; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269429/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269429; rev:1;) alert tcp $HOME_NET any -> [80.66.81.134] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:45; nocase; http.host; content:"80.66.81.134"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269430; rev:1;) alert tcp $HOME_NET any -> [146.70.158.83] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269433; rev:1;) alert tcp $HOME_NET any -> [54.80.154.23] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"higomanga.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; 
classtype:trojan-activity; sid:91269438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0946931.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269436; rev:1;) alert tcp $HOME_NET any -> [176.123.161.158] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalprotectdefault.php"; depth:26; nocase; http.host; content:"044913cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e7ea97c6.php"; depth:13; nocase; http.host; content:"a0941925.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.19.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.137.116.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a448b41e.php"; depth:13; nocase; http.host; content:"a0929453.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linejavascriptsqltraffic.php"; depth:29; nocase; http.host; content:"470927cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269401; rev:1;) alert tcp $HOME_NET any -> [79.110.49.244] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269400/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_11; classtype:trojan-activity; sid:91269400; rev:1;) alert tcp $HOME_NET any -> [45.155.250.229] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269399; rev:1;) alert tcp $HOME_NET any -> [115.231.218.42] 10299 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269398; rev:1;) alert tcp $HOME_NET any -> [123.99.198.130] 10299 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269397; rev:1;) alert tcp $HOME_NET any -> [103.186.117.142] 1144 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/azure"; depth:10; nocase; http.host; content:"boriz400.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content.php"; depth:12; nocase; http.host; content:"anikvan.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269394; rev:1;) alert tcp $HOME_NET any -> [95.164.68.73] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269392; rev:1;) alert tcp $HOME_NET any -> [91.194.11.183] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anikvan.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boriz400.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"illoskanawer.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269391; rev:1;)
# NOTE(review): section-wide caveats for the auto-generated ThreatFox rules below.
# - dns rules: depth:<len> plus isdataat:!1,relative pins the content to the whole query
#   name, so they fire only on the exact FQDN; a lookup for a subdomain (www.<domain>) does not match.
# - http rules: they see plaintext HTTP GET requests only (http.method "GET", $HOME_NET -> $EXTERNAL_NET).
#   The http.uri content is a prefix match (depth only, no end anchor), so query strings and longer
#   paths still match; the http.host content is the exact-match anchor. The same IOC reached over TLS
#   or via POST is not covered by these, only by an ip:port tcp rule where one exists.
# - tcp ip:port rules: no flow: constraint, so any packet towards that ip:port (a lone SYN included)
#   alerts once per source per 60 s (threshold type limit, track by_src). The feed labels many of them
#   confidence_level 50; treat those as leads to corroborate, not as block-list input.
# - first_seen for this section is 2024_05_10/11; ip:port infrastructure turns over quickly, so
#   confirm a hit against the referenced threatfox.abuse.ch/ioc/ record before acting on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat"; depth:62; nocase; http.host; content:"mindelscott.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269356; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blixtgordon.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269358; rev:1;)
# NOTE(review): sid:91269359 below is identical to sid:91269358 above (same URI and host, two IOC ids);
# one matching request raises both alerts. Keep one of them, or suppress the duplicate.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"blixtgordon.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269359; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blazinghotter.igg.biz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269361; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft-enterprise-purchase-agreement"; depth:40; nocase; http.host; content:"studiolegalefalco-masi.it"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269372; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guarantor-for-rental-agreement-ontario"; depth:39; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269373; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 14858 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_11; classtype:trojan-activity; sid:91269374; rev:1;)
alert tcp $HOME_NET any -> [46.183.222.118] 5057 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269378; rev:1;)
alert tcp $HOME_NET any -> [167.88.174.49] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269379; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/06/what-color-rock-lights-are-legal-in-florida"; depth:55; nocase; http.host; content:"langtonhowarth.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269380; rev:1;)
alert tcp $HOME_NET any -> [185.173.36.71] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269388; rev:1;)
alert tcp $HOME_NET any -> [106.52.18.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269387; rev:1;)
alert tcp $HOME_NET any -> [119.45.38.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269386; rev:1;)
alert tcp $HOME_NET any -> [1.161.85.40] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269385; rev:1;)
alert tcp $HOME_NET any -> [103.70.232.240] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269384; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.177] 6513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269383; rev:1;)
alert tcp $HOME_NET any -> [185.17.40.153] 81 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_11; classtype:trojan-activity; sid:91269381; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/images/favicon.ico"; depth:19; nocase; http.host; content:"images-oss-1318291330.cos.ap-beijing.myqcloud.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269376; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"images-oss-1318291330.cos.ap-beijing.myqcloud.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269377; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_11; classtype:trojan-activity; sid:91269375; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"qaliharsit.tech"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269371; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"illoskanawer.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269370; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"workspacin.cloud"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269369; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/msi.msi"; depth:8; nocase; http.host; content:"91.194.11.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269368; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269367; rev:1;)
alert tcp $HOME_NET any -> [107.174.241.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269366; rev:1;)
# NOTE(review): sid:91269365 below pins the Host header to 172.16.117.131, which is RFC 1918 space.
# With the default $EXTERNAL_NET (!$HOME_NET) a request to that address is not in scope, so the rule
# cannot fire; where it could, the IOC most likely came from a lab/sandbox capture rather than
# Internet-facing C2 — verify against the IOC record and consider disabling it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.16.117.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269365; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"193.134.211.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269363; rev:1;)
alert tcp $HOME_NET any -> [193.134.211.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269364; rev:1;)
alert tcp $HOME_NET any -> [118.89.90.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269362; rev:1;)
alert tcp $HOME_NET any -> [185.73.125.7] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269357; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.65"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269339; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269341; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.77"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269340; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.54"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269337; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269338; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.96.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269336; rev:1;)
alert tcp $HOME_NET any -> [5.42.96.77] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269331; rev:1;)
alert tcp $HOME_NET any -> [77.221.151.92] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269332; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.83] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269333; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.68.83"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269342; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"107.178.105.96"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269343; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269345; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269346; rev:1;)
alert tcp $HOME_NET any -> [103.153.69.150] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269355; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acceptabledcooeprs.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"obsceneclassyjuwks.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269016; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"zippyfinickysofwps.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269017; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"miniaturefinerninewjs.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sweetsquarediaslw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plaintediousidowsko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"holicisticscrarws.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"boredimperissvieos.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whispedwoodmoodsksl.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269023; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acceptabledcooeprs.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269024; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obsceneclassyjuwks.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269025; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zippyfinickysofwps.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269026; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miniaturefinerninewjs.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269027; rev:1;)
alert tcp $HOME_NET any -> [37.1.36.185] 1912 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269039; rev:1;)
alert tcp $HOME_NET any -> [194.59.31.219] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269040; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"bliss.pro"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269041; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plaintediousidowsko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269028; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetsquarediaslw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"holicisticscrarws.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269030; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boredimperissvieos.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mazefearcontainujsy.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269032; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stiffraspyofkwsl.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"plasterdaughejsijuk.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269034; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazefearcontainujsy.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269035; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"directorryversionyju.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269036; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stiffraspyofkwsl.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269037; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plasterdaughejsijuk.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269038; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"whispedwoodmoodsksl.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269014; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.137] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269012; rev:1;)
alert tcp $HOME_NET any -> [5.75.208.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269013; rev:1;)
# NOTE(review): sid:91269009 and sid:91269010 below look at http.uri for an IP literal with depth equal to
# the literal's length, i.e. the URI itself would have to begin with "65.109.242.112" / "5.75.208.137",
# and there is no http.host constraint. For an origin-form request the normalized URI begins with "/",
# so as written these are unlikely ever to match. The IOC was probably a bare http://<ip>/ URL that the
# generator put into the URI buffer; if a host match is intended, use http.host instead. The same two
# IPs are already covered on tcp/443 by sid:91269011 and sid:91269013 — confirm against the IOC records.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.109.242.112"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1269009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.208.137"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1269010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269010; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.112] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269011; rev:1;)
alert tcp $HOME_NET any -> [89.37.143.245] 56016 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269005; rev:1;)
# NOTE(review): steamcommunity.com and t.me are served over TLS, so the plaintext http rules below
# (sid:91269007, sid:91269008) only see the request where TLS is terminated in front of the sensor.
# A tls.sni match on either host would be far too noisy to alert on; treat these two as hunting IOCs
# for proxy / TLS-termination logs rather than as alerting rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199681720597"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/talmatin"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269008; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.folder.ro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91269004; rev:1;)
alert tcp $HOME_NET any -> [180.76.54.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269354; rev:1;)
alert tcp $HOME_NET any -> [175.27.189.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269353; rev:1;)
alert tcp $HOME_NET any -> [107.167.18.5] 7979 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269352; rev:1;)
alert tcp $HOME_NET any -> [142.247.182.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269351; rev:1;)
alert tcp $HOME_NET any -> [41.99.54.227] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269350; rev:1;)
alert tcp $HOME_NET any -> [164.90.213.105] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269348; rev:1;)
alert tcp $HOME_NET any -> [164.90.213.105] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269349; rev:1;)
alert tcp $HOME_NET any -> [74.48.115.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269347; rev:1;)
alert tcp $HOME_NET any -> [43.138.25.26] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269344; rev:1;)
alert tcp $HOME_NET any -> [107.172.57.113] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269335; rev:1;)
alert tcp $HOME_NET any -> [34.221.207.33] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269334; rev:1;)
alert tcp $HOME_NET any -> [23.94.120.119] 5443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269330; rev:1;)
alert tcp $HOME_NET any -> [54.253.108.48] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269329; rev:1;)
alert tcp $HOME_NET any -> [13.55.72.22] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269328; rev:1;)
alert tcp $HOME_NET any -> [13.79.48.220] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269327; rev:1;)
alert tcp $HOME_NET any -> [45.14.66.194] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269326; rev:1;)
alert tcp $HOME_NET any -> [18.170.123.22] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.55.239.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1269324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91269324; rev:1;) alert tcp $HOME_NET any -> [193.168.143.196] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269006/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_10; classtype:trojan-activity; sid:91269006; rev:1;) alert tcp $HOME_NET any -> [34.29.71.138] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1269001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lapphuongshoe.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2022/12/05/what-age-can-you-legally-leave-a-child-home-alone-in-california"; depth:75; nocase; http.host; content:"langtonhowarth.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/annual-agreement-for-permanent-seasonal-employment"; depth:51; nocase; http.host; content:"radium-audio.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-dog-barking-laws-in-nsw-what-you-need-to-know"; depth:60; nocase; http.host; content:"darululoom.com.au"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"edulinkr.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1269000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91269000; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268998/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"114.115.205.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268995; rev:1;) alert tcp $HOME_NET any -> [114.115.205.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268996; rev:1;) alert tcp $HOME_NET any -> [43.139.107.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1268993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-ac5ca85o-1314199502.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268992; rev:1;) alert tcp $HOME_NET any -> [40.76.51.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"40.76.51.14"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268990; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api/x"; depth:6; nocase; http.host; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268988; rev:1;) alert tcp $HOME_NET any -> [8.210.81.151] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/corporationlimited"; depth:26; nocase; http.host; content:"wpscheckmembers.vip"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpscheckmembers.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"140.246.157.86"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268984; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.222.36.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268983; rev:1;) alert tcp $HOME_NET any -> [111.230.98.22] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268982; rev:1;) alert tcp $HOME_NET any -> [116.198.34.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-3vkzoky0-1312172028.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268979/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_10; classtype:trojan-activity; sid:91268979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.139.107.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adjt8svp3dlardjlt.exe"; depth:22; nocase; http.host; content:"goupbuy.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"goupbuy.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/08/11/a-voidable-contract-is-quizlet"; depth:42; nocase; http.host; content:"ikwilvanmijnpoloaf.nl"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268948; rev:1;) alert tcp $HOME_NET any -> [107.173.4.21] 2888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madamwebb.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268960; rev:1;) alert tcp $HOME_NET any -> [31.220.2.120] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268958/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268958; rev:1;) alert tcp $HOME_NET any -> [156.238.224.215] 6642 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268961; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 13081 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kammies.co.za"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; 
classtype:trojan-activity; sid:91268964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kom/dhl1.php"; depth:13; nocase; http.host; content:"dhgnegociosinmobiliarios.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhgnegociosinmobiliarios.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/13/writing-dollar-amounts-in-legal-documents"; depth:53; nocase; http.host; content:"mindelscott.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268972; rev:1;) alert tcp $HOME_NET any -> [54.254.164.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server/api-v1/"; depth:15; nocase; 
http.host; content:"cdn-carbonat.kimcuonghoanmy.shop"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-carbonat.kimcuonghoanmy.shop"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"18.232.156.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268966; rev:1;) alert tcp $HOME_NET any -> [185.189.112.19] 30311 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268965/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268965; rev:1;) alert tcp $HOME_NET any -> [42.192.37.72] 50055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"139.9.190.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"192.168.183.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.54/ysl053kc7qd"; depth:25; nocase; http.host; content:"101.200.86.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268952/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.35.235.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"workspacin.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qaliharsit.tech"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268946; rev:1;) alert tcp $HOME_NET any -> [172.93.222.147] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/sample-letter-to-request-extension-of-contract"; depth:52; nocase; http.host; content:"terragamecenter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268938; rev:1;) alert tcp $HOME_NET any -> [195.123.211.210] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268942; rev:1;) alert tcp $HOME_NET any -> [43.138.20.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"43.138.20.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"195.123.211.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268939; rev:1;) alert tcp $HOME_NET any -> [103.153.69.150] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268937; 
rev:1;) alert tcp $HOME_NET any -> [103.153.69.151] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"185.234.216.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomedelimisinyav.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomehackerbaba.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; 
http.host; content:"midigomesinyalcimisinaga.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268900/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomebeniseviyor.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otmzyzq3yzgyogrk/"; depth:18; nocase; http.host; content:"midigomehacibaba.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268901/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268902/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland7.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268903/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeuroland.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"moneyeurolandcamp.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268905/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"2moneyeuroland.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"2moneyeuroland.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; 
sid:91268907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmi1m2zimgrmodey/"; depth:18; nocase; http.host; content:"3moneyeuroland.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_10; classtype:trojan-activity; sid:91268908; rev:1;) alert tcp $HOME_NET any -> [91.92.240.229] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268922; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17751 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268844; rev:1;) alert tcp $HOME_NET any -> [104.250.172.89] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268845/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"levantain.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268846; rev:1;) alert tcp $HOME_NET any -> [51.158.202.242] 443 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asra1.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268554/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_10; classtype:trojan-activity; sid:91268554; rev:1;) alert tcp $HOME_NET any -> [31.184.253.65] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"y9f6z0q1w2.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268575; rev:1;) alert tcp $HOME_NET any -> [5.253.40.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268935; rev:1;) alert tcp $HOME_NET any -> [45.8.144.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268934/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_10; classtype:trojan-activity; sid:91268934; rev:1;) alert tcp $HOME_NET any -> [116.205.231.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268933; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268932; rev:1;) alert tcp $HOME_NET any -> [46.246.14.19] 9000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268931; rev:1;) alert tcp $HOME_NET any -> [187.192.66.171] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268930; rev:1;) alert tcp $HOME_NET any -> [64.229.116.108] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268929; rev:1;) alert tcp $HOME_NET any -> [104.248.223.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268928; rev:1;) alert tcp $HOME_NET any -> [45.32.233.38] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268927; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20054 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268926; rev:1;) alert tcp $HOME_NET any -> [34.221.207.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268925; rev:1;) alert tcp $HOME_NET any -> [13.79.48.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268924; rev:1;) alert tcp $HOME_NET any -> [193.3.19.136] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_10; classtype:trojan-activity; sid:91268923; rev:1;) alert tcp $HOME_NET any -> [91.92.245.49] 50500 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268921; rev:1;) alert tcp $HOME_NET any -> [107.175.229.141] 53152 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268920; rev:1;) alert tcp $HOME_NET any -> [46.246.82.10] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"149.62.47.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268917; rev:1;) alert tcp $HOME_NET any -> [5.42.96.65] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/982c183d8a9835c6.php"; depth:21; nocase; http.host; content:"45.11.92.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_10; classtype:trojan-activity; sid:91268915; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268914; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268913; rev:1;) alert tcp $HOME_NET any -> [84.247.154.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"149.62.47.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268910; rev:1;) alert tcp $HOME_NET any -> [149.62.47.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268911; rev:1;) alert tcp $HOME_NET any -> [105.154.96.186] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2727ccb9.php"; depth:13; nocase; http.host; content:"a0951158.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268895; rev:1;) alert tcp $HOME_NET any -> [62.133.60.205] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268894; rev:1;) alert tcp $HOME_NET any -> [62.133.60.205] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268893/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268893; rev:1;) alert tcp $HOME_NET any -> [49.13.229.86] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268892; rev:1;) alert tcp $HOME_NET any -> [49.13.229.86] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268891; rev:1;) alert tcp $HOME_NET any -> [89.23.103.96] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268890; rev:1;) alert tcp $HOME_NET any -> [89.23.103.96] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268889; rev:1;) alert tcp $HOME_NET any -> [89.23.103.165] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268888; rev:1;) alert tcp $HOME_NET any -> [89.23.103.165] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1268887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268887; rev:1;) alert tcp $HOME_NET any -> [89.23.103.168] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268886; rev:1;) alert tcp $HOME_NET any -> [89.23.103.168] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268885; rev:1;) alert tcp $HOME_NET any -> [89.23.103.159] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268884; rev:1;) alert tcp $HOME_NET any -> [89.23.103.159] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268883; rev:1;) alert tcp $HOME_NET any -> [65.109.170.29] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268882; rev:1;) alert tcp $HOME_NET any -> [65.109.170.29] 22 (msg:"ThreatFox Stealc botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268881; rev:1;) alert tcp $HOME_NET any -> [62.133.60.218] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268880; rev:1;) alert tcp $HOME_NET any -> [62.133.60.218] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268879; rev:1;) alert tcp $HOME_NET any -> [89.23.103.129] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268878; rev:1;) alert tcp $HOME_NET any -> [89.23.103.129] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268877; rev:1;) alert tcp $HOME_NET any -> [89.23.103.89] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268876; rev:1;) alert 
tcp $HOME_NET any -> [89.23.103.89] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268875; rev:1;) alert tcp $HOME_NET any -> [89.23.103.141] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268874; rev:1;) alert tcp $HOME_NET any -> [89.23.103.141] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268873; rev:1;) alert tcp $HOME_NET any -> [95.181.173.85] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268872; rev:1;) alert tcp $HOME_NET any -> [95.181.173.85] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268871; rev:1;) alert tcp $HOME_NET any -> [89.23.103.109] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268870/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268870; rev:1;) alert tcp $HOME_NET any -> [89.23.103.109] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268869; rev:1;) alert tcp $HOME_NET any -> [89.23.103.132] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268868; rev:1;) alert tcp $HOME_NET any -> [89.23.103.132] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268867; rev:1;) alert tcp $HOME_NET any -> [5.42.96.14] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268866; rev:1;) alert tcp $HOME_NET any -> [5.42.96.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268865; rev:1;) alert tcp $HOME_NET any -> [147.45.47.147] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1268864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268864; rev:1;) alert tcp $HOME_NET any -> [107.178.105.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268863; rev:1;) alert tcp $HOME_NET any -> [91.92.245.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268862; rev:1;) alert tcp $HOME_NET any -> [5.75.213.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268861; rev:1;) alert tcp $HOME_NET any -> [5.75.213.183] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268860; rev:1;) alert tcp $HOME_NET any -> [49.12.115.57] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268859; rev:1;) alert tcp $HOME_NET any -> [49.12.115.57] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"vladiez8.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268857; rev:1;) alert tcp $HOME_NET any -> [172.104.182.4] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268856; rev:1;) alert tcp $HOME_NET any -> [101.99.75.123] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268855; rev:1;) alert tcp $HOME_NET any -> [103.45.173.142] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268854; rev:1;) alert tcp $HOME_NET any -> [103.187.4.53] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1268853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268853; rev:1;) alert tcp $HOME_NET any -> [190.135.209.105] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268852; rev:1;) alert tcp $HOME_NET any -> [54.227.37.24] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268851; rev:1;) alert tcp $HOME_NET any -> [122.248.226.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268850; rev:1;) alert tcp $HOME_NET any -> [65.20.78.91] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268849/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268849; rev:1;) alert tcp $HOME_NET any -> [93.127.197.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268848; rev:1;) alert tcp $HOME_NET any -> [195.10.205.91] 1707 (msg:"ThreatFox RedLine Stealer botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268579/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268576; rev:1;) alert tcp $HOME_NET any -> [79.110.62.41] 7205 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; 
http.host; content:"47.96.74.108"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.133.175.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"185.145.148.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hathawaya.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/about"; depth:6; nocase; http.host; content:"www.hathawaya.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268569; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.145.148.107"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.134.148.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.14.204.208"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.40.127.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel.gif"; depth:10; nocase; http.host; content:"103.26.14.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268563; rev:1;) alert tcp $HOME_NET any -> [8.134.150.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"106.54.143.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user"; depth:5; nocase; http.host; content:"175.24.252.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268560; rev:1;) alert tcp $HOME_NET any -> [49.232.90.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"www.dq.sched.vip-dk.tdnsvod1.cn"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/cd/k7ba6v385v"; depth:22; nocase; http.host; content:"www.dq.sched.vip-dk.tdnsvod1.cn"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.222.251.230"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a6031851.php"; depth:13; nocase; http.host; content:"a0952196.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268555; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; 
classtype:trojan-activity; sid:91268551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejavascriptupdateapiserverdefaultbasewindowstrafficpublic.php"; depth:66; nocase; http.host; content:"956330cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268550; rev:1;) alert tcp $HOME_NET any -> [45.89.55.76] 3330 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268512; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 14420 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268539; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 14420 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268540; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 14420 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268541; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"consultantinsurance.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268544; rev:1;) alert tcp $HOME_NET any -> [45.95.169.162] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268549; rev:1;) alert tcp $HOME_NET any -> [5.42.96.54] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268547; rev:1;) alert tcp $HOME_NET any -> [5.42.96.55] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268548; rev:1;) alert tcp $HOME_NET any -> [81.70.189.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; 
content:"81.70.189.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268545; rev:1;) alert tcp $HOME_NET any -> [5.42.96.55] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268543; rev:1;) alert tcp $HOME_NET any -> [103.186.117.184] 1199 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268542; rev:1;) alert tcp $HOME_NET any -> [5.42.96.54] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.138.188.41"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.102.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268531; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.235.187.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel.gif"; depth:10; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.102.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268518; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"investment.kumbaraan.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a6fa9b7c.php"; depth:13; nocase; http.host; content:"a0945627.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268508; rev:1;) alert tcp $HOME_NET any -> [91.92.254.38] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268507; rev:1;) alert tcp $HOME_NET any -> [45.141.215.44] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268506; rev:1;) alert tcp $HOME_NET any -> [46.246.4.7] 6000 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268505; rev:1;) alert tcp $HOME_NET any -> [46.246.4.7] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268504; rev:1;) alert tcp $HOME_NET any -> [70.31.125.116] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268503; rev:1;) alert tcp $HOME_NET any -> [35.86.153.6] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268502; rev:1;) alert tcp $HOME_NET any -> [174.138.103.97] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268501; rev:1;) alert tcp $HOME_NET any -> [47.236.36.46] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; 
classtype:trojan-activity; sid:91268500; rev:1;) alert tcp $HOME_NET any -> [99.79.63.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268499; rev:1;) alert tcp $HOME_NET any -> [20.83.27.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268498; rev:1;) alert tcp $HOME_NET any -> [172.96.137.156] 64447 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268497; rev:1;) alert tcp $HOME_NET any -> [194.190.220.7] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie3/five/fre.php"; depth:19; nocase; http.host; content:"rocheholding.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268495; rev:1;) alert tcp $HOME_NET any -> [93.95.115.2] 9462 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268494; rev:1;) alert tcp $HOME_NET any -> [172.93.222.220] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/understanding-ohio-forced-medication-laws-what-you-need-to-know/"; depth:68; nocase; http.host; content:"smallders.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-traffic-laws-in-grenada-a-complete-guide/64592/"; depth:62; nocase; http.host; content:"ecoprotection.in"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-false-advertising-laws-in-ohio-what-you-need-to-know/"; depth:68; nocase; http.host; content:"www.plugh.co.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/12/10/do-you-qualify-for-bereavement-leave-for-grandparents-in-law"; depth:72; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-a-collaborative-practice-agreement-required-in-texas-for-physician-assistant/"; depth:81; nocase; http.host; content:"larryslocksmith.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/03/20/pros-and-cons-of-multilateral-trade-agreements/"; depth:69; nocase; 
http.host; content:"awadhshreehospital.in"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/10/12/understanding-the-lebanese-legal-system-laws-courts-and-rights/"; depth:75; nocase; http.host; content:"ngsindia.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables/"; depth:41; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained/"; depth:60; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/02/26/humana-medicare-tier-exception-form/"; depth:48; nocase; http.host; content:"pinkfinancialbank.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-the-difference-between-appointment-letter-and-employment-contract/"; depth:75; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-traffic-laws-in-grenada-a-complete-guide/64592/"; depth:62; nocase; http.host; content:"ecoprotection.in"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common-law-marriage-military-recognition-and-legal-rights"; depth:58; nocase; http.host; content:"norholmgods.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/free-online-company-secretary-courses-legal-training-certification/"; depth:68; nocase; http.host; content:"krushinews18.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/resignation-letter-template-mutual-agreement/"; depth:51; nocase; http.host; content:"www.travisshoots.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/12/04/ver-saldo-do-nota-legal/"; depth:36; nocase; http.host; content:"americanepoxy.bond10templates.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2021/12/30/ukraine-staff-level-agreement-legal-guidelines-and-requirements/"; depth:76; nocase; http.host; content:"ngsindia.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vps-enterprise-agreement-2016-schedule-b/"; depth:42; nocase; http.host; content:"museocambellotti.cittadifondazione.it"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement/"; depth:23; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/legalisation-of-documents-a-guide-to-authenticating-legal-papers/"; depth:66; nocase; http.host; content:"lotbuds.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft-enterprise-purchase-agreement/"; depth:41; nocase; http.host; content:"studiolegalefalco-masi.it"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-a-collaborative-practice-agreement-required-in-texas-for-physician-assistant"; depth:80; nocase; http.host; content:"larryslocksmith.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcmaster-collective-agreement-faculty/"; depth:39; nocase; http.host; content:"bigcheeserodents.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268404; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap/"; depth:48; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-legal-entity-hierarchy-a-comprehensive-guide/"; depth:60; nocase; http.host; content:"tcl.brandshop.ke"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/general-manager-role-key-responsibilities-and-legal-implications/"; depth:66; nocase; http.host; content:"signcitysa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables/"; depth:41; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268377; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap/"; depth:48; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ny-car-lease-tax-calculator/"; depth:29; nocase; http.host; content:"urbedu.live"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained/"; depth:60; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ifrs-16-legal-fees-understanding-the-implications-for-businesses"; depth:65; nocase; http.host; content:"mctools.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mutual-agreement-resignation-letter-sample"; depth:43; nocase; http.host; content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/12/10/do-you-qualify-for-bereavement-leave-for-grandparents-in-law/"; depth:73; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/03/31/washington-state-medical-assistant-scope-of-practice-laws-legal-overview/"; depth:85; nocase; http.host; content:"asleman.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268370; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sample-general-manager-employment-contract-for-a-company/"; depth:58; nocase; http.host; content:"you-green.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-in-the-new-nafta-agreement/"; depth:36; nocase; http.host; content:"phutungotochinhhang.vn"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california/"; depth:69; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/how-contract-research-organizations-profit-business-model-analysis/"; depth:68; nocase; http.host; content:"alphacleantech.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; 
sid:91268365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california/"; depth:69; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement/"; depth:23; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"arts-npo.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.gxtfinance.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.dismerchandise.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; 
classtype:trojan-activity; sid:91268417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.petrolpower.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.metalhoz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.anettelonnsfotvard.se"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"2015.artencounters.ro"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; 
content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.chanderbhushan.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268430/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.miketrees.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.anettelonnsfotvard.se"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.fastex.se"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"4dgamers.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; 
http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.hu"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"auto-coop.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268443/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_09; classtype:trojan-activity; sid:91268443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.finaltolightspeed.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.penhaligonsfriends.org.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"artlab.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.medischdrukwerk.nl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; content:"www.fastex.se"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/english.php"; depth:12; nocase; http.host; 
content:"www.gxtfinance.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/06/04/nbu-msp-collective-agreement/"; depth:51; nocase; http.host; content:"conyers.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fha-cash-reserve-requirements-everything-you-need-to-know/"; depth:59; nocase; http.host; content:"overhplusproperties.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bcnu-collective-agreement-bereavement-leave/"; depth:45; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/11/legal-responsibility-of-a-when-a-dog-attacks-a-cat/"; depth:63; nocase; 
http.host; content:"www.mindelscott.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ema-guidance-on-quality-agreements"; depth:35; nocase; http.host; content:"reiner.nrha.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gun-laws-in-denmark-understanding-regulations-and-restrictions"; depth:63; nocase; http.host; content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/05/what-is-the-benefit-of-a-tolling-agreement/"; depth:52; nocase; http.host; content:"www.paloubis.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/withdrawal-agreement-free-movement/"; depth:36; nocase; http.host; 
content:"lareplica.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/how-contract-research-organizations-profit-business-model-analysis"; depth:67; nocase; http.host; content:"alphacleantech.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/what-is-in-the-new-nafta-agreement"; depth:35; nocase; http.host; content:"phutungotochinhhang.vn"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2023/06/04/nbu-msp-collective-agreement"; depth:50; nocase; http.host; content:"conyers.biz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/withdrawal-agreement-free-movement"; depth:35; nocase; http.host; 
content:"lareplica.es"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scaffolding-agreement"; depth:22; nocase; http.host; content:"pt-tkbi.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2023/01/20/sample-physician-assistant-practice-agreement-california"; depth:68; nocase; http.host; content:"jcfpa.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vps-enterprise-agreement-2016-schedule-b"; depth:41; nocase; http.host; content:"museocambellotti.cittadifondazione.it"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gun-laws-in-denmark-understanding-regulations-and-restrictions"; depth:63; nocase; http.host; 
content:"produtoresflorestais.pt"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abm/disagreement-has-how-many-syllables"; depth:40; nocase; http.host; content:"theelegant.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/02/26/humana-medicare-tier-exception-form"; depth:47; nocase; http.host; content:"pinkfinancialbank.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/california-law-essential-break-room-requirements-explained"; depth:59; nocase; http.host; content:"mysmartbox.solutions"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mutual-agreement-resignation-letter-sample"; depth:43; nocase; http.host; 
content:"goodstos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understanding-false-advertising-laws-in-ohio-what-you-need-to-know"; depth:67; nocase; http.host; content:"plugh.co.in"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/manual.php"; depth:11; nocase; http.host; content:"aynasy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/13/legal-valuation-group-valuation-sap"; depth:47; nocase; http.host; content:"pptribe.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tenancy-agreement-sample-guyana"; depth:32; nocase; http.host; content:"eberlie.ca"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1268320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bcnu-collective-agreement-bereavement-leave"; depth:44; nocase; http.host; content:"bellbaker.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tavimtopindomiz.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"harmancomesdel.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268289/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"gabirezdolirezdomez.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268290/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; 
classtype:trojan-activity; sid:91268290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahtalivilazdolezdominez.xyz"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268291/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahirbankobinezcomez.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"demetakbaslobinezdomez.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"sahrayedcomineztopes.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tekireztokirezdomez.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"takhoplikezdomez.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"caymahedsocyescez.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tahirwolwerdoviz.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"hatipbabagelipdol.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"terektorekdomirez.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268286/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"hahyolkabinezlokezdo.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268287/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"salihogobinezdolinez.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268285/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; 
content:"teyfangobinezdo.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268288/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"sayrodfalireznolere.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268282/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"tarakomizdolirez.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268283/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdgynwm4zjc4ngu2/"; depth:18; nocase; http.host; content:"caymedcoymenconez.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268284/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_09; classtype:trojan-activity; sid:91268284; rev:1;) alert tcp $HOME_NET any -> [41.249.40.69] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268466; rev:1;) alert tcp 
$HOME_NET any -> [45.32.124.195] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268469; rev:1;) alert tcp $HOME_NET any -> [167.71.205.181] 2096 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268470; rev:1;) alert tcp $HOME_NET any -> [8.219.229.99] 11111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268471; rev:1;) alert tcp $HOME_NET any -> [159.65.12.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268472; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11168 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268490/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268490; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11168 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268491/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"skylinehigh.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"skylinehigh.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268264; rev:1;) alert tcp $HOME_NET any -> [91.92.244.58] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"minuoddos.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_09; classtype:trojan-activity; sid:91268266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1dad0133.php"; depth:13; nocase; http.host; content:"a0951529.xsph.ru"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0950683.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythontrack.php"; depth:16; nocase; http.host; content:"005514cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/967d93f7.php"; depth:13; nocase; http.host; content:"a0951137.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; classtype:trojan-activity; sid:91268465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d1/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_09; 
classtype:trojan-activity; sid:91268464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.89.178.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_09; classtype:trojan-activity; sid:91268463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/python4/cdndownloads/basejavascript/provider5trafficwindows/5dump/7windowswindowsdatalife/auth8/generatorvideobasephp/mariadbphp/multidefault/1dumpcentral5/flowerapitrackprocessor/cpujsmultibetter/3uploads/dleuploads0multi/sqlpython/4external/http/better8geo/phprequestlinuxpublic.php"; depth:285; nocase; http.host; content:"77.221.157.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"53473cm.easyswap.space"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268461; rev:1;) alert tcp $HOME_NET any -> [101.43.186.30] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268460; rev:1;) alert tcp $HOME_NET any -> 
[91.92.249.117] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268459; rev:1;)
# NOTE(review): the ip:port rules below have no flow:established,to_server and no payload match,
# so they fire on the first packet toward the listed socket, an unanswered SYN included; a host
# that merely probes a dead C2 still alerts. threshold (type limit, by_src, 60s, count 1) caps
# that at one alert per source per minute, so a hit means "contact attempted", not an established
# session. 156.195.80.192 is listed on both 80 and 8080; every entry here is first_seen 2024_05_08,
# so re-check attribution of the IP before promoting any of them from alert to drop.
alert tcp $HOME_NET any -> [83.229.87.144] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268458; rev:1;)
alert tcp $HOME_NET any -> [143.92.56.50] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268457; rev:1;)
alert tcp $HOME_NET any -> [193.38.34.125] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268456; rev:1;)
alert tcp $HOME_NET any -> [156.195.80.192] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268454; rev:1;)
alert tcp $HOME_NET any -> [156.195.80.192] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268455/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268455; rev:1;) alert tcp $HOME_NET any -> [128.90.123.108] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268453; rev:1;) alert tcp $HOME_NET any -> [64.23.156.73] 4047 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268355; rev:1;) alert tcp $HOME_NET any -> [54.39.216.104] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268354; rev:1;) alert tcp $HOME_NET any -> [47.245.105.90] 9876 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268353; rev:1;) alert tcp $HOME_NET any -> [46.246.6.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268352; rev:1;) alert tcp $HOME_NET any -> [34.41.72.142] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beamazyn.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268350; rev:1;) alert tcp $HOME_NET any -> [18.232.156.244] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268349; rev:1;) alert tcp $HOME_NET any -> [185.93.221.118] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268346; rev:1;) alert tcp $HOME_NET any -> [193.168.143.195] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268347/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268347; rev:1;) alert tcp $HOME_NET any -> [193.168.141.196] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268348/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; 
sid:91268348; rev:1;) alert tcp $HOME_NET any -> [154.44.24.21] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268345; rev:1;) alert tcp $HOME_NET any -> [13.212.154.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"52.215.189.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268329; rev:1;) alert tcp $HOME_NET any -> [52.215.189.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"54.67.45.193"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268326; rev:1;) alert tcp 
$HOME_NET any -> [54.67.45.193] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268325; rev:1;) alert tcp $HOME_NET any -> [54.67.45.193] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268324; rev:1;) alert tcp $HOME_NET any -> [107.173.57.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268322; rev:1;) alert tcp $HOME_NET any -> [107.172.191.222] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268321; rev:1;) alert tcp $HOME_NET any -> [23.226.54.25] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268318; rev:1;) alert tcp $HOME_NET any -> [121.37.137.69] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1268317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268317; rev:1;) alert tcp $HOME_NET any -> [110.41.136.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.92.96.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268315; rev:1;) alert tcp $HOME_NET any -> [47.92.96.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.130.133.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268313; rev:1;) alert tcp $HOME_NET any -> [8.130.133.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1268312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268312; rev:1;)
# NOTE(review): the url rules below get their specificity from the http.host match, not the path.
# The uri content is anchored at offset 0 only (depth, no isdataat), so "/g.pixel?x=1" still
# matches, while http.host is anchored at both ends (depth + isdataat:!1,relative) to the literal
# C2 IP. "/g.pixel" and "/__utm.gif" look like stock beacon paths (inferred, not shown here) and
# "/__utm.gif" is also an ordinary web-analytics pixel, so never loosen the host match to a subnet
# or drop it; the paired ip:port rule for the same IP follows each url rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.130.102.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268311; rev:1;)
alert tcp $HOME_NET any -> [8.130.102.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"111.231.15.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268309; rev:1;)
alert tcp $HOME_NET any -> [111.231.15.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268308; rev:1;)
alert tcp $HOME_NET any -> [118.25.85.49] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1268307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"119.91.231.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268306; rev:1;) alert tcp $HOME_NET any -> [119.91.231.57] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-izlolzm0-1318382624.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268304; rev:1;) alert tcp $HOME_NET any -> [175.178.128.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268303; rev:1;) alert tcp $HOME_NET any -> [162.14.69.252] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268302/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268302; rev:1;) alert tcp $HOME_NET any -> [159.75.93.32] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0950998.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268281; rev:1;) alert tcp $HOME_NET any -> [101.34.235.206] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.235.118.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268279; rev:1;) alert tcp $HOME_NET any -> [49.235.118.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268278/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268278; rev:1;)
alert tcp $HOME_NET any -> [43.136.64.163] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268277; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268276; rev:1;)
alert tcp $HOME_NET any -> [94.102.59.173] 58943 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268275; rev:1;)
alert tcp $HOME_NET any -> [91.219.62.14] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268274; rev:1;)
# NOTE(review): "Unknown malware" at confidence 50 on port 80 is the weakest kind of entry in
# this feed: no family, no payload match, and a port shared with ordinary web traffic. The
# metadata confidence_level is the only thing separating these from the 100% rules above, so
# key any auto-blocking or escalation on that field rather than on classtype, which is
# trojan-activity for every rule here.
alert tcp $HOME_NET any -> [91.142.77.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268273; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268272; rev:1;) alert tcp $HOME_NET any -> [146.56.200.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268271; rev:1;) alert tcp $HOME_NET any -> [120.46.37.189] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268270; rev:1;) alert tcp $HOME_NET any -> [39.40.189.62] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268269; rev:1;) alert tcp $HOME_NET any -> [172.96.137.156] 55295 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268268; rev:1;) alert tcp $HOME_NET any -> [8.129.77.150] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91268267; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"debtavailable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"debtavailable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"debtavailable.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268260; rev:1;) alert tcp $HOME_NET any -> [103.14.226.21] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268261; rev:1;) alert tcp $HOME_NET any -> [67.207.161.230] 16769 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268262; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.nperm.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268259; rev:1;)
# NOTE(review): the dns rules in this feed match the query name exactly: depth equals the name's
# length and isdataat:!1,relative forbids trailing bytes, so a query for "www.cnc.nperm.net" or for
# "nperm.net" itself does not fire, and no sibling subdomain is covered. A hit is a query from a
# $HOME_NET address, not evidence that the name resolved or that a connection followed; and where a
# recursive resolver sits inside $HOME_NET, src_ip (and therefore target:src_ip) is the resolver,
# not the infected client. Corroborate with the ip:port rule for whatever the name resolves to.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poor-indians-tax-me.icu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268257; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.nperm.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268258; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.124] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4.hta"; depth:6; nocase; http.host; content:"193.222.96.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xd.bat"; depth:7; nocase; http.host; content:"193.222.96.124"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xx.bat"; depth:7; nocase; http.host; content:"193.222.96.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268078; rev:1;) alert tcp $HOME_NET any -> [193.222.96.143] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"voicelesson.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"voicelesson.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268226; rev:1;) alert tcp $HOME_NET any -> [193.222.96.143] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2022/11/26/pet-skunk-legal-in-california"; depth:41; nocase; http.host; content:"trustadvisorygroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1268248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voicelesson.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superkart.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268252; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getintothe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"safetheworld.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1268254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91268254; rev:1;) alert tcp $HOME_NET any -> [103.142.244.19] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268249; rev:1;) alert tcp $HOME_NET any -> [47.57.184.164] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268250; rev:1;) alert tcp $HOME_NET any -> [47.57.7.44] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1268251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91268251; rev:1;) alert tcp $HOME_NET any -> [193.222.96.124] 5050 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267976; rev:1;) alert tcp $HOME_NET any -> [5.42.65.77] 6541 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267974; rev:1;) alert tcp $HOME_NET any -> [147.45.47.93] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"listwisconsin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"listwisconsin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"listwisconsin.com"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1267972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"210.114.11.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267970; rev:1;) alert tcp $HOME_NET any -> [47.109.178.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.221.181.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.43.245"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267965; rev:1;) alert tcp $HOME_NET any -> [101.200.86.179] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.109.49.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267961/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267959; rev:1;) alert tcp $HOME_NET any -> [47.109.178.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-b0kt7bkd-1307485220.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267958; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 47021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267955; rev:1;) alert tcp $HOME_NET any -> [15.165.134.129] 8649 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; 
classtype:trojan-activity; sid:91267957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0944507.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teachabletutorials.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"teachabletutorials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"teachabletutorials.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267931; rev:1;) alert tcp $HOME_NET any -> [77.83.199.148] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1267954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267954; rev:1;) alert tcp $HOME_NET any -> [77.83.199.148] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267953; rev:1;) alert tcp $HOME_NET any -> [213.159.68.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267952; rev:1;) alert tcp $HOME_NET any -> [172.245.5.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267951; rev:1;) alert tcp $HOME_NET any -> [185.142.184.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267950; rev:1;) alert tcp $HOME_NET any -> [107.175.229.141] 46613 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267949; rev:1;) alert tcp $HOME_NET any -> [62.102.148.189] 11274 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.116.211.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.27.131.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.222.141.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267944/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.222.141.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn1.cdngw.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.8.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromeupdate/shellex/index.php"; depth:31; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; 
content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/d4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267933; rev:1;) alert tcp $HOME_NET any -> [12.202.180.134] 8797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267932; rev:1;) alert tcp $HOME_NET any -> [185.29.9.120] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267928; rev:1;) alert tcp $HOME_NET any -> [103.186.117.26] 1177 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"waytowealth.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"waytowealth.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"waytowealth.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seadrill.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267923; rev:1;) alert tcp $HOME_NET any -> [96.47.233.137] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267921; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 2560 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvin/five/fre.php"; depth:20; nocase; http.host; content:"seadrill.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvmsecuresqlwindowstrackdatalife.php"; depth:44; nocase; http.host; content:"065963cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"currentsilverprice.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"currentsilverprice.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"currentsilverprice.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/42public4/base/test0centralvideo/datalifepythondbflower/bigloadprovider/2dle/0private/authline6/request4/providervideorequestflowertraffictesttracktemporary.php"; depth:161; nocase; http.host; content:"199.231.191.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267914; rev:1;) alert tcp $HOME_NET any -> [67.211.218.147] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267913; rev:1;) alert tcp $HOME_NET any -> [154.38.104.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267912; rev:1;) alert tcp $HOME_NET any -> [147.45.47.39] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267911; rev:1;) alert tcp $HOME_NET any -> [89.116.193.177] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267910; rev:1;) alert tcp $HOME_NET any -> [47.108.229.11] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267909; rev:1;) alert tcp $HOME_NET any -> [69.162.96.30] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267908; rev:1;) alert tcp $HOME_NET any -> [121.41.18.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267907; rev:1;) alert tcp $HOME_NET any -> [46.246.86.7] 9000 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267906; rev:1;) alert tcp $HOME_NET any -> [46.246.86.7] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267905; rev:1;) alert tcp $HOME_NET any -> [41.99.118.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267904; rev:1;) alert tcp $HOME_NET any -> [94.98.69.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267903; rev:1;) alert tcp $HOME_NET any -> [2.50.39.105] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267902; rev:1;) alert tcp $HOME_NET any -> [82.157.173.114] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; 
classtype:trojan-activity; sid:91267901; rev:1;) alert tcp $HOME_NET any -> [31.214.157.49] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267900; rev:1;) alert tcp $HOME_NET any -> [143.110.211.214] 50001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267899; rev:1;) alert tcp $HOME_NET any -> [103.82.194.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267898; rev:1;) alert tcp $HOME_NET any -> [195.80.148.170] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267897; rev:1;) alert tcp $HOME_NET any -> [64.95.13.226] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267896; rev:1;) alert tcp $HOME_NET any -> [2.58.15.151] 13576 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267895; rev:1;) alert tcp $HOME_NET any -> [5.8.18.9] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267894; rev:1;) alert tcp $HOME_NET any -> [45.41.187.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_08; classtype:trojan-activity; sid:91267893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim22.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"valentinedaycard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267884; rev:1;) alert tcp $HOME_NET any -> [91.92.253.11] 65024 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1267892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"valentinedaycard.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim22.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje3ztbjn2rmm2m4/"; depth:18; nocase; http.host; content:"kyrtasarim33.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_08; classtype:trojan-activity; sid:91267880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.operationanonrecoil.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"trailshop.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realbumblebee.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recentbee.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investrealtydom.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webnubee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artspathgroup.net"; depth:17; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1267608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buyblocknow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currentbee.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modernbeem.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupbusiness24.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magentoengineers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267614/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_08; classtype:trojan-activity; sid:91267614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"childrensdolls.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myfinancialexperts.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"limitedtoday.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kekeoamigo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebraska-lawyers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomlawcenter.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesmartcloudusa.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267620; rev:1;) alert tcp $HOME_NET any -> [103.174.73.185] 45456 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.heleh.com.vn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_08; classtype:trojan-activity; sid:91267622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasapool.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artspathgroupe.net"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"specialdrills.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thetrailbig.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267601; rev:1;) alert tcp $HOME_NET any -> [193.233.132.132] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267562; rev:1;) alert tcp $HOME_NET any -> [178.159.39.40] 19667 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267570; rev:1;) alert tcp $HOME_NET any -> [77.221.151.41] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267571; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"itemsdostawa.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"masterokrwh.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"valentinedaycard.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_08; classtype:trojan-activity; sid:91267598; rev:1;) alert tcp $HOME_NET any -> [45.148.244.102] 6395 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267891; rev:1;) alert tcp $HOME_NET any -> [114.132.87.123] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267890; rev:1;) alert tcp $HOME_NET any -> [159.223.86.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"otomotif.kumbaraan.biz.id"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267888; rev:1;) alert tcp $HOME_NET any -> [207.246.64.185] 6161 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267887; rev:1;) alert tcp $HOME_NET any -> [178.215.236.110] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267886; rev:1;) alert tcp $HOME_NET any -> [5.189.217.203] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267885; rev:1;) alert tcp $HOME_NET any -> [77.75.230.59] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267882/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267882; rev:1;) alert tcp $HOME_NET any -> [154.53.43.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267877; rev:1;) alert tcp $HOME_NET any -> [193.26.115.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267876; rev:1;) alert tcp $HOME_NET any -> [38.45.124.235] 30100 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267875; rev:1;) alert tcp $HOME_NET any -> [139.9.105.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267874; rev:1;) alert tcp $HOME_NET any -> [117.72.33.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267873; rev:1;) alert tcp $HOME_NET any -> [86.98.18.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267872; rev:1;) alert tcp $HOME_NET any -> [159.65.12.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267871; rev:1;) alert tcp $HOME_NET any -> [194.246.114.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267870; rev:1;) alert tcp $HOME_NET any -> [64.95.13.226] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267869; rev:1;) alert tcp $HOME_NET any -> [18.134.60.47] 8084 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.212.101.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267867/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_07; classtype:trojan-activity; sid:91267867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"54.82.65.203"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267623; rev:1;) alert tcp $HOME_NET any -> [54.244.147.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proya.cyou"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267593; rev:1;) alert tcp $HOME_NET any -> [114.132.120.166] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267594/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"proya.cyou"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"54.244.147.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267590; rev:1;) alert tcp $HOME_NET any -> [54.244.147.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.testtttt.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.testtttt.com"; depth:16; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267587; rev:1;) alert tcp $HOME_NET any -> [79.132.142.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/content/stream-9a42d411-e060-49be-8cd9-9a15d111ea30/f29df6de-5918-46d2-a4b8-157990ed06ab"; depth:94; nocase; http.host; content:"79.132.142.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267585; rev:1;) alert tcp $HOME_NET any -> [172.81.132.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"172.81.132.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.200.176.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267582; rev:1;) alert tcp $HOME_NET any -> [116.203.12.249] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tstarks.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.249"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267577; rev:1;) alert tcp 
$HOME_NET any -> [116.203.7.126] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267578; rev:1;) alert tcp $HOME_NET any -> [65.109.242.112] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tstarks.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; 
classtype:trojan-activity; sid:91267574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj32434.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/722c81812703a73d.php"; depth:21; nocase; http.host; content:"193.163.7.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"91.92.249.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.230.12.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267566; rev:1;) alert tcp $HOME_NET any -> [113.31.106.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preserve/extranet/lff00fq6u2h0"; depth:31; nocase; http.host; content:"113.31.106.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/share/ms_excel_document_helper.hta"; depth:35; nocase; http.host; content:"77.75.230.59"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1267561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bandarsport.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267555; rev:1;) alert tcp $HOME_NET any -> [50.114.177.189] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267551; rev:1;) alert tcp $HOME_NET any -> [156.253.8.166] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267560; rev:1;) alert tcp $HOME_NET any -> [13.77.123.222] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267559; rev:1;) alert tcp $HOME_NET any -> [195.26.240.251] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267558; rev:1;) alert tcp $HOME_NET any -> [45.126.209.172] 
6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267557; rev:1;) alert tcp $HOME_NET any -> [45.126.209.172] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267556; rev:1;) alert tcp $HOME_NET any -> [14.164.99.119] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267554; rev:1;) alert tcp $HOME_NET any -> [222.108.86.185] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267553; rev:1;) alert tcp $HOME_NET any -> [191.82.203.72] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267552; rev:1;) alert tcp $HOME_NET any -> [175.137.217.143] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267550/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267550; rev:1;) alert tcp $HOME_NET any -> [143.92.56.46] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267548; rev:1;) alert tcp $HOME_NET any -> [143.92.56.60] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267546; rev:1;) alert tcp $HOME_NET any -> [192.121.102.3] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267545/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_07; classtype:trojan-activity; sid:91267545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267543; rev:1;) alert tcp $HOME_NET any -> [94.156.68.82] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; 
nocase; http.host; content:"175.178.242.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267540; rev:1;) alert tcp $HOME_NET any -> [94.156.67.83] 34568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2024/05/9dv7ayhg1ag2kwo30_"; depth:54; nocase; http.host; content:"117.72.8.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267537; rev:1;) alert tcp $HOME_NET any -> [91.92.249.122] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267534; rev:1;) alert tcp $HOME_NET any -> [91.92.245.195] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267532; rev:1;) alert tcp $HOME_NET any -> [89.39.106.35] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267531; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"a2ef406e2c2351e0b9e80029c909242d.melonhack.top"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a2ef406e2c2351e0b9e80029c909242d.melonhack.top"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267529; rev:1;) alert tcp $HOME_NET any -> [89.213.184.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267527; rev:1;) alert tcp $HOME_NET any -> [154.44.24.21] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267528; rev:1;) alert tcp $HOME_NET any -> [154.40.46.121] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267525; rev:1;) alert tcp $HOME_NET any -> [154.9.254.227] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267526; rev:1;) alert tcp $HOME_NET any -> [142.171.224.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; 
classtype:trojan-activity; sid:91267521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267520; rev:1;) alert tcp $HOME_NET any -> [52.234.248.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267519; rev:1;) alert tcp $HOME_NET any -> [52.234.248.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267518; rev:1;) alert tcp $HOME_NET any -> [20.102.88.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"mystoreanandhelens.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; 
classtype:trojan-activity; sid:91267516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mystoreanandhelens.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267515; rev:1;) alert tcp $HOME_NET any -> [4.157.67.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267514; rev:1;) alert tcp $HOME_NET any -> [4.149.228.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apt.daili778.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.128.113.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267511; rev:1;) alert tcp $HOME_NET any -> 
[43.128.113.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267510; rev:1;) alert tcp $HOME_NET any -> [43.128.113.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.236.52.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267508; rev:1;) alert tcp $HOME_NET any -> [47.236.52.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267506; rev:1;) alert tcp $HOME_NET any -> [47.236.52.108] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.219.204.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267505; rev:1;) alert tcp $HOME_NET any -> [8.219.204.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267504; rev:1;) alert tcp $HOME_NET any -> [14.5.161.232] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapi/affiliation/v1/affiliation:lookupbyhashprefix"; depth:56; nocase; http.host; content:"139.159.183.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267502; rev:1;) alert tcp $HOME_NET any -> [139.159.183.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267501; rev:1;) alert tcp $HOME_NET any -> [121.36.75.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267500; rev:1;) alert tcp $HOME_NET any -> [47.109.48.193] 2345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267499; rev:1;) alert tcp $HOME_NET any -> [47.109.70.202] 32680 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267498; rev:1;) alert tcp $HOME_NET any -> [123.57.59.76] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267497; rev:1;) alert tcp $HOME_NET any -> [124.221.181.157] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.220.62.60"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267493; rev:1;) alert tcp $HOME_NET any -> [124.220.62.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"120.53.249.27"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267491; rev:1;) alert tcp $HOME_NET any -> [120.53.249.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267490; rev:1;) alert tcp $HOME_NET any -> [119.91.236.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otomotif.kumbaraan.biz.id"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267488/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_07; classtype:trojan-activity; sid:91267488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"otomotif.kumbaraan.biz.id"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267487; rev:1;) alert tcp $HOME_NET any -> [111.230.12.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267486; rev:1;) alert tcp $HOME_NET any -> [1.117.232.76] 4880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdjgh29387y29ws.group-networks.ru"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdiufgsdugif.group-networks.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; 
classtype:trojan-activity; sid:91267481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tracking-alert.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zsu-ua-gov.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.kovey-net.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbmarket-place.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fbmarket-place.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zimbralet.x24hr.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.verminteam.link"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai-nro.space"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"boats.voidnet.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raw.mezo-api.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkoic3y.dekma-gay.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.proxy1.bf"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hismokes.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267460/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiko-network.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domain-botnet.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qngxgw.eu.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sro3ga.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267457; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"2moneycsasfasfh.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_07; classtype:trojan-activity; sid:91267453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wasabi-2.0.7.msi"; depth:17; nocase; http.host; content:"filesclubspot.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"wasabiwallet.is"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"2moneycsasfasfh.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_07; classtype:trojan-activity; sid:91267454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"3moneycsasfasfh.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_07; classtype:trojan-activity; sid:91267455; rev:1;) alert tcp $HOME_NET any -> [45.150.67.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267450; rev:1;) alert tcp $HOME_NET any -> [45.83.31.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267449; rev:1;) alert tcp $HOME_NET any -> [185.173.36.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267448; rev:1;) alert tcp $HOME_NET any -> [79.137.162.53] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267447; rev:1;) alert tcp $HOME_NET any -> [198.46.143.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267446/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267446; rev:1;) alert tcp $HOME_NET any -> [154.198.224.105] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267445; rev:1;) alert tcp $HOME_NET any -> [189.140.17.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267444; rev:1;) alert tcp $HOME_NET any -> [79.107.156.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267443; rev:1;) alert tcp $HOME_NET any -> [75.173.16.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267442; rev:1;) alert tcp $HOME_NET any -> [189.176.230.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267441; rev:1;) alert tcp $HOME_NET any -> [77.124.170.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267440; rev:1;) alert tcp $HOME_NET any -> [86.98.19.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267439; rev:1;) alert tcp $HOME_NET any -> [45.152.85.10] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267438; rev:1;) alert tcp $HOME_NET any -> [107.175.115.199] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267437; rev:1;) alert tcp $HOME_NET any -> [103.151.111.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267436; rev:1;) alert tcp $HOME_NET any -> [85.31.238.253] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267435; rev:1;) alert tcp $HOME_NET any -> 
[143.110.211.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267434; rev:1;) alert tcp $HOME_NET any -> [64.95.13.226] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267433; rev:1;) alert tcp $HOME_NET any -> [38.60.223.86] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267432; rev:1;) alert tcp $HOME_NET any -> [163.181.105.70] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_07; classtype:trojan-activity; sid:91267431; rev:1;) alert tcp $HOME_NET any -> [185.202.173.179] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0947994.xsph.ru"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updateleft.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267418; rev:1;) alert tcp $HOME_NET any -> [194.26.232.43] 20746 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"libidotechnexus.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findyourbackups.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267425; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267426/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"djanic.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_07; classtype:trojan-activity; sid:91267427; rev:1;) alert tcp $HOME_NET any -> [178.73.192.210] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_07; classtype:trojan-activity; sid:91267428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/awzk"; depth:5; nocase; http.host; content:"14.5.161.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267423/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.92.244.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267422; rev:1;) alert tcp $HOME_NET any -> [147.45.47.126] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267421; rev:1;) alert tcp $HOME_NET any -> [196.65.165.110] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267420; rev:1;) alert tcp $HOME_NET any -> [47.116.211.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; 
nocase; http.host; content:"47.116.211.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267415; rev:1;) alert tcp $HOME_NET any -> [47.113.118.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"47.113.118.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267413; rev:1;) alert tcp $HOME_NET any -> [193.149.185.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftsendtime.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/promote/static/xv4splmog"; depth:25; nocase; http.host; content:"www.microsoftsendtime.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267410; rev:1;) alert tcp $HOME_NET any -> [185.196.10.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.196.10.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267408; rev:1;) alert tcp $HOME_NET any -> [147.45.47.126] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267406; rev:1;) alert tcp $HOME_NET any -> [20.100.11.101] 42074 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/tolongpollbasetemporary.php"; depth:28; nocase; http.host; content:"046408cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267404; rev:1;) alert tcp $HOME_NET any -> [193.233.254.16] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267403; rev:1;) alert tcp $HOME_NET any -> [85.208.69.48] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267402; rev:1;) alert tcp $HOME_NET any -> [172.234.250.178] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267401; rev:1;) alert tcp $HOME_NET any -> [49.232.18.28] 65458 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267400; rev:1;) alert tcp $HOME_NET any -> [83.229.122.141] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267399/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267399; rev:1;) alert tcp $HOME_NET any -> [169.255.58.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267398; rev:1;) alert tcp $HOME_NET any -> [148.74.227.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267397; rev:1;) alert tcp $HOME_NET any -> [94.49.41.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267396; rev:1;) alert tcp $HOME_NET any -> [45.121.147.114] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267395; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20038 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267394; rev:1;) alert tcp $HOME_NET any -> [45.152.85.10] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267393; rev:1;) alert tcp $HOME_NET any -> [45.200.8.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267392; rev:1;) alert tcp $HOME_NET any -> [3.109.78.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267391; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 46584 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"few-madrid.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267189; rev:1;) alert tcp $HOME_NET any -> [5.182.211.142] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267190; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"comfortel.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267191/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267191; rev:1;) alert tcp $HOME_NET any -> [94.156.67.241] 47925 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1267192/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.fungoa.kro.kr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267193/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91267193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bola.kumbaraan.biz.id"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1267195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"bola.kumbaraan.biz.id"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"zepwk111.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xmr.r4nd0m.anondns.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xm.centralmarketingkur.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"x3qc.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; 
nocase; http.host; content:"www.x3qc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.trustabletechsupport.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.telefonemusk.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.smartpanel.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.servermethod.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267179/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.rede.tphost.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.paquerasfacilitadas.fun.g10corretora.com.br"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.panitor.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.panel.52jfg.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267175; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.ok.adaklab.ir"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.muiairdrop.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.krypto.itwu.pl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.koldiv.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.kaspersky-secure.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.fortunagamez.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.dontdoxme.space"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.controlpanel29.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.cdnupdateservice.com"; depth:24; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1267166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.blablaminions.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.badtrippaap.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.akunet.host"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.52jfg.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; 
sid:91267162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"vps-zap998573-1.zap-srv.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267161/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"trustabletechsupport.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267160/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"telefonemusk.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"smartpanel.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sh4945832.c.had.su"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"servermethod.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sec-1-min.usevm.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"seanhenning-101.ddns.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; 
content:"satoshisbeck.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"rede.tphost.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"paquerasfacilitadas.fun.g10corretora.com.br"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panitor.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panfsaafcxzelkfsha31523.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267149/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panelyapiinsaat.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"onedrive.cam"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"ok.adaklab.ir"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267146/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"ns3109813.ip-54-36-127.eu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"netmatic.gr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"muiairdrop.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mrzopr.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"monerominer.ddns.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pages/login.php"; depth:16; nocase; http.host; content:"modules.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"miner.sjzh.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.ok.adaklab.ir"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"main-node.incaves.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.52jfg.xyz"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"lozak.site"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"klanox.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"kaspersky-secure.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"fortunagamez.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267132; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"demo.citichoice.ca"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"data.shopvigil.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"controlpanel29.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"cf-protected-l7.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"cdnupdateservice.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"caboshed-rations.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"blablg.site.transip.me"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"blablaminions.online"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"badtrippaap.store"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"aquaop.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"akunet.host"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"54.36.127.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267119; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"52jfg.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"45.9.150.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.125.50.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"176.119.35.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"106.54.200.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"104759689316.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"zepwk111.uk"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"x3qc.com"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"xmr.r4nd0m.anondns.net"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.x3qc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.trustabletechsupport.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.smartpanel.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.servermethod.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267106; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.paquerasfacilitadas.fun.g10corretora.com.br"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.rede.tphost.com.br"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.panitor.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.panel.52jfg.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.ok.adaklab.ir"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267101; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.koldiv.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267100; rev:1;)
# NOTE(review): www.kaspersky-secure.ru is listed here as C2 despite the vendor-looking brand
# string; do not allowlist it on the name alone when tuning this feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"www.kaspersky-secure.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267099; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.controlpanel29.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267097; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; 
content:"www.data.shopvigil.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.badtrippaap.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"www.52jfg.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"vps-zap998573-1.zap-srv.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"trustabletechsupport.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267093/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267093; rev:1;)
# NOTE(review): host anchoring in these rules — content on the http.host buffer with depth equal to
# the host length, followed by isdataat:!1,relative, requires an exact full-length Host match, so
# subdomain variants (the www.* entries elsewhere in this feed) need their own sid.
# The metadata confidence_level 50 mirrors the ThreatFox IoC confidence shown in msg; it is a
# reporter confidence, not a measured rule precision — suited to alerting and hunting rather than
# inline drop.
# Both *.clients.your-server.de names below look like hosting-provider reverse-DNS labels; a client
# normally sends the name it connected by in Host, so these fire only if that name is used
# literally — expect low hit rates rather than false positives (inferred from the name pattern).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.55.253.216.95.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267091; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"striperouter.supelle.co"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267092; rev:1;)
# sid 91267089 (next rule) repeats sid 91267090: same host and URI, separate ThreatFox IoC ids, so
# one matching request raises both alerts. Keep both for reference traceability or suppress one in
# threshold.config.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.254.146.21.65.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267090; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"static.254.146.21.65.clients.your-server.de"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267089/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_06; classtype:trojan-activity; sid:91267089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"servermethod.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"sh4945832.c.had.su"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"rustbakingtable.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"rede.tphost.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"paquerasfacilitadas.fun.g10corretora.com.br"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"panitor.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panel.52jfg.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"panfsaafcxzelkfsha31523.xyz"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; 
depth:16; nocase; http.host; content:"ok.adaklab.ir"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267080; rev:1;)
# NOTE(review): ns3109813.ip-54-36-127.eu looks like a provider reverse-DNS name in 54.36.127.0/24,
# the range of 54.36.127.183 that sids 91267119 and 91267050 in this feed match by IP — verify
# against the ThreatFox entries before correlating them as one infrastructure set.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"ns3109813.ip-54-36-127.eu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267079; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"netmatic.gr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267077; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"newstroczvmonmy3ne1w.su"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267078; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"muiairdrop.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267076/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267076; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"minernumberone.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"minerchenzhi888.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_07_02; classtype:trojan-activity; sid:91267074; rev:1;)
# sid 91267073 (second rule below) duplicates sid 91267072: same host and URI under separate
# ThreatFox IoC ids, so a single matching request raises two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mainnet-rpc.rupayx.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267072/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mainnet-rpc.rupayx.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267073; rev:1;)
alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"main-node.incaves.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267071/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.52jfg.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267069/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"mail.ok.adaklab.ir"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267070/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"klanox.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"lavender-leopard-40929.zap.cloud"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk013.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"kaspersky-secure.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk006.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"jk005.xyz"; depth:9; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"data.shopvigil.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"device-679f12e8-5521-4674-9797-cc5c04ee4213.remotewd.com"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"controlpanel29.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"caboshed-rations.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267058/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_05_06; classtype:trojan-activity; sid:91267058; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"cf-protected-l7.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267059; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"aquaop.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267057; rev:1;)
# sids 91267056 and 91267055 (next two rules) differ only in sid/reference, and the same host and
# URI is already covered by sid 91267120 earlier in this feed — three alerts per matching request
# unless two are suppressed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267056; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"82.66.185.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267055; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"70.225.125.34.bc.googleusercontent.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267054; rev:1;)
# NOTE(review): 70.225.125.34.bc.googleusercontent.com (above) and 66.78.40.230.kyun.network
# (below) read like provider reverse-DNS names; they match only if the malware sends that name
# literally in Host, so expect a low hit rate rather than false positives.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"66.78.40.230.kyun.network"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267053; rev:1;)
# 65.21.146.254.sslip.io: sslip.io is a public wildcard-DNS service that resolves a name to the IP
# embedded in it, so this is effectively an IP indicator keyed on the Host string. sids 91267052 and
# 91267051 (next two rules) are duplicates of each other — one request, two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"65.21.146.254.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267052; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"65.21.146.254.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267051; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; 
depth:10; nocase; http.host; content:"54.36.127.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"52jfg.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"51.195.211.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"31.27.151.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"34.125.225.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267047/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.125.50.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.112.147.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"176.119.35.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"172-104-103-158.ip.linodeusercontent.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"16.171.137.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"144920-1-76bedd-01.services.oktawave.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"116.204.132.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"107.175.202.158"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"112.78.3.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"106.54.200.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"103.106.189.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"102.50.247.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91267034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"whitedesk.cow-procyon.ts.net"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1267033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"nocomp.freeboxos.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"mythic.pcfindercentral.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"m.agorasecurity.it"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"ip14.ip-51-254-53.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267029; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"data.iexcom.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"c2.rmrf.one"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"95.217.6.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"95.164.19.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"83.244.163.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"82.97.251.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"82.65.203.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"78.47.48.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"64.23.196.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267020/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"64.23.155.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"62.210.188.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"61.162.223.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"54.168.147.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"51.254.53.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"45.95.174.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"45.137.118.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"3.146.206.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; 
http.host; content:"217.12.200.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"193.201.126.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"188.166.153.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"185.16.43.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"178.128.92.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267007/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_06; classtype:trojan-activity; sid:91267007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"165.227.90.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"158.160.71.51"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"154.38.167.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"149.248.21.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"149.104.26.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"139.144.117.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"138.197.156.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1267000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91267000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"137.184.39.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"134.209.171.201"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"129.226.154.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"104.37.190.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"104.156.255.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/login"; depth:10; nocase; http.host; content:"c2.rmrf.one"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; 
sid:91266994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"thecookoutcaterer.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxu.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxq.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxu.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxq.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266984/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/9adbbdfd-2661-43e4-8280-7f9a9698f912"; depth:41; nocase; http.host; content:"trxh.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"veronicabal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"veronicabal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/10924410-23ef-465e-a794-c614640e2bf2"; depth:41; nocase; http.host; content:"iicc.fun"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up/b"; depth:5; nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujs/8921e7ad-5b9e-4fca-97e6-c631b2636cc9"; depth:41; nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/up"; depth:3; 
nocase; http.host; content:"dervinko.biz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621302269"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621451974"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199609719039"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dervinko.biz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; 
classtype:trojan-activity; sid:91266966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iicc.fun"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veronicabal.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxh.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxq.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trxu.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266971; rev:1;) alert tcp $HOME_NET any -> [47.237.82.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"91.92.244.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266960; rev:1;) alert tcp $HOME_NET any -> [134.122.130.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266959; rev:1;) alert tcp $HOME_NET any -> [185.29.10.215] 15548 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266958; rev:1;) alert tcp $HOME_NET any -> [87.121.105.244] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"42.140.200.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266953/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_06; classtype:trojan-activity; sid:91266953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poopy.aarkhipov.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"poopy.aarkhipov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comm.sells-it.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coms.sells-it.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1266947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comss.sells-it.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comas.sells-it.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nerakar.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266945; rev:1;) alert tcp $HOME_NET any -> [121.43.146.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/crush/v10.60/u23vvqgxfwvv"; depth:26; nocase; http.host; content:"121.43.146.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266943/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"14.5.161.232"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mybackups.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266902; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266849/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266849; rev:1;) alert tcp $HOME_NET any -> [95.164.89.184] 41653 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eastcoastrest.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266848/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; 
classtype:trojan-activity; sid:91266848; rev:1;) alert tcp $HOME_NET any -> [158.160.8.110] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266846; rev:1;) alert tcp $HOME_NET any -> [198.144.229.143] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266847; rev:1;) alert tcp $HOME_NET any -> [193.124.22.107] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.60.182.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266941; rev:1;) alert tcp $HOME_NET any -> [43.143.121.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.143.121.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"141.164.52.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266937; rev:1;) alert tcp $HOME_NET any -> [141.164.52.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.72.36.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.72.47.106"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1266935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"147.135.211.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.60.182.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266933; rev:1;) alert tcp $HOME_NET any -> [45.126.209.49] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266930; rev:1;) alert tcp $HOME_NET any -> [45.126.209.67] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266931; rev:1;) alert tcp $HOME_NET any -> [45.126.209.70] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266932/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266932; rev:1;) alert tcp $HOME_NET any -> [4.233.217.192] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.152.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266926; rev:1;) alert tcp $HOME_NET any -> [23.88.46.51] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266927; rev:1;) alert tcp $HOME_NET any -> [65.108.152.56] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.46.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266925/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_06; classtype:trojan-activity; sid:91266925; rev:1;) alert tcp $HOME_NET any -> [105.101.132.10] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cycxnhe5-1302650299.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266923; rev:1;) alert tcp $HOME_NET any -> [38.6.177.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266922; rev:1;) alert tcp $HOME_NET any -> [172.247.123.87] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftsoftwave.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"azure.microsoftsoftwave.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.slim.min.js"; depth:25; nocase; http.host; content:"azure.microsoftsoftwave.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266918; rev:1;) alert tcp $HOME_NET any -> [154.198.245.62] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266917; rev:1;) alert tcp $HOME_NET any -> [124.70.102.58] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266916; rev:1;) alert tcp $HOME_NET any -> [64.188.26.202] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_06; classtype:trojan-activity; sid:91266915; rev:1;) alert tcp $HOME_NET any -> [121.40.146.236] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.220.21.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266913; rev:1;) alert tcp $HOME_NET any -> [124.220.21.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266912; rev:1;) alert tcp $HOME_NET any -> [43.140.200.250] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266911; rev:1;) alert tcp $HOME_NET any -> [86.104.74.31] 9981 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266910; rev:1;) alert tcp $HOME_NET any -> [23.224.233.76] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266909/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266909; rev:1;) alert tcp $HOME_NET any -> [66.42.49.63] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266908; rev:1;) alert tcp $HOME_NET any -> [41.97.25.181] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266907; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20048 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266906; rev:1;) alert tcp $HOME_NET any -> [36.150.240.37] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266905; rev:1;) alert tcp $HOME_NET any -> [111.6.178.72] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_06; classtype:trojan-activity; sid:91266904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"144.48.9.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c035a2f2.php"; depth:13; nocase; http.host; content:"a0951158.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cf5cbdf706840b3f.php"; depth:21; nocase; http.host; content:"okkolus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_06; classtype:trojan-activity; sid:91266900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cn80908.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmpipepollpacketgamedatalifepublic.php"; depth:47; nocase; http.host; 
content:"937039cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266864; rev:1;) alert tcp $HOME_NET any -> [45.150.67.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266862; rev:1;) alert tcp $HOME_NET any -> [104.236.199.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266861; rev:1;) alert tcp $HOME_NET any -> [154.88.23.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266860; rev:1;) alert tcp $HOME_NET any -> [47.109.29.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266859; rev:1;) alert tcp $HOME_NET any -> [65.20.85.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; 
sid:91266858; rev:1;) alert tcp $HOME_NET any -> [149.109.132.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266857; rev:1;) alert tcp $HOME_NET any -> [197.87.143.78] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266856; rev:1;) alert tcp $HOME_NET any -> [86.166.47.91] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266855; rev:1;) alert tcp $HOME_NET any -> [155.138.128.220] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266854; rev:1;) alert tcp $HOME_NET any -> [20.93.16.228] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266853; rev:1;) alert tcp $HOME_NET any -> [99.83.229.219] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266851/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266851; rev:1;) alert tcp $HOME_NET any -> [111.31.37.38] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266850/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266850; rev:1;) alert tcp $HOME_NET any -> [94.156.67.181] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266843; rev:1;) alert tcp $HOME_NET any -> [216.238.88.174] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266844; rev:1;) alert tcp $HOME_NET any -> [5.42.96.3] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266845; rev:1;) alert tcp $HOME_NET any -> [146.59.3.38] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266842; rev:1;) alert tcp $HOME_NET any -> [94.156.68.142] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"94.156.68.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"123.57.59.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266839; rev:1;) alert tcp $HOME_NET any -> [167.71.242.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266836; rev:1;) alert tcp $HOME_NET any -> [80.87.206.203] 8956 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jilkqypt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jivmzylf.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kipxfuvz.top"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1266819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"bluzgipx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zwolkrip.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zyrmjuxp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fqunpluz.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266824/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266824; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zixpjovr.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qyrlzymp.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet2.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet.com.tr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet3.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet4.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet5.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet6.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet7.com.tr"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ngi0mwewzji4zgq2/"; depth:18; nocase; http.host; content:"rabaffet8.com.tr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"ploxqenj.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kuplzavn.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fruzjenk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; 
classtype:trojan-activity; sid:91266816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"zyptqalv.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266812/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fwizjexy.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266813/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"plimqylx.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"klurjorp.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266811/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"gufxdixt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"jiqkkuzn.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266808/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fpyxzorv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266807/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"qwipblom.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_05; classtype:trojan-activity; sid:91266809; rev:1;) alert tcp $HOME_NET any -> [209.25.141.212] 32243 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266758/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"july-pty.at.ply.gg"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266759; rev:1;) alert tcp $HOME_NET any -> [45.146.234.130] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/category/research-2/"; depth:21; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hubcap/mayo-clinic-radio-full-shows/"; depth:37; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; 
http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266799/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_05; classtype:trojan-activity; sid:91266799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eve.now-dns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linux-treatment.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266796; rev:1;) alert tcp $HOME_NET any -> [84.46.255.42] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266795; rev:1;) alert tcp $HOME_NET any -> [38.6.193.7] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266794; rev:1;) 
alert tcp $HOME_NET any -> [45.125.67.207] 50070 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266793; rev:1;) alert tcp $HOME_NET any -> [45.61.141.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266791; rev:1;) alert tcp $HOME_NET any -> [45.61.141.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266792; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 15443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266788; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 23142 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266789; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 51200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266790; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266785; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 5222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266786; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 8636 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266787; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 49501 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266778; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 6007 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266779; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 8081 (msg:"ThreatFox 
Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266780; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266781; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 6540 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266782; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 8159 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266783; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 51269 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266784; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 22206 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266769/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266769; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 44770 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266770; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266771; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 30827 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266772; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 33786 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266773; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 88 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266774; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 939 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266775; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 8545 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266776; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 25616 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266777; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 28888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266760; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 38519 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266761; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 2762 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266762; rev:1;) 
alert tcp $HOME_NET any -> [176.241.64.239] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266763; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 45835 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266764; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 50995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266765; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 51601 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266766; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 52200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266767; rev:1;) alert tcp $HOME_NET any -> [176.241.64.239] 831 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266768; rev:1;) alert tcp $HOME_NET any -> [193.123.61.173] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266757; rev:1;) alert tcp $HOME_NET any -> [192.121.102.103] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266756; rev:1;) alert tcp $HOME_NET any -> [145.220.74.183] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266755; rev:1;) alert tcp $HOME_NET any -> [45.86.162.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266753; rev:1;) alert tcp $HOME_NET any -> [45.86.162.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollgeodatalifepublic.php"; depth:26; nocase; http.host; content:"630004cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/longpollprivateasync/1testdump/traffic/flowerserverbase/test/trafficwordpressdatalifedlelocalprivatecdnuploadsdownloads.php"; depth:131; nocase; http.host; content:"147.45.44.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266751; rev:1;) alert tcp $HOME_NET any -> [23.226.54.31] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.237.65.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266749; rev:1;) alert tcp $HOME_NET any -> [47.237.65.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1266748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"110.41.21.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266747; rev:1;) alert tcp $HOME_NET any -> [110.41.21.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266746; rev:1;) alert tcp $HOME_NET any -> [101.35.250.49] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266745; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 14964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266706; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; 
classtype:trojan-activity; sid:91266707; rev:1;) alert tcp $HOME_NET any -> [82.197.93.75] 19851 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_05; classtype:trojan-activity; sid:91266735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"custom-packaging-products.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266737/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_05; classtype:trojan-activity; sid:91266737; rev:1;) alert tcp $HOME_NET any -> [95.216.210.70] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266744; rev:1;) alert tcp $HOME_NET any -> [80.253.246.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266743; rev:1;) alert tcp $HOME_NET any -> [154.204.57.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266742; rev:1;) alert tcp $HOME_NET any -> [41.99.250.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266741; rev:1;) alert tcp $HOME_NET any -> [197.86.195.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266740; rev:1;) alert tcp $HOME_NET any -> [80.210.56.248] 587 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266739; rev:1;) alert tcp $HOME_NET any -> [36.147.2.78] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_05; classtype:trojan-activity; sid:91266738; rev:1;) alert tcp $HOME_NET any -> [45.8.145.158] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266734/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266734; rev:1;) alert tcp $HOME_NET any -> [80.76.49.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266733/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266733; rev:1;) alert tcp $HOME_NET any -> [193.233.132.91] 
8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266732/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266732; rev:1;) alert tcp $HOME_NET any -> [54.37.74.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266731/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266731; rev:1;) alert tcp $HOME_NET any -> [8.218.163.207] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266730; rev:1;) alert tcp $HOME_NET any -> [138.124.180.93] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iopsmxt.a3x"; depth:12; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/test.txt"; depth:9; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pqkizk.exe"; depth:11; nocase; http.host; content:"45.154.98.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/yreuit.a3x"; depth:17; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/test.txt"; depth:15; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r-ops/ncvui.exe"; depth:16; nocase; http.host; content:"194.26.192.57"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266723/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266723; rev:1;) alert tcp $HOME_NET any -> [1.34.91.90] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266722; rev:1;) alert tcp $HOME_NET any -> [167.179.81.150] 800 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266721/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_04; classtype:trojan-activity; sid:91266721; rev:1;) alert tcp $HOME_NET any -> [91.92.245.171] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266720; rev:1;) alert tcp $HOME_NET any -> [104.248.7.62] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266719; rev:1;) alert tcp $HOME_NET any -> [46.246.6.5] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266718; rev:1;) alert tcp $HOME_NET any -> [187.170.72.64] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266717; rev:1;) alert tcp $HOME_NET any -> [41.99.71.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266716; rev:1;) alert tcp $HOME_NET any -> [52.51.249.79] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266715; rev:1;) alert tcp $HOME_NET any -> [121.127.33.246] 38442 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266714; rev:1;) alert tcp $HOME_NET any -> [91.210.107.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266713; rev:1;) alert tcp $HOME_NET any -> [5.104.80.155] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266712; rev:1;) alert tcp $HOME_NET any -> 
[182.176.35.160] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266711; rev:1;) alert tcp $HOME_NET any -> [121.36.16.229] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266710; rev:1;) alert tcp $HOME_NET any -> [185.209.31.28] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266709; rev:1;) alert tcp $HOME_NET any -> [185.209.31.28] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266708; rev:1;) alert tcp $HOME_NET any -> [93.123.85.120] 1312 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266202/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chatgpt-app.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266214/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/reactivate/encryption/lkpfsfmbp"; depth:32; nocase; http.host; content:"106.54.41.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"84.46.255.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"113.125.18.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"113.125.18.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266507; rev:1;) alert tcp $HOME_NET any -> [45.88.90.29] 80 (msg:"ThreatFox ERMAC 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11836452.php"; depth:13; nocase; http.host; content:"a0949002.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266505; rev:1;) alert tcp $HOME_NET any -> [80.76.49.6] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266504; rev:1;) alert tcp $HOME_NET any -> [85.209.133.240] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266503; rev:1;) alert tcp $HOME_NET any -> [187.135.83.41] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266501; rev:1;) alert tcp $HOME_NET any -> [187.135.83.41] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266502; rev:1;) alert tcp $HOME_NET any -> [187.135.83.41] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266498; rev:1;) alert tcp $HOME_NET any -> [187.135.83.41] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266499; rev:1;) alert tcp $HOME_NET any -> [187.135.83.41] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266500; rev:1;) alert tcp $HOME_NET any -> [105.102.94.27] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266497; rev:1;) alert tcp $HOME_NET any -> [105.101.125.80] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266496; rev:1;) alert tcp $HOME_NET any -> [118.68.145.50] 9000 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266495; rev:1;) alert tcp $HOME_NET any -> [45.145.43.183] 9955 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266494; rev:1;) alert tcp $HOME_NET any -> [42.119.107.175] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266493; rev:1;) alert tcp $HOME_NET any -> [202.188.41.179] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266492; rev:1;) alert tcp $HOME_NET any -> [191.82.192.124] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266491; rev:1;) alert tcp $HOME_NET any -> [181.162.177.31] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266490/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_04; classtype:trojan-activity; sid:91266490; rev:1;) alert tcp $HOME_NET any -> [181.162.143.146] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266489; rev:1;) alert tcp $HOME_NET any -> [177.68.45.3] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266488; rev:1;) alert tcp $HOME_NET any -> [45.125.44.78] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266487; rev:1;) alert tcp $HOME_NET any -> [101.43.49.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266486; rev:1;) alert tcp $HOME_NET any -> [65.109.22.155] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266485; rev:1;) alert tcp $HOME_NET any -> [137.175.123.61] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1266480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266480; rev:1;) alert tcp $HOME_NET any -> [137.175.123.62] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266481; rev:1;) alert tcp $HOME_NET any -> [137.175.123.63] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266482; rev:1;) alert tcp $HOME_NET any -> [137.175.123.64] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266483; rev:1;) alert tcp $HOME_NET any -> [137.175.123.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266484; rev:1;) alert tcp $HOME_NET any -> [137.175.77.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266472; rev:1;) alert tcp $HOME_NET any -> [137.175.77.119] 8848 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266473; rev:1;) alert tcp $HOME_NET any -> [137.175.77.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266474; rev:1;) alert tcp $HOME_NET any -> [137.175.77.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266475; rev:1;) alert tcp $HOME_NET any -> [137.175.77.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266476; rev:1;) alert tcp $HOME_NET any -> [137.175.77.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266477; rev:1;) alert tcp $HOME_NET any -> [137.175.77.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; 
classtype:trojan-activity; sid:91266478; rev:1;) alert tcp $HOME_NET any -> [137.175.77.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266479; rev:1;) alert tcp $HOME_NET any -> [137.175.77.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266465; rev:1;) alert tcp $HOME_NET any -> [137.175.77.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266466; rev:1;) alert tcp $HOME_NET any -> [137.175.77.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266467; rev:1;) alert tcp $HOME_NET any -> [137.175.77.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266468; rev:1;) alert tcp $HOME_NET any -> [137.175.77.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1266469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266469; rev:1;) alert tcp $HOME_NET any -> [137.175.77.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266470; rev:1;) alert tcp $HOME_NET any -> [137.175.77.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266471; rev:1;) alert tcp $HOME_NET any -> [137.175.77.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266457; rev:1;) alert tcp $HOME_NET any -> [137.175.77.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266458; rev:1;) alert tcp $HOME_NET any -> [137.175.77.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266459; rev:1;) alert tcp $HOME_NET any -> [137.175.77.106] 8848 (msg:"ThreatFox DCRat botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266460; rev:1;) alert tcp $HOME_NET any -> [137.175.77.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266461; rev:1;) alert tcp $HOME_NET any -> [137.175.77.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266462; rev:1;) alert tcp $HOME_NET any -> [137.175.77.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266463; rev:1;) alert tcp $HOME_NET any -> [137.175.77.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266464; rev:1;) alert tcp $HOME_NET any -> [137.175.77.95] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; 
classtype:trojan-activity; sid:91266449; rev:1;) alert tcp $HOME_NET any -> [137.175.77.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266450; rev:1;) alert tcp $HOME_NET any -> [137.175.77.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266451; rev:1;) alert tcp $HOME_NET any -> [137.175.77.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266452; rev:1;) alert tcp $HOME_NET any -> [137.175.77.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266453; rev:1;) alert tcp $HOME_NET any -> [137.175.77.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266454; rev:1;) alert tcp $HOME_NET any -> [137.175.77.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266455; rev:1;) alert tcp $HOME_NET any -> [137.175.77.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266456; rev:1;) alert tcp $HOME_NET any -> [137.175.77.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266440; rev:1;) alert tcp $HOME_NET any -> [137.175.77.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266441; rev:1;) alert tcp $HOME_NET any -> [137.175.77.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266442; rev:1;) alert tcp $HOME_NET any -> [137.175.77.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266443; rev:1;) alert tcp $HOME_NET any -> [137.175.77.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266444; rev:1;) alert tcp $HOME_NET any -> [137.175.77.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266445; rev:1;) alert tcp $HOME_NET any -> [137.175.77.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266446; rev:1;) alert tcp $HOME_NET any -> [137.175.77.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266447; rev:1;) alert tcp $HOME_NET any -> [137.175.77.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266448; rev:1;) alert tcp $HOME_NET any -> [137.175.77.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266431; 
rev:1;) alert tcp $HOME_NET any -> [137.175.77.77] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266432; rev:1;) alert tcp $HOME_NET any -> [137.175.77.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266433; rev:1;) alert tcp $HOME_NET any -> [137.175.77.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266434; rev:1;) alert tcp $HOME_NET any -> [137.175.77.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266435; rev:1;) alert tcp $HOME_NET any -> [137.175.77.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266436; rev:1;) alert tcp $HOME_NET any -> [137.175.77.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266437/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266437; rev:1;) alert tcp $HOME_NET any -> [137.175.77.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266438; rev:1;) alert tcp $HOME_NET any -> [137.175.77.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266439; rev:1;) alert tcp $HOME_NET any -> [137.175.77.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266422; rev:1;) alert tcp $HOME_NET any -> [137.175.77.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266423; rev:1;) alert tcp $HOME_NET any -> [137.175.77.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266424; rev:1;) alert tcp $HOME_NET any -> [137.175.77.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266425; rev:1;) alert tcp $HOME_NET any -> [137.175.77.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266426; rev:1;) alert tcp $HOME_NET any -> [137.175.77.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266427; rev:1;) alert tcp $HOME_NET any -> [137.175.77.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266428; rev:1;) alert tcp $HOME_NET any -> [137.175.77.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266429; rev:1;) alert tcp $HOME_NET any -> [137.175.77.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266430; rev:1;) alert tcp $HOME_NET any 
-> [137.175.73.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266415; rev:1;) alert tcp $HOME_NET any -> [137.175.73.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266416; rev:1;) alert tcp $HOME_NET any -> [137.175.73.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266417; rev:1;) alert tcp $HOME_NET any -> [137.175.73.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266418; rev:1;) alert tcp $HOME_NET any -> [137.175.73.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266419; rev:1;) alert tcp $HOME_NET any -> [137.175.77.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266420/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266420; rev:1;) alert tcp $HOME_NET any -> [137.175.77.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266421; rev:1;) alert tcp $HOME_NET any -> [137.175.73.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266407; rev:1;) alert tcp $HOME_NET any -> [137.175.73.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266408; rev:1;) alert tcp $HOME_NET any -> [137.175.73.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266409; rev:1;) alert tcp $HOME_NET any -> [137.175.73.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266410; rev:1;) alert tcp $HOME_NET any -> [137.175.73.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266411; rev:1;) alert tcp $HOME_NET any -> [137.175.73.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266412; rev:1;) alert tcp $HOME_NET any -> [137.175.73.119] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266413; rev:1;) alert tcp $HOME_NET any -> [137.175.73.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266414; rev:1;) alert tcp $HOME_NET any -> [137.175.73.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266400; rev:1;) alert tcp $HOME_NET any -> [137.175.73.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266401; rev:1;) alert tcp $HOME_NET any -> 
[137.175.73.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266402; rev:1;) alert tcp $HOME_NET any -> [137.175.73.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266403; rev:1;) alert tcp $HOME_NET any -> [137.175.73.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266404; rev:1;) alert tcp $HOME_NET any -> [137.175.73.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266405; rev:1;) alert tcp $HOME_NET any -> [137.175.73.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266406; rev:1;) alert tcp $HOME_NET any -> [137.175.73.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266393/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266393; rev:1;) alert tcp $HOME_NET any -> [137.175.73.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266394; rev:1;) alert tcp $HOME_NET any -> [137.175.73.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266395; rev:1;) alert tcp $HOME_NET any -> [137.175.73.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266396; rev:1;) alert tcp $HOME_NET any -> [137.175.73.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266397; rev:1;) alert tcp $HOME_NET any -> [137.175.73.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266398; rev:1;) alert tcp $HOME_NET any -> [137.175.73.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266399; rev:1;) alert tcp $HOME_NET any -> [137.175.73.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266384; rev:1;) alert tcp $HOME_NET any -> [137.175.73.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266385; rev:1;) alert tcp $HOME_NET any -> [137.175.73.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266386; rev:1;) alert tcp $HOME_NET any -> [137.175.73.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266387; rev:1;) alert tcp $HOME_NET any -> [137.175.73.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266388; rev:1;) alert tcp $HOME_NET any -> [137.175.73.95] 8848 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266389; rev:1;) alert tcp $HOME_NET any -> [137.175.73.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266390; rev:1;) alert tcp $HOME_NET any -> [137.175.73.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266391; rev:1;) alert tcp $HOME_NET any -> [137.175.73.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266392; rev:1;) alert tcp $HOME_NET any -> [137.175.73.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266375; rev:1;) alert tcp $HOME_NET any -> [137.175.73.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266376/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_04; classtype:trojan-activity; sid:91266376; rev:1;) alert tcp $HOME_NET any -> [137.175.73.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266377; rev:1;) alert tcp $HOME_NET any -> [137.175.73.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266378; rev:1;) alert tcp $HOME_NET any -> [137.175.73.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266379; rev:1;) alert tcp $HOME_NET any -> [137.175.73.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266380; rev:1;) alert tcp $HOME_NET any -> [137.175.73.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266381; rev:1;) alert tcp $HOME_NET any -> [137.175.73.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1266382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266382; rev:1;) alert tcp $HOME_NET any -> [137.175.73.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266383; rev:1;) alert tcp $HOME_NET any -> [137.175.73.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266367; rev:1;) alert tcp $HOME_NET any -> [137.175.73.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266368; rev:1;) alert tcp $HOME_NET any -> [137.175.73.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266369; rev:1;) alert tcp $HOME_NET any -> [137.175.73.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266370; rev:1;) alert tcp $HOME_NET any -> [137.175.73.77] 8848 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266371; rev:1;) alert tcp $HOME_NET any -> [137.175.73.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266372; rev:1;) alert tcp $HOME_NET any -> [137.175.73.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266373; rev:1;) alert tcp $HOME_NET any -> [137.175.73.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266374; rev:1;) alert tcp $HOME_NET any -> [137.175.70.125] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266358; rev:1;) alert tcp $HOME_NET any -> [137.175.73.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266359; rev:1;) alert tcp $HOME_NET any -> [137.175.73.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266360; rev:1;) alert tcp $HOME_NET any -> [137.175.73.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266361; rev:1;) alert tcp $HOME_NET any -> [137.175.73.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266362; rev:1;) alert tcp $HOME_NET any -> [137.175.73.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266363; rev:1;) alert tcp $HOME_NET any -> [137.175.73.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266364; rev:1;) alert tcp $HOME_NET any -> [137.175.73.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266365; rev:1;) alert tcp $HOME_NET any -> [137.175.73.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266366; rev:1;) alert tcp $HOME_NET any -> [137.175.70.117] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266350; rev:1;) alert tcp $HOME_NET any -> [137.175.70.118] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266351; rev:1;) alert tcp $HOME_NET any -> [137.175.70.119] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266352; rev:1;) alert tcp $HOME_NET any -> [137.175.70.120] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266353; rev:1;) alert tcp $HOME_NET any -> [137.175.70.121] 8848 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266354; rev:1;) alert tcp $HOME_NET any -> [137.175.70.122] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266355; rev:1;) alert tcp $HOME_NET any -> [137.175.70.123] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266356; rev:1;) alert tcp $HOME_NET any -> [137.175.70.124] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266357; rev:1;) alert tcp $HOME_NET any -> [137.175.70.111] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266344; rev:1;) alert tcp $HOME_NET any -> [137.175.70.112] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266345; rev:1;) alert tcp $HOME_NET any -> [137.175.70.113] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266346; rev:1;) alert tcp $HOME_NET any -> [137.175.70.114] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266347; rev:1;) alert tcp $HOME_NET any -> [137.175.70.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266348; rev:1;) alert tcp $HOME_NET any -> [137.175.70.116] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266349; rev:1;) alert tcp $HOME_NET any -> [137.175.70.104] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266337; rev:1;) alert tcp $HOME_NET any -> [137.175.70.105] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266338; rev:1;) alert tcp $HOME_NET any -> [137.175.70.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266339; rev:1;) alert tcp $HOME_NET any -> [137.175.70.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266340; rev:1;) alert tcp $HOME_NET any -> [137.175.70.108] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266341; rev:1;) alert tcp $HOME_NET any -> [137.175.70.109] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266342; rev:1;) alert tcp $HOME_NET any -> [137.175.70.110] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266343; rev:1;) alert tcp $HOME_NET any -> [137.175.70.95] 8848 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266328; rev:1;) alert tcp $HOME_NET any -> [137.175.70.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266329; rev:1;) alert tcp $HOME_NET any -> [137.175.70.97] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266330; rev:1;) alert tcp $HOME_NET any -> [137.175.70.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266331; rev:1;) alert tcp $HOME_NET any -> [137.175.70.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266332; rev:1;) alert tcp $HOME_NET any -> [137.175.70.100] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266333; rev:1;) alert tcp $HOME_NET any -> [137.175.70.101] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266334; rev:1;) alert tcp $HOME_NET any -> [137.175.70.102] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266335; rev:1;) alert tcp $HOME_NET any -> [137.175.70.103] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266336; rev:1;) alert tcp $HOME_NET any -> [137.175.70.87] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266320; rev:1;) alert tcp $HOME_NET any -> [137.175.70.88] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266321; rev:1;) alert tcp $HOME_NET any -> [137.175.70.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1266322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266322; rev:1;) alert tcp $HOME_NET any -> [137.175.70.90] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266323; rev:1;) alert tcp $HOME_NET any -> [137.175.70.91] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266324; rev:1;) alert tcp $HOME_NET any -> [137.175.70.92] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266325; rev:1;) alert tcp $HOME_NET any -> [137.175.70.93] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266326; rev:1;) alert tcp $HOME_NET any -> [137.175.70.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266327; rev:1;) alert tcp $HOME_NET any -> [137.175.70.78] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266311; rev:1;) alert tcp $HOME_NET any -> [137.175.70.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266312; rev:1;) alert tcp $HOME_NET any -> [137.175.70.80] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266313; rev:1;) alert tcp $HOME_NET any -> [137.175.70.81] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266314; rev:1;) alert tcp $HOME_NET any -> [137.175.70.82] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266315; rev:1;) alert tcp $HOME_NET any -> [137.175.70.83] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266316; 
rev:1;) alert tcp $HOME_NET any -> [137.175.70.84] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266317; rev:1;) alert tcp $HOME_NET any -> [137.175.70.85] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266318; rev:1;) alert tcp $HOME_NET any -> [137.175.70.86] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266319; rev:1;) alert tcp $HOME_NET any -> [137.175.70.69] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266302; rev:1;) alert tcp $HOME_NET any -> [137.175.70.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266303; rev:1;) alert tcp $HOME_NET any -> [137.175.70.71] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266304/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266304; rev:1;) alert tcp $HOME_NET any -> [137.175.70.72] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266305; rev:1;) alert tcp $HOME_NET any -> [137.175.70.73] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266306; rev:1;) alert tcp $HOME_NET any -> [137.175.70.74] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266307; rev:1;) alert tcp $HOME_NET any -> [137.175.70.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266308; rev:1;) alert tcp $HOME_NET any -> [137.175.70.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266309; rev:1;) alert tcp $HOME_NET any -> [137.175.70.77] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266310; rev:1;) alert tcp $HOME_NET any -> [137.175.68.250] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266294; rev:1;) alert tcp $HOME_NET any -> [137.175.68.251] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266295; rev:1;) alert tcp $HOME_NET any -> [137.175.68.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266296; rev:1;) alert tcp $HOME_NET any -> [137.175.68.253] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266297; rev:1;) alert tcp $HOME_NET any -> [137.175.70.65] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266298; rev:1;) alert tcp $HOME_NET 
any -> [137.175.70.66] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266299; rev:1;) alert tcp $HOME_NET any -> [137.175.70.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266300; rev:1;) alert tcp $HOME_NET any -> [137.175.70.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266301; rev:1;) alert tcp $HOME_NET any -> [137.175.68.243] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266287; rev:1;) alert tcp $HOME_NET any -> [137.175.68.244] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266288; rev:1;) alert tcp $HOME_NET any -> [137.175.68.245] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266289/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266289; rev:1;) alert tcp $HOME_NET any -> [137.175.68.246] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266290; rev:1;) alert tcp $HOME_NET any -> [137.175.68.247] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266291; rev:1;) alert tcp $HOME_NET any -> [137.175.68.248] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266292; rev:1;) alert tcp $HOME_NET any -> [137.175.68.249] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266293; rev:1;) alert tcp $HOME_NET any -> [137.175.68.235] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266279; rev:1;) alert tcp $HOME_NET any -> [137.175.68.236] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266280; rev:1;) alert tcp $HOME_NET any -> [137.175.68.237] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266281; rev:1;) alert tcp $HOME_NET any -> [137.175.68.238] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266282; rev:1;) alert tcp $HOME_NET any -> [137.175.68.239] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266283; rev:1;) alert tcp $HOME_NET any -> [137.175.68.240] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266284; rev:1;) alert tcp $HOME_NET any -> [137.175.68.241] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266285; rev:1;) alert tcp $HOME_NET any -> 
[137.175.68.242] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266286; rev:1;) alert tcp $HOME_NET any -> [137.175.68.232] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266276; rev:1;) alert tcp $HOME_NET any -> [137.175.68.233] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266277; rev:1;) alert tcp $HOME_NET any -> [137.175.68.234] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266278; rev:1;) alert tcp $HOME_NET any -> [137.175.68.225] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266269; rev:1;) alert tcp $HOME_NET any -> [137.175.68.226] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266270/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266270; rev:1;) alert tcp $HOME_NET any -> [137.175.68.227] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266271; rev:1;) alert tcp $HOME_NET any -> [137.175.68.228] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266272; rev:1;) alert tcp $HOME_NET any -> [137.175.68.229] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266273; rev:1;) alert tcp $HOME_NET any -> [137.175.68.230] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266274; rev:1;) alert tcp $HOME_NET any -> [137.175.68.231] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266275; rev:1;) alert tcp $HOME_NET any -> [137.175.68.218] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266262; rev:1;) alert tcp $HOME_NET any -> [137.175.68.219] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266263; rev:1;) alert tcp $HOME_NET any -> [137.175.68.220] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266264; rev:1;) alert tcp $HOME_NET any -> [137.175.68.221] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266265; rev:1;) alert tcp $HOME_NET any -> [137.175.68.222] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266266; rev:1;) alert tcp $HOME_NET any -> [137.175.68.223] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266267; rev:1;) alert tcp $HOME_NET any -> 
[137.175.68.224] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266268; rev:1;) alert tcp $HOME_NET any -> [137.175.68.210] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266254; rev:1;) alert tcp $HOME_NET any -> [137.175.68.211] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266255; rev:1;) alert tcp $HOME_NET any -> [137.175.68.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266256; rev:1;) alert tcp $HOME_NET any -> [137.175.68.213] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266257; rev:1;) alert tcp $HOME_NET any -> [137.175.68.214] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266258/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266258; rev:1;) alert tcp $HOME_NET any -> [137.175.68.215] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266259; rev:1;) alert tcp $HOME_NET any -> [137.175.68.216] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266260; rev:1;) alert tcp $HOME_NET any -> [137.175.68.217] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266261; rev:1;) alert tcp $HOME_NET any -> [137.175.68.203] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266247; rev:1;) alert tcp $HOME_NET any -> [137.175.68.204] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266248; rev:1;) alert tcp $HOME_NET any -> [137.175.68.205] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266249; rev:1;) alert tcp $HOME_NET any -> [137.175.68.206] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266250; rev:1;) alert tcp $HOME_NET any -> [137.175.68.207] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266251; rev:1;) alert tcp $HOME_NET any -> [137.175.68.208] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266252; rev:1;) alert tcp $HOME_NET any -> [137.175.68.209] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266253; rev:1;) alert tcp $HOME_NET any -> [137.175.68.195] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266239; rev:1;) alert tcp $HOME_NET any -> 
[137.175.68.196] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266240; rev:1;) alert tcp $HOME_NET any -> [137.175.68.197] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266241; rev:1;) alert tcp $HOME_NET any -> [137.175.68.198] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266242; rev:1;) alert tcp $HOME_NET any -> [137.175.68.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266243; rev:1;) alert tcp $HOME_NET any -> [137.175.68.200] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266244; rev:1;) alert tcp $HOME_NET any -> [137.175.68.201] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266245/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266245; rev:1;) alert tcp $HOME_NET any -> [137.175.68.202] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266246; rev:1;) alert tcp $HOME_NET any -> [137.175.68.193] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266237; rev:1;) alert tcp $HOME_NET any -> [137.175.68.194] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beshomandotestbesnd.run.place"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266236; rev:1;) alert tcp $HOME_NET any -> [186.137.33.82] 2112 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"strekhost2085.con-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266234; rev:1;) alert tcp $HOME_NET any -> [178.73.192.2] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266233; rev:1;) alert tcp $HOME_NET any -> [128.90.103.39] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266231; rev:1;) alert tcp $HOME_NET any -> [128.90.123.87] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266232; rev:1;) alert tcp $HOME_NET any -> [94.156.79.216] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266230; rev:1;) alert tcp $HOME_NET any -> [85.107.228.217] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; 
classtype:trojan-activity; sid:91266229; rev:1;) alert tcp $HOME_NET any -> [85.107.228.217] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266227; rev:1;) alert tcp $HOME_NET any -> [85.107.228.217] 7070 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266228; rev:1;) alert tcp $HOME_NET any -> [51.81.105.250] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266226; rev:1;) alert tcp $HOME_NET any -> [45.126.209.21] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266222; rev:1;) alert tcp $HOME_NET any -> [45.126.209.21] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266223; rev:1;) alert tcp $HOME_NET any -> [45.126.209.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1266224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266224; rev:1;) alert tcp $HOME_NET any -> [45.126.209.21] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266225; rev:1;) alert tcp $HOME_NET any -> [62.133.60.240] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266221; rev:1;) alert tcp $HOME_NET any -> [195.10.205.74] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266220; rev:1;) alert tcp $HOME_NET any -> [168.100.9.207] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266219; rev:1;) alert tcp $HOME_NET any -> [94.156.67.214] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266215; rev:1;) alert tcp $HOME_NET any -> [94.156.67.214] 4444 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266216; rev:1;) alert tcp $HOME_NET any -> [94.156.67.214] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266217; rev:1;) alert tcp $HOME_NET any -> [94.156.67.214] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266218; rev:1;) alert tcp $HOME_NET any -> [82.176.208.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266213; rev:1;) alert tcp $HOME_NET any -> [54.82.65.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266212; rev:1;) alert tcp $HOME_NET any -> [34.193.50.197] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266211/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266211; rev:1;) alert tcp $HOME_NET any -> [45.136.15.209] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266210; rev:1;) alert tcp $HOME_NET any -> [45.136.14.91] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"172.245.228.91"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266208; rev:1;) alert tcp $HOME_NET any -> [172.245.228.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266206/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_05_04; classtype:trojan-activity; sid:91266206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"senkiv.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"senkiv.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"18.167.36.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266201; rev:1;) alert tcp $HOME_NET any -> [18.163.119.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1266199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266199; rev:1;) alert tcp $HOME_NET any -> [18.163.119.175] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266200; rev:1;) alert tcp $HOME_NET any -> [54.67.45.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"d30eev9g4ojzqi.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266197; rev:1;) alert tcp $HOME_NET any -> [13.39.182.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266196; rev:1;) alert tcp $HOME_NET any -> [207.148.30.221] 23392 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266195/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266195; rev:1;) alert tcp $HOME_NET any -> [158.247.250.186] 5004 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8996djnv.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.8996djnv.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266193; rev:1;) alert tcp $HOME_NET any -> [23.226.54.38] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.92.91.192"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; 
classtype:trojan-activity; sid:91266190; rev:1;) alert tcp $HOME_NET any -> [1.92.91.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/dark.hta"; depth:43; nocase; http.host; content:"linktoxic34.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogmupdate.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"y0ue7nc4v.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c3x5wqfqd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p9m9as6rc.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5yv0b66c5.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8s75cl4j9.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x7ir6c3dp.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8jcl1fkor.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"prl7fpdgq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uvx6qjirx.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mei2hlvph.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"497hssmh9.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vjgmo889e.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wox5mblpd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1266171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4kqz7kqt2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzhihpnt2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcd7igvud.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"99t9f8t4c.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axqje16l4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wp9wddjn4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gmsjfazpo.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8fqxxf116.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ezsj23n67.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z75717vaj.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"3rldogkrx.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s7n9pjbnl.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o3f4d47j3.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cj87mkoo4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"govntutzt.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"un5nke6rt.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1266131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yombx43uh.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awjjbslep.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arl8xdy0i.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m460p6w8i.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ulfv8hiv3.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5hsghdbng.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awmv2d35g.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l9w8yn2fo.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jzvx353vf.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inekdxiil.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"x5zxvz2yn.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xszhjlyga.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k4ikh1i8s.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8t8g8jquy.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lgu7drz5a.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2jlczycvw.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1266147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcyvzdeex.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49jw256uc.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oqfb13om6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rm43ln1wn.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1d98d2w0k.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"43dtvcgy6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2x5cn12li.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"j2hsoa4va.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trfy09x33.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lnoz4exs6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"y7mmp6opv.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pltfrvss1.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z4aarde49.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4hdkyh1ns.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crbk7hduu.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p5zhkxu7x.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1266107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v4wlbpzf0.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qm4hupdsq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"go6nu8hgl.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gaamc74sm.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23b3imkqh.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; 
sid:91266112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9qf9v3tgq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yg7kcxnie.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gebj02y46.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0a3myb17.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"donkvamcz.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"c231spcbk.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266118; rev:1;)
# Reviewer notes on this slice of the feed. The rules are machine-generated; sid is "9" followed by the ThreatFox IoC id
# from reference:url (sid:91266119 <-> threatfox.abuse.ch/ioc/1266119/), which is the pivot back to the original report.
# target:src_ip marks the internal ($HOME_NET) host as the affected side of the alert.
# Domain rules: dns_query + depth:<length of the name> + isdataat:!1,relative pin an exact, case-insensitive (nocase)
# match on the queried name, so subdomains of a listed name do not fire; fast_pattern makes the name the prefilter pattern.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdyfmnlvv.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266119; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2niq3fv8t.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266120; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"44uegsxdd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266121; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"8nrjr6hc4.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266122; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jvmzaf24a.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266123; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9f8srknbf.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266124; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gpoxpkoiy.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266125; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ynnlb3rus.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266126; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"292edkjz6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266127; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ofav9exew.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266128; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uaeo95mzk.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266129; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"db9oyi6b2.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266130; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d00d7ks32.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266087; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"11qet4bgg.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266088; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2a6m2wkiq.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266089; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xky2lv24m.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266090; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmau5xobd.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266091; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"upxamcuma.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266092; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z1hf83vee.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266093; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yk37wagdg.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266094; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ajl0toabj.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266095; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qqpjqdylr.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266096; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1wrap3lnr.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266097; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z8g4klplp.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266098; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7clm8w86o.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266099; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nii34kqrw.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266100; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dl23dcg0p.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266101; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwfkwiup6.life"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266102; rev:1;)
# URL rules: the client request is inspected only on an established session (flow:established,from_client) and the method
# is fixed to GET. http.host is pinned exactly (depth + isdataat:!1,relative), but http.uri has depth without isdataat,
# so the listed path is a prefix match: anything starting with that path on that host fires.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.109.192.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266086; rev:1;)
# ip:port rules: no flow or content keyword, so any TCP packet from $HOME_NET to the listed address and port fires (a bare
# SYN is enough); threshold (type limit, track by_src, seconds 60, count 1) caps this at one alert per internal source per
# 60 s. Confidence is carried in msg and metadata (50/75/80/100 in this slice); the 50% entries are the ones most worth
# triaging against the reference URL before any blocking decision is derived from the alert.
alert tcp $HOME_NET any -> [47.109.192.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266085; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.108.252.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266084; rev:1;)
alert tcp $HOME_NET any -> [47.108.252.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266083; rev:1;)
alert tcp $HOME_NET any -> [85.197.93.75] 19851 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266036; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.19] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266042; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whserver.exe"; depth:13; nocase; http.host; content:"1.92.90.232"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266047; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 39657 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266051; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"these-accommodation.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1266052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266052; rev:1;)
alert tcp $HOME_NET any -> [141.8.193.79] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266077; rev:1;)
alert tcp $HOME_NET any -> [47.99.152.157] 7894 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266082; rev:1;)
alert tcp $HOME_NET any -> [94.156.69.245] 5801 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265811; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brownselocalsz.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klikkancontrolsx.ddnsfree.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91265813; rev:1;)
alert tcp $HOME_NET any -> [47.92.149.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266080; rev:1;)
alert tcp $HOME_NET any -> [47.92.149.15] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266081; rev:1;)
alert tcp $HOME_NET any -> [47.92.149.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266079; rev:1;)
alert tcp $HOME_NET any -> [8.130.134.5] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266078; rev:1;)
alert tcp $HOME_NET any -> [124.221.226.243] 1414 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266076; rev:1;)
alert tcp $HOME_NET any -> [120.53.87.29] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266075; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.54.23.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266074; rev:1;)
alert tcp $HOME_NET any -> [106.54.23.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266073; rev:1;)
alert tcp $HOME_NET any -> [49.232.236.209] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.139.120.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266071; rev:1;)
alert tcp $HOME_NET any -> [43.139.120.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266069; rev:1;)
alert tcp $HOME_NET any -> [43.139.120.180] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.139.107.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266068; rev:1;)
alert tcp $HOME_NET any -> [43.139.107.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266067; rev:1;)
alert tcp $HOME_NET any -> [1.117.230.165] 5578 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266066; rev:1;)
alert tcp $HOME_NET any -> [65.21.147.214] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266064; rev:1;)
alert tcp $HOME_NET any -> [185.186.25.42] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266063; rev:1;)
alert tcp $HOME_NET any -> [185.186.25.33] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266062; rev:1;)
alert tcp $HOME_NET any -> [147.45.41.2] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266061; rev:1;)
alert tcp $HOME_NET any -> [124.223.40.156] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266060; rev:1;)
alert tcp $HOME_NET any -> [39.40.174.210] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266059; rev:1;)
alert tcp $HOME_NET any -> [166.62.100.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266058; rev:1;)
alert tcp $HOME_NET any -> [93.127.194.22] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_04; classtype:trojan-activity; sid:91266057; rev:1;)
alert tcp $HOME_NET any -> [185.223.28.15] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266056; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266055; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.201] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266054; rev:1;)
alert tcp $HOME_NET any -> [45.61.150.201] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_04; classtype:trojan-activity; sid:91266053; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edb7233b.php"; depth:13; nocase; http.host; content:"a0950024.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_04; classtype:trojan-activity; sid:91266050; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.235] 26632 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266048; rev:1;)
alert tcp $HOME_NET any -> [146.19.143.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91266046; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 39717 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/authdefaultdle.php"; depth:19; nocase; http.host; content:"reallysrv.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266044; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0947008.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1266043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266043; rev:1;)
alert tcp $HOME_NET any -> [144.76.71.93] 313 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266041; rev:1;)
alert tcp $HOME_NET any -> [139.59.110.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266040; rev:1;)
alert tcp $HOME_NET any -> [51.15.225.131] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266039; rev:1;)
alert tcp $HOME_NET any -> [99.83.190.128] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91266038; rev:1;)
alert tcp $HOME_NET any -> [185.107.56.48] 443 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1266037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91266037; rev:1;)
alert tcp $HOME_NET any -> [8.218.228.15] 60478 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265808; rev:1;)
alert tcp $HOME_NET any -> [68.168.211.94] 2052 (msg:"ThreatFox SparkRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265809; rev:1;)
alert tcp $HOME_NET any -> [89.105.201.183] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_03; classtype:trojan-activity; sid:91265810; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265807; rev:1;)
alert tcp $HOME_NET any -> [194.140.198.234] 9993 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265790; rev:1;)
alert tcp $HOME_NET any -> [217.138.215.79] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig32.gif"; depth:10; nocase; http.host; content:"207.148.109.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265797; rev:1;)
alert tcp $HOME_NET any -> [207.148.109.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265798; rev:1;)
alert tcp $HOME_NET any -> [109.120.133.115] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.25.2.115"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.48.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"103.234.54.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.popuiarenlinea.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265802; rev:1;)
alert tcp $HOME_NET any -> [142.171.104.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lv"; depth:3; nocase; http.host; content:"support.popuiarenlinea.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265801; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265800; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/p7mi"; depth:5; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265795; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.one"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265793; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bobs.kraken11op.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265794; rev:1;)
alert tcp $HOME_NET any -> [101.99.93.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265792; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.99.93.222"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265791; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"207.148.109.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265789/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265789; rev:1;)
alert tcp $HOME_NET any -> [37.120.235.122] 2269 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265788/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265788; rev:1;)
alert tcp $HOME_NET any -> [8.218.244.117] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265743; rev:1;)
alert tcp $HOME_NET any -> [103.158.190.167] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265744; rev:1;)
alert tcp $HOME_NET any -> [47.242.52.22] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265745; rev:1;)
alert tcp $HOME_NET any -> [193.56.255.142] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265746; rev:1;)
alert tcp $HOME_NET any -> [8.210.167.64] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265749; rev:1;)
alert tcp $HOME_NET any -> [8.210.4.242] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265747; rev:1;)
alert tcp $HOME_NET any -> [38.60.193.62] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265748/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265748; rev:1;) alert tcp $HOME_NET any -> [8.210.134.47] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265750; rev:1;) alert tcp $HOME_NET any -> [139.180.208.107] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265751; rev:1;) alert tcp $HOME_NET any -> [8.210.174.168] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265752; rev:1;) alert tcp $HOME_NET any -> [8.217.84.192] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265754; rev:1;) alert tcp $HOME_NET any -> [8.218.17.11] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265753; rev:1;) alert tcp $HOME_NET any -> [8.218.163.77] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265755; rev:1;) alert tcp $HOME_NET any -> [8.218.248.158] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265756; rev:1;) alert tcp $HOME_NET any -> [8.218.56.204] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265757; rev:1;) alert tcp $HOME_NET any -> [8.218.217.76] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265758; rev:1;) alert tcp $HOME_NET any -> [8.217.0.193] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265759; rev:1;) alert tcp $HOME_NET any -> [8.217.96.167] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265760; rev:1;) 
alert tcp $HOME_NET any -> [94.131.110.28] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265761; rev:1;) alert tcp $HOME_NET any -> [64.176.8.105] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265762; rev:1;) alert tcp $HOME_NET any -> [128.14.105.154] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265763; rev:1;) alert tcp $HOME_NET any -> [45.116.78.250] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265764; rev:1;) alert tcp $HOME_NET any -> [146.70.157.115] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265765; rev:1;) alert tcp $HOME_NET any -> [45.32.115.37] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265766/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265766; rev:1;) alert tcp $HOME_NET any -> [207.148.95.161] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265767; rev:1;) alert tcp $HOME_NET any -> [185.167.61.21] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265768; rev:1;) alert tcp $HOME_NET any -> [164.215.103.248] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265769; rev:1;) alert tcp $HOME_NET any -> [173.199.71.24] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265770; rev:1;) alert tcp $HOME_NET any -> [8.217.107.25] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265771; rev:1;) alert tcp $HOME_NET any -> [47.243.60.4] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265772; rev:1;) alert tcp $HOME_NET any -> [8.210.168.192] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265773; rev:1;) alert tcp $HOME_NET any -> [8.218.193.197] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265774; rev:1;) alert tcp $HOME_NET any -> [8.218.128.35] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265776; rev:1;) alert tcp $HOME_NET any -> [8.210.74.92] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265775; rev:1;) alert tcp $HOME_NET any -> [8.218.213.245] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265777; 
rev:1;) alert tcp $HOME_NET any -> [8.210.221.119] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265778; rev:1;) alert tcp $HOME_NET any -> [45.159.250.235] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265779; rev:1;) alert tcp $HOME_NET any -> [8.217.122.135] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265781; rev:1;) alert tcp $HOME_NET any -> [185.81.114.45] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265780; rev:1;) alert tcp $HOME_NET any -> [193.124.41.246] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; 
http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investment.kumbaraan.biz.id"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"investment.kumbaraan.biz.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265784; rev:1;) alert tcp $HOME_NET any -> [193.142.146.21] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265728; rev:1;) alert tcp $HOME_NET any -> [185.234.67.47] 4047 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265729; rev:1;) alert tcp $HOME_NET any -> [172.111.244.68] 4047 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quickdatenight.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laitheliar.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265732; rev:1;) alert tcp $HOME_NET any -> [198.98.59.177] 8848 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265742; rev:1;) alert tcp $HOME_NET any -> [139.59.110.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265741/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_05_03; classtype:trojan-activity; sid:91265741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minuoddos.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265740; rev:1;) alert tcp $HOME_NET any -> [217.165.15.83] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265739; rev:1;) alert tcp $HOME_NET any -> [147.45.136.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265738; rev:1;) alert tcp $HOME_NET any -> [39.185.245.204] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265737; rev:1;) alert tcp $HOME_NET any -> [77.37.43.47] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265736; rev:1;) alert tcp $HOME_NET any -> [193.3.19.136] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265734; rev:1;) alert tcp $HOME_NET any -> [193.3.19.136] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_03; classtype:trojan-activity; sid:91265735; rev:1;) alert tcp $HOME_NET any -> [94.156.71.74] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265733; rev:1;) alert tcp $HOME_NET any -> [45.152.115.131] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265574; rev:1;) alert tcp $HOME_NET any -> [62.234.180.14] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265575; rev:1;) alert tcp $HOME_NET any -> [54.255.171.65] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265571; rev:1;) alert tcp $HOME_NET any -> 
[110.41.184.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.paamsa.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"empames.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265569; rev:1;) alert tcp $HOME_NET any -> [54.205.59.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265570; rev:1;) alert tcp $HOME_NET any -> [38.6.193.9] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265565; rev:1;) alert tcp $HOME_NET any -> [59.110.91.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1265567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.appxoxo.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265563; rev:1;) alert tcp $HOME_NET any -> [103.40.161.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gp.miaoys.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.data.nextb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77mh.icu"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265559; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cargillrewards.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcftjs8112.woodensunbeds.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appxoxo.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dexhub.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c2.sns-labs.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265550; rev:1;) alert tcp $HOME_NET any -> [185.91.127.221] 1340 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265576; rev:1;) alert tcp $HOME_NET any -> [47.120.16.255] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265577; rev:1;) alert tcp $HOME_NET any -> [20.41.84.113] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265578; rev:1;) alert tcp $HOME_NET any -> [188.116.22.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265579; rev:1;) alert tcp $HOME_NET any -> [91.92.245.12] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265580; rev:1;) alert tcp $HOME_NET any -> [47.96.252.193] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; 
classtype:trojan-activity; sid:91265581; rev:1;) alert tcp $HOME_NET any -> [45.12.53.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265582; rev:1;) alert tcp $HOME_NET any -> [36.111.191.33] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265583; rev:1;) alert tcp $HOME_NET any -> [212.64.24.30] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265584; rev:1;) alert tcp $HOME_NET any -> [212.64.24.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265585; rev:1;) alert tcp $HOME_NET any -> [47.115.215.30] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265587; rev:1;) alert tcp $HOME_NET any -> [119.45.21.247] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265586; rev:1;) alert tcp $HOME_NET any -> [114.55.116.176] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265588; rev:1;) alert tcp $HOME_NET any -> [120.78.3.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265589; rev:1;) alert tcp $HOME_NET any -> [150.158.75.102] 15478 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265590; rev:1;) alert tcp $HOME_NET any -> [123.57.205.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.maasssa.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; 
sid:91265560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test2.tcash.sigmacomp.pl"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.binarycode.vip"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265562; rev:1;) alert tcp $HOME_NET any -> [24.144.96.216] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265566; rev:1;) alert tcp $HOME_NET any -> [123.57.205.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265591; rev:1;) alert tcp $HOME_NET any -> [18.167.36.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265593; rev:1;) alert tcp $HOME_NET any -> [18.167.36.79] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265594; rev:1;) alert tcp $HOME_NET any -> [180.210.220.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265595; rev:1;) alert tcp $HOME_NET any -> [103.234.54.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265596; rev:1;) alert tcp $HOME_NET any -> [147.135.211.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265597; rev:1;) alert tcp $HOME_NET any -> [38.181.57.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265598; rev:1;) alert tcp $HOME_NET any -> [101.43.43.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265599; rev:1;) alert 
tcp $HOME_NET any -> [18.162.61.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265601; rev:1;) alert tcp $HOME_NET any -> [13.212.24.201] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265600; rev:1;) alert tcp $HOME_NET any -> [38.6.193.10] 3588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265602; rev:1;) alert tcp $HOME_NET any -> [103.150.10.45] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265603; rev:1;) alert tcp $HOME_NET any -> [194.36.178.33] 37732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265722; rev:1;) alert tcp $HOME_NET any -> [154.198.227.90] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1265604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265604; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 42294 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tkanilux.com.ua"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"reviews-christians.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_03; classtype:trojan-activity; sid:91265727; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 33587 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_03; classtype:trojan-activity; sid:91265723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bogote.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265721/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_05_02; classtype:trojan-activity; sid:91265721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davltp.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davltp.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bogote.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst431.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"msq2323232300000.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265714; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"static.cdn40.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"statistic.cdn47.space"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"storage.cdn48f.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1704.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn25.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn2525.com"; 
depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn27.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn30.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn31.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn32.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn33.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265697/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_05_02; classtype:trojan-activity; sid:91265697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn34.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn35.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn36.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn37.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn38.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 75%)"; dns_query; content:"cdn40.click"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265703/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn41.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265704/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn42.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn44.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn45.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn46.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265708/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn47.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn48f.space"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265710/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst251.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265711/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"eprst281.boo"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"pdfreader.link"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"quicken-install.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"vkontakte.in"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wall-street-journal.link"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265673/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"workable.uk.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.pm"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.re"; depth:6; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1265676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.wales"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wsj.wf"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.blackrock.wf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.concur.pm"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265680/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.concur.re"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265681/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; 
sid:91265681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.wsj.re"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265682/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"www.wsj.wf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"wwwlegals.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265684/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1102.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1124.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; 
content:"cdn1168.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265687/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1701.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"cdn1702.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"7-zip.cfd"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265646/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"7-zip.day"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanner.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265648/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advanced-ip-scanner.link"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"advancedipscannerapp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265650/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"aimp.day"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"aimp.pm"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"asana.tel"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"asana.wf"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265654/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"autodesk.pm"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265655/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"blackrock.re"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"blackrock.wf"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265657/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265658/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.pm"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1265659/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.re"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"concur.skin"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hidifypro.turkalphapro.ir"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hubspot.pm"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"hubspot.wf"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265664; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"lexisnexis.day"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.click"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.day"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"meet-go.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265669/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265669; rev:1;) alert tcp $HOME_NET any -> [141.98.168.16] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265641; rev:1;) alert tcp $HOME_NET any -> [141.98.168.106] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265642; rev:1;) alert tcp $HOME_NET any -> [176.120.75.247] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265643; rev:1;) alert tcp $HOME_NET any -> [193.233.205.45] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 75%)"; dns_query; content:"138.124.183.79.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265645; rev:1;) alert tcp $HOME_NET any -> [138.124.184.247] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265638; rev:1;) alert tcp $HOME_NET any -> [138.124.184.249] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265639; rev:1;) alert tcp $HOME_NET any -> [138.124.184.250] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265640; rev:1;) alert tcp $HOME_NET any -> [138.124.183.95] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265634; rev:1;) alert tcp $HOME_NET any -> [138.124.183.175] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265635; rev:1;) alert tcp $HOME_NET any -> [138.124.183.176] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265636; rev:1;) alert tcp $HOME_NET any -> [138.124.184.64] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265637; rev:1;) alert tcp $HOME_NET any -> [109.107.170.81] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265630; rev:1;) alert tcp $HOME_NET any -> [138.124.180.85] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265631; rev:1;) alert tcp $HOME_NET any -> [138.124.183.79] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265632; rev:1;) alert tcp $HOME_NET any -> [138.124.183.91] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265633; rev:1;) alert tcp $HOME_NET any -> [103.113.70.68] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265627; rev:1;) alert tcp $HOME_NET any -> [103.113.70.134] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265628; rev:1;) alert tcp $HOME_NET any -> [103.113.70.142] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265629; rev:1;) alert tcp $HOME_NET any -> [103.35.191.28] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265623; rev:1;) alert tcp $HOME_NET any -> [103.35.191.53] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265624; rev:1;) alert tcp $HOME_NET any -> [103.35.191.56] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265625; rev:1;) alert tcp $HOME_NET any -> [103.35.191.76] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265626; rev:1;) alert tcp $HOME_NET any -> [91.149.239.120] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265620/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265620; rev:1;) alert tcp $HOME_NET any -> [94.131.101.65] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265621; rev:1;) alert tcp $HOME_NET any -> [103.35.188.98] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265622; rev:1;) alert tcp $HOME_NET any -> [86.104.72.154] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265616/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265616; rev:1;) alert tcp $HOME_NET any -> [86.104.72.155] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265617; rev:1;) alert tcp $HOME_NET any -> [86.104.72.157] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265618; rev:1;) alert tcp $HOME_NET any -> [86.104.72.158] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265619/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265619; rev:1;) alert tcp $HOME_NET any -> [45.142.212.150] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265612/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265612; rev:1;) alert tcp $HOME_NET any -> [45.152.113.251] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265613; rev:1;) alert tcp $HOME_NET any -> [45.159.211.211] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265614/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265614; rev:1;) alert tcp $HOME_NET any -> [77.105.162.54] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265615/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265615; rev:1;) alert tcp $HOME_NET any -> [23.170.40.136] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265608/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265608; rev:1;) alert tcp $HOME_NET any -> [45.67.229.73] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265609/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265609; rev:1;) alert tcp $HOME_NET any -> [45.89.53.223] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265610/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265610; rev:1;) alert tcp $HOME_NET any -> [45.89.53.244] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265611/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265611; rev:1;) alert tcp $HOME_NET any -> [5.180.24.160] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265606/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265606; rev:1;) alert tcp $HOME_NET any -> [23.133.88.190] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"masterokrwh.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265605; rev:1;) alert tcp $HOME_NET any -> [89.110.68.218] 21572 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265549; rev:1;) alert tcp $HOME_NET any -> [5.189.253.247] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265548; rev:1;) alert tcp $HOME_NET any -> [159.89.186.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265547; rev:1;) alert tcp $HOME_NET any -> [77.221.151.59] 50555 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265546; rev:1;) alert tcp $HOME_NET any -> [37.60.252.83] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265545; rev:1;) alert tcp $HOME_NET any -> [147.45.47.47] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265544; rev:1;) alert tcp $HOME_NET any -> [142.171.184.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265543; rev:1;) alert tcp $HOME_NET any -> [2.88.123.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265542; rev:1;) alert tcp $HOME_NET any -> [41.96.176.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265541/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265541; rev:1;) alert tcp $HOME_NET any -> [85.99.29.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265540; rev:1;) alert tcp $HOME_NET any -> [175.10.45.89] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265539; rev:1;) alert tcp $HOME_NET any -> [86.98.19.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265538; rev:1;) alert tcp $HOME_NET any -> [189.140.8.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265537/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265537; rev:1;) alert tcp $HOME_NET any -> [103.195.6.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265536/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265536; rev:1;) alert tcp $HOME_NET any -> [170.64.140.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1265535/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265535; rev:1;) alert tcp $HOME_NET any -> [138.197.28.158] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265534; rev:1;) alert tcp $HOME_NET any -> [138.197.28.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265533; rev:1;) alert tcp $HOME_NET any -> [5.42.85.10] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265531; rev:1;) alert tcp $HOME_NET any -> [147.45.149.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265530; rev:1;) alert tcp $HOME_NET any -> [50.114.37.38] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265529; rev:1;) alert tcp $HOME_NET any -> [13.82.179.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265528; rev:1;) alert tcp $HOME_NET any -> [31.192.107.143] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265527; rev:1;) alert tcp $HOME_NET any -> [134.122.85.18] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265526; rev:1;) alert tcp $HOME_NET any -> [135.181.119.247] 26827 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dbbaseflowerdatalife.php"; depth:25; nocase; http.host; content:"45.141.102.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nandos.hopto.org"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1265307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265307; rev:1;) alert tcp $HOME_NET any -> [103.77.208.150] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265306/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.116.213.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265305; rev:1;) alert tcp $HOME_NET any -> [94.241.142.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"149.104.25.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; 
depth:10; nocase; http.host; content:"149.104.25.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.231.64.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265301; rev:1;) alert tcp $HOME_NET any -> [31.128.32.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"31.128.32.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265299; rev:1;) alert tcp $HOME_NET any -> [156.251.172.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.251.172.80"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265297; rev:1;) alert tcp $HOME_NET any -> [64.23.165.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"aawwn.azureedge.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aawwn.azureedge.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"49.235.187.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265293; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"193.143.1.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"207.154.255.140"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265291; rev:1;) alert tcp $HOME_NET any -> [185.241.225.213] 3389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265289; rev:1;) alert tcp $HOME_NET any -> [43.136.38.59] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265288/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dahuatec.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zirbnarg.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"jilepofk.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"wustyelk.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265235/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"mixylozt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"quoxvebz.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"hifkxarp.xyz"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1265238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"dultzown.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"kervplun.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"vikexems.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"bontmawy.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265242; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"sirljufi.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265243/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zoxtneep.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"glaxwimb.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265244/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"fruljilk.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265245/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"yampdrik.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"zorbpuft.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"riltshuv.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"vempyurt.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"dyltwerm.xyz"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1265252/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmzmzgvlmji3nzu0/"; depth:18; nocase; http.host; content:"hozzkwor.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_02; classtype:trojan-activity; sid:91265251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265284; rev:1;) alert tcp $HOME_NET any -> [8.130.52.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternallowapiuniversallocal.php"; depth:32; nocase; http.host; content:"a0835675.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/noa.exe"; depth:8; nocase; http.host; content:"192.3.239.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265281; rev:1;) alert tcp $HOME_NET any -> [154.12.31.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265280; rev:1;) alert tcp $HOME_NET any -> [154.12.31.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"154.12.31.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.174.254.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265277; rev:1;) 
alert tcp $HOME_NET any -> [107.174.254.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-inqt462u-1314366639.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-inqt462u-1314366639.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.95.166.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265272; rev:1;) alert tcp $HOME_NET any -> [23.95.166.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265273/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbmarket-place.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fbmarket-place.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265270; rev:1;) alert tcp $HOME_NET any -> [45.142.214.27] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265268; rev:1;) alert tcp $HOME_NET any -> [146.19.247.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265267; rev:1;) alert tcp $HOME_NET any -> [8.138.108.192] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265266; rev:1;) alert tcp $HOME_NET any -> [16.16.233.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265265; rev:1;) alert tcp $HOME_NET any -> [45.14.246.124] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265264; rev:1;) alert tcp $HOME_NET any -> [103.82.195.234] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265263; rev:1;) alert tcp $HOME_NET any -> [45.14.246.53] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265262; rev:1;) alert tcp $HOME_NET any -> [18.177.137.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1265261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265261; rev:1;) alert tcp $HOME_NET any -> [222.186.17.75] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265260; rev:1;) alert tcp $HOME_NET any -> [138.197.66.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265259; rev:1;) alert tcp $HOME_NET any -> [104.37.190.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265258; rev:1;) alert tcp $HOME_NET any -> [47.251.12.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265257; rev:1;) alert tcp $HOME_NET any -> [45.76.53.16] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265256; rev:1;) alert tcp $HOME_NET any -> [143.110.151.209] 8888 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_02; classtype:trojan-activity; sid:91265255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.228"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265254; rev:1;) alert tcp $HOME_NET any -> [116.202.185.228] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265253; rev:1;) alert tcp $HOME_NET any -> [65.108.19.51] 37149 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265232; rev:1;) alert tcp $HOME_NET any -> [154.9.246.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28489294.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1265230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"28489294.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265229; rev:1;) alert tcp $HOME_NET any -> [34.91.32.224] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abscete.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bu2t"; depth:5; nocase; http.host; content:"84.247.155.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265225; rev:1;) alert tcp $HOME_NET any -> [84.247.155.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265224; rev:1;) alert tcp $HOME_NET any -> [91.92.252.187] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265223/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265223; rev:1;) alert tcp $HOME_NET any -> [46.41.139.162] 4444 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265222; rev:1;) alert tcp $HOME_NET any -> [176.123.1.127] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265209/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265209; rev:1;) alert tcp $HOME_NET any -> [185.172.128.95] 6666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; 
classtype:trojan-activity; sid:91265210; rev:1;)
# --- Reviewer notes on the rule shapes used in this feed ---
# Each rule is one line. The sid is the ThreatFox IoC id with a leading 9
# (reference:url .../ioc/1265211/ <-> sid:91265211), so an alert can be looked up
# directly; confidence_level and first_seen ride along as metadata and are echoed
# in the msg text.
#
# ip:port rules: "alert tcp $HOME_NET any -> [IP] PORT" carry no flow keyword, so
#   any packet from an internal host to that IP:port can match (a bare SYN with no
#   reply presumably included); "threshold: type limit, track by_src, seconds 60,
#   count 1" caps this at one alert per source per 60 s.
# domain rules: dns_query content whose depth equals the name length, followed by
#   isdataat:!1,relative, so only an exact (case-insensitive) query name matches --
#   a subdomain of the listed name does not.
# url rules: http.method GET, then an http.uri content with depth only (a prefix
#   match: a URI content of "/" with depth:1 matches every request path), then an
#   http.host content with depth plus isdataat:!1,relative (exact host match). The
#   host anchor is what makes each url rule specific.
# target:src_ip marks the internal client (the rule's source side) as the victim.
alert tcp $HOME_NET any -> [185.172.128.95] 6655 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91265211; rev:1;)
alert tcp $HOME_NET any -> [193.142.146.181] 6655 (msg:"ThreatFox DynamicStealer botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265212; rev:1;)
alert tcp $HOME_NET any -> [157.10.45.238] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apibnng.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91265219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"teaching-wireless.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264961/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91264961; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 39289 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264960/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_02; classtype:trojan-activity; sid:91264960; rev:1;)
alert tcp $HOME_NET any -> [12.221.146.138] 8450 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91264958; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aprilxrwonew8450.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_02; classtype:trojan-activity; sid:91264959; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265221; rev:1;)
alert tcp $HOME_NET any -> [163.5.210.97] 3307 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265220; rev:1;)
alert tcp $HOME_NET any -> [104.236.69.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265217; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"54.82.65.203"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265216; rev:1;)
alert tcp $HOME_NET any -> [154.9.246.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265215; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.9.246.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265214; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.188] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265213; rev:1;)
# The four url rules below use a URI content of "/" with depth:1 and no trailing
# isdataat, i.e. any request path; the exact http.host match is the whole detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nevers.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nevers.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265205; rev:1;)
alert tcp $HOME_NET any -> [95.217.245.42] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265206; rev:1;)
alert tcp $HOME_NET any -> [159.69.102.118] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265207; rev:1;)
alert tcp $HOME_NET any -> [88.198.124.238] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265208; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.124.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265203; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265202; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.245.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265201; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.78] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265199; rev:1;)
alert tcp $HOME_NET any -> [128.199.74.55] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265200; rev:1;)
# confidence_level 50 entries on common ports (80, 443) follow; the confidence is
# in the metadata, so alert consumers can weight or suppress on it without editing rules.
alert tcp $HOME_NET any -> [103.67.163.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265198; rev:1;)
alert tcp $HOME_NET any -> [141.95.109.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265197; rev:1;)
alert tcp $HOME_NET any -> [162.33.177.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265196; rev:1;)
alert tcp $HOME_NET any -> [86.126.231.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265195; rev:1;)
alert tcp $HOME_NET any -> [41.99.16.165] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265194; rev:1;)
alert tcp $HOME_NET any -> [142.247.217.110] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265193; rev:1;)
alert tcp $HOME_NET any -> [1.161.71.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265192; rev:1;)
alert tcp $HOME_NET any -> [80.76.32.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265191; rev:1;)
alert tcp $HOME_NET any -> [222.186.17.75] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265190; rev:1;)
alert tcp $HOME_NET any -> [162.0.230.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91265189; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"craf.kro.kr"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1265188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265188; rev:1;)
alert tcp $HOME_NET any -> [54.39.249.56] 61562 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0949584.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1265186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265186; rev:1;)
alert tcp $HOME_NET any -> [2.57.149.77] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1265185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91265185; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.108] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264962; rev:1;)
alert tcp $HOME_NET any -> [146.19.143.186] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264849/; target:src_ip; metadata: confidence_level 60, first_seen 2024_05_01; classtype:trojan-activity; sid:91264849; rev:1;)
# The next 22 url rules share the URI path "/zdqyn2nmogezotlk/" and differ only in
# http.host. The feed keys on host+path, so a new host serving the same path is not
# covered until ThreatFox publishes it; a hunt on the path alone is a separate decision.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"seniseverdimbenenaz.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264827; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yenihacamattedavicisi.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"benkadereyenikdustum.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"asperonilaclari.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"fitildeyenilerdin.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264831; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kaderbizegulmezmi.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264832; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"seningibiadamlarbenisev.top"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264833; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"saglemkzanlar.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264834; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"akuaakveryum.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264835; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"yeniseylerdenememelan.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264837; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"bebeklerdeoynarx.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264836; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"atasehirkkuaforu.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264838; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"canankarataylabebek.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264839; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sevsenneolurduuuu.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264840; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"sevmesenneeeolur.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264841; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"kopekuyuztedavicisi.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264842; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"hayvanyemekveriyoruz.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264843; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"topcularaktaricisisedat.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264844; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"evcilkusbesleme.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"verdilerbizeikiadam.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"tokatmotorcukuryesi.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264847; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotlk/"; depth:18; nocase; http.host; content:"arackiralamacankiri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264848; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.8] 58267 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264795; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"80.66.89.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xijinping.mov"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264796/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264796; rev:1;)
alert tcp $HOME_NET any -> [185.35.4.119] 5678 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vm_longpollbasetraffictrackwordpressprivateuploads.php"; depth:55; nocase; http.host; content:"remotetable.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"106.14.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"ikea0.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"lebondogicoin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"91.238.181.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.140.37.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264819; rev:1;)
alert tcp $HOME_NET any -> [43.140.37.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264820; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"159.75.104.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264818; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264817; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264816; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264815; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 12088 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264814; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.36] 39849 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264811; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264810; rev:1;)
# The domain rules below name hostnames under shared cloud/CDN parents (azurefd.net,
# tencentapigw.com); the depth + isdataat anchoring keeps each match to the exact
# listed label, not the parent zone, so sibling tenants of those services do not fire.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbgrw1.azurefd.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"dbgrw1.azurefd.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"sz-sourcetail-v4.volcmlt.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264804; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sz-sourcetail-v4.volcmlt.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264805; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"8.147.132.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-8lop3tot-1321953982.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8lop3tot-1321953982.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264801; rev:1;)
alert tcp $HOME_NET any -> [170.106.169.138] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264799; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/462c30d592f23b18/jquery/3.7.1/jquery.min.js"; depth:44; nocase; http.host; content:"update.micromain.cfd"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264797; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.micromain.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264798; rev:1;)
# Same one-path/many-hosts shape as the "/zdqyn2nmogezotlk/" group: the URI path
# "/otm5zwjizgqynzjh/" is fixed and only the http.host (adiletasarim.com and
# numbered siblings) varies across the following rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"adiletasarim.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264761; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"3adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"2adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264762; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"4adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/otm5zwjizgqynzjh/"; depth:18; nocase; http.host; content:"5adiletasarim.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"karakutuoynlar.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"karaaslancamping.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"oyunlarlemmi.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"candancanda.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kaderdegulmzx.top"; 
depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"sevmekdeacilar.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"huzunluponsimm.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kaderimyaziklar.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"mkkaoooama.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264774/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_05_01; classtype:trojan-activity; sid:91264774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"ataseiorunaa.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"oyungouardman.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"sevmenenenaaa.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"canozturkkaka.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"biggiyenim.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264779/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"cigkoftebedavahizmetim.top"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"vasathastalari.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kenedabirnumaratedavicisi.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264782/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"kediseakiyoruz.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264783/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yavuzllarmarketim.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264784/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"yeniuygarckaportaci.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264785/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"servisdepaketlemem.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264786/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"panssiyoncukuryesi.top"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264787/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mje2ytczy2mxnja0/"; depth:18; nocase; http.host; content:"hizlimkaretdealisveris.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264788/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"45.88.91.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264789/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"agambenikoviyoryav.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264790/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"agambeniseviyoryav.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264791/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_05_01; classtype:trojan-activity; sid:91264791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kardesimbenikoviyoryav.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264792/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kardesimbeniseviyoryav.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264793/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzg2ogjiogu5owqy/"; depth:18; nocase; http.host; content:"kekembeniseviyoryav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marababrtdakand4.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264759; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marabkanatlarda2.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264760; rev:1;) alert tcp $HOME_NET any -> [94.156.8.76] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264758; rev:1;) alert tcp $HOME_NET any -> [5.180.154.53] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264756; rev:1;) alert tcp $HOME_NET any -> [91.245.225.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.96.252.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a69d09b357e06b52.php"; depth:21; nocase; http.host; content:"193.163.7.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264753; rev:1;) alert tcp $HOME_NET any -> [45.140.146.209] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264752; rev:1;) alert tcp $HOME_NET any -> [91.92.245.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264751; rev:1;) alert tcp $HOME_NET any -> [141.8.199.126] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264750; rev:1;) alert tcp $HOME_NET any -> [41.99.220.227] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264749; rev:1;) alert tcp $HOME_NET any -> [63.35.228.8] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264748; rev:1;) alert tcp $HOME_NET any -> [45.32.100.118] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264747; rev:1;) alert tcp $HOME_NET any -> [77.91.74.239] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264746; rev:1;) alert tcp $HOME_NET any -> [23.95.61.136] 29443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264745; rev:1;) alert tcp $HOME_NET any -> [81.43.24.55] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; 
classtype:trojan-activity; sid:91264744; rev:1;) alert tcp $HOME_NET any -> [91.92.250.2] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264743; rev:1;) alert tcp $HOME_NET any -> [91.238.181.233] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264742; rev:1;) alert tcp $HOME_NET any -> [87.121.69.206] 3306 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264741; rev:1;) alert tcp $HOME_NET any -> [142.93.109.84] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264740; rev:1;) alert tcp $HOME_NET any -> [157.245.70.79] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264739; rev:1;) alert tcp $HOME_NET any -> [163.181.39.72] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1264738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264738; rev:1;) alert tcp $HOME_NET any -> [149.104.26.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264737; rev:1;) alert tcp $HOME_NET any -> [72.14.186.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264736; rev:1;) alert tcp $HOME_NET any -> [144.202.125.45] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_05_01; classtype:trojan-activity; sid:91264735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/private/wordpress3/vmmariadbsecureflower/cdnsecure/multiimagesqlphp/6secure3vm/gamepythonmultidownloads/externalgeneratorjavascript8/testtest8/0providercdn/58/cpupollpoll/5/imagelocal/tracklongpoll/multidleuploads/localcdn.php"; depth:230; nocase; http.host; content:"89.23.98.112"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/evie1/five/fre.php"; depth:19; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.15.156.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.172.128.65"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1264697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.142.146.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.47"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.102"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264701; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.64.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"38.92.40.19"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"64.94.85.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; 
http.host; content:"147.45.47.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"147.45.47.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"217.195.207.156"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; 
classtype:trojan-activity; sid:91264710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.221.151.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamb/five/pvqdq929bsx_a_d_m1n_a.php"; depth:37; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtyedh/five/pvqdq929bsx_a_d_m1n_a.php"; depth:38; nocase; http.host; content:"91.92.253.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dek/vv5/pvqdq929bsx_a_d_m1n_a.php"; depth:34; nocase; http.host; content:"alphaumi.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/pvqdq929bsx_a_d_m1n_a.php"; depth:37; nocase; http.host; content:"roof.spencerstuartllc.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/pvqdq929bsx_a_d_m1n_a.php"; depth:36; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/pvqdq929bsx_a_d_m1n_a.php"; depth:30; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob/pvqdq929bsx_a_d_m1n_a.php"; depth:29; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/pvqdq929bsx_a_d_m1n_a.php"; depth:39; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/pvqdq929bsx_a_d_m1n_a.php"; depth:30; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t/project/five/pvqdq929bsx_a_d_m1n_a.php"; depth:41; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/pvqdq929bsx_a_d_m1n_a.php"; depth:40; nocase; http.host; content:"meridianresourcellc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264722; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1264726/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264726; rev:1;) alert tcp $HOME_NET any -> [193.233.132.126] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264727; rev:1;) alert tcp $HOME_NET any -> [45.133.174.75] 8426 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masterokrwh.duckdns.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1264729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264729; rev:1;) alert tcp $HOME_NET any -> [38.45.200.163] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarkanmdas4.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264675/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"marababrtdas.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/images/size/w256h256/2021/03/favicon.png"; depth:49; nocase; http.host; content:"alphaumi.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264692; rev:1;) alert tcp $HOME_NET any -> [45.145.166.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarkanary1.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_05_01; classtype:trojan-activity; sid:91264674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"justloki.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_05_01; classtype:trojan-activity; sid:91264653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dinets.best"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"pdd888167.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264657; rev:1;) alert tcp $HOME_NET any -> [185.215.113.117] 30711 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264662; rev:1;) alert tcp $HOME_NET any -> 
[45.137.22.186] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ytere.elementfx.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_05_01; classtype:trojan-activity; sid:91264731; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264725; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264724; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/pttfrp.php"; depth:42; nocase; http.host; content:"unokodkelas.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/6rndt2.php"; depth:50; nocase; http.host; content:"rariate.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/qshgfl.php"; depth:46; nocase; http.host; content:"polarishousingsystems.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/i4imyy.php"; depth:42; nocase; http.host; content:"dorseydorse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/plxka3.php"; depth:50; nocase; http.host; content:"barliam.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/6rndt2.php"; depth:50; nocase; http.host; content:"rariate.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ph/wp-content/themes/twentytwentythree/plxka3.php"; depth:50; nocase; http.host; content:"barliam.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/qshgfl.php"; depth:46; nocase; http.host; content:"polarishousingsystems.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/hello-elementor/t745ny.php"; depth:45; nocase; http.host; content:"www.judicialconsulting.es"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/pttfrp.php"; depth:42; nocase; http.host; content:"unokodkelas.cl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264679; rev:1;) alert tcp $HOME_NET any -> [45.156.23.186] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_30; classtype:trojan-activity; sid:91264677; rev:1;) alert tcp $HOME_NET any -> [5.42.107.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264673; rev:1;) alert tcp $HOME_NET any -> [91.92.249.182] 34419 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264672; rev:1;) alert tcp $HOME_NET any -> [216.83.42.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264671; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 2558 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264670; rev:1;) alert tcp $HOME_NET any -> [2.31.159.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264669; rev:1;) alert 
tcp $HOME_NET any -> [14.1.98.189] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264668; rev:1;) alert tcp $HOME_NET any -> [31.192.107.143] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264667; rev:1;) alert tcp $HOME_NET any -> [159.223.220.207] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264666; rev:1;) alert tcp $HOME_NET any -> [164.92.231.251] 10000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264665; rev:1;) alert tcp $HOME_NET any -> [128.14.237.229] 8888 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264664; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 5004 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264663/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hobobo.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264659; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"racess.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hobobo.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"racess.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264658; rev:1;) alert tcp $HOME_NET any -> [154.19.164.108] 446 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264656/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomus.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264649; rev:1;) alert tcp $HOME_NET any -> [135.148.153.89] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.3.min.js"; depth:20; nocase; http.host; content:"114.132.120.166"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264648; rev:1;) alert tcp $HOME_NET any -> [45.149.172.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.36.117.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264646/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264646; rev:1;) alert tcp $HOME_NET any -> [5.161.191.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"fibersee.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fibersee.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264644; rev:1;) alert tcp $HOME_NET any -> [152.42.128.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/i3less01"; depth:9; nocase; http.host; content:"178.208.87.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264641/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"107.175.158.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.56.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"117.72.65.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264637; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.69.129.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264635; rev:1;) alert tcp $HOME_NET any -> [103.69.129.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shaffatta.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apidevwa.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264632; rev:1;) alert tcp $HOME_NET any -> [31.220.40.22] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/fdca69ae739b4897.php"; depth:21; nocase; http.host; content:"shaffatta.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/return-of-space-setup.rar"; depth:35; nocase; http.host; content:"returnofspace.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"returnofspace.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264613; rev:1;) alert tcp $HOME_NET any -> [31.41.44.97] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apidevst.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.158.21.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.173.30.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264633; rev:1;) alert tcp $HOME_NET any -> [119.91.229.161] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns4.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.tencentupdate.buzz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264624; rev:1;) alert tcp $HOME_NET any -> [111.229.214.58] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.icbcbc.com.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oss.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.icbcbc.com.cn"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailtest.icbcbc.com.cn"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264619; rev:1;) alert tcp $HOME_NET any -> [64.44.83.130] 2465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264618; rev:1;) alert tcp $HOME_NET any -> [192.144.233.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"192.144.233.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"116.62.197.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264607/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_30; classtype:trojan-activity; sid:91264607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"finance.kumbaraan.biz.id"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.220.28.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264603; rev:1;) alert tcp $HOME_NET any -> [192.253.251.131] 1780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264600; rev:1;) alert tcp $HOME_NET any -> [159.65.236.136] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264599; rev:1;) alert tcp $HOME_NET any -> [88.255.228.65] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264590; rev:1;) alert tcp $HOME_NET any -> [88.255.228.67] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264591; rev:1;) alert tcp $HOME_NET any -> [88.255.228.71] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264592; rev:1;) alert tcp $HOME_NET any -> [88.255.228.87] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264593; rev:1;) alert tcp $HOME_NET any -> [188.166.233.47] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264594; rev:1;) alert tcp $HOME_NET any -> [139.59.244.228] 9043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264595; rev:1;) alert tcp $HOME_NET any -> [152.42.162.206] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264596; rev:1;) alert tcp $HOME_NET any -> [128.199.77.233] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264597; rev:1;) alert tcp $HOME_NET any -> [134.209.93.75] 4546 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264598; rev:1;) alert tcp $HOME_NET any -> [185.178.231.9] 42167 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264583; rev:1;) alert tcp $HOME_NET any -> [185.178.231.9] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264584; rev:1;) alert tcp $HOME_NET any -> [37.120.247.189] 5432 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264585; rev:1;) alert tcp $HOME_NET any -> [156.247.10.49] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264586; rev:1;) alert tcp $HOME_NET any -> [111.230.102.189] 10233 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264587; rev:1;) alert tcp $HOME_NET any -> [194.76.225.12] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264588; rev:1;) alert tcp $HOME_NET any -> [85.243.246.80] 11117 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264589; rev:1;) alert tcp $HOME_NET any -> [192.210.243.200] 21 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264576; rev:1;) alert tcp $HOME_NET any -> [101.35.153.30] 60030 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264577; rev:1;) alert tcp $HOME_NET any -> [101.35.153.30] 
61122 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264578; rev:1;) alert tcp $HOME_NET any -> [147.45.75.169] 1234 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264579; rev:1;) alert tcp $HOME_NET any -> [194.27.78.73] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264580; rev:1;) alert tcp $HOME_NET any -> [91.212.166.11] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264581; rev:1;) alert tcp $HOME_NET any -> [185.178.231.9] 37582 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264582; rev:1;) alert tcp $HOME_NET any -> [80.78.23.130] 32579 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264567/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264567; rev:1;) alert tcp $HOME_NET any -> [185.81.29.119] 888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264568; rev:1;) alert tcp $HOME_NET any -> [88.255.228.75] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264569; rev:1;) alert tcp $HOME_NET any -> [95.179.161.101] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264570; rev:1;) alert tcp $HOME_NET any -> [147.135.92.133] 9001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264571; rev:1;) alert tcp $HOME_NET any -> [51.79.147.232] 8848 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264572; rev:1;) alert tcp $HOME_NET any -> [51.79.147.232] 8849 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264573; rev:1;) alert tcp $HOME_NET any -> [87.240.92.152] 8089 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264574; rev:1;) alert tcp $HOME_NET any -> [124.117.212.178] 17885 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264575; rev:1;) alert tcp $HOME_NET any -> [143.42.77.165] 4003 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264560; rev:1;) alert tcp $HOME_NET any -> [124.156.213.48] 9190 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264561; rev:1;) alert tcp $HOME_NET any -> [124.156.213.48] 9195 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264562; rev:1;) alert tcp $HOME_NET any -> [106.14.90.167] 54321 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264563; rev:1;) alert tcp $HOME_NET any -> [143.107.118.119] 1337 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264564; rev:1;) alert tcp $HOME_NET any -> [194.164.198.171] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264565; rev:1;) alert tcp $HOME_NET any -> [132.232.207.111] 2012 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264566; rev:1;) alert tcp $HOME_NET any -> [124.221.85.42] 59326 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264550; rev:1;) alert tcp $HOME_NET any -> [90.58.232.165] 2404 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264551; rev:1;) alert tcp $HOME_NET any -> [106.249.249.42] 69 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264552; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 8520 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264553; rev:1;) alert tcp $HOME_NET any -> [138.128.245.94] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264554; rev:1;) alert tcp $HOME_NET any -> [94.237.26.141] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264555; rev:1;) alert tcp $HOME_NET any -> [101.200.86.179] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264556; rev:1;) alert tcp $HOME_NET any -> [134.195.90.65] 4444 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264557; rev:1;) alert tcp $HOME_NET any -> [71.226.250.46] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264558; rev:1;) alert tcp $HOME_NET any -> [143.42.77.165] 4001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264559; rev:1;) alert tcp $HOME_NET any -> [23.168.152.123] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264541; rev:1;) alert tcp $HOME_NET any -> [152.136.174.227] 111 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264542; rev:1;) alert tcp $HOME_NET any -> [189.130.114.202] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264543/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264543; rev:1;) alert tcp $HOME_NET any -> [189.130.114.202] 9090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264544; rev:1;) alert tcp $HOME_NET any -> [122.10.12.198] 7777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264545; rev:1;) alert tcp $HOME_NET any -> [122.10.12.198] 8866 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264546; rev:1;) alert tcp $HOME_NET any -> [188.132.165.122] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264547; rev:1;) alert tcp $HOME_NET any -> [45.120.177.168] 20491 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264548; rev:1;) alert tcp $HOME_NET any -> [54.77.163.254] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264549; rev:1;) alert tcp $HOME_NET any -> [8.134.151.154] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264533; rev:1;) alert tcp $HOME_NET any -> [52.204.15.224] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264534; rev:1;) alert tcp $HOME_NET any -> [5.181.23.2] 17482 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264535; rev:1;) alert tcp $HOME_NET any -> [47.108.137.180] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264536; rev:1;) alert tcp $HOME_NET any -> [69.197.135.34] 8000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264537; rev:1;) alert tcp $HOME_NET any -> [69.197.135.34] 9999 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264538; rev:1;) alert tcp $HOME_NET any -> [189.130.141.19] 8443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264539; rev:1;) alert tcp $HOME_NET any -> [189.130.141.19] 9090 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264540; rev:1;) alert tcp $HOME_NET any -> [180.168.35.68] 17885 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264526; rev:1;) alert tcp $HOME_NET any -> [170.244.164.110] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264527; rev:1;) alert tcp $HOME_NET any -> [147.78.47.184] 1443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264528; rev:1;) alert tcp $HOME_NET any -> [49.89.136.49] 7890 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264529; rev:1;) alert tcp $HOME_NET any -> [148.135.35.177] 80 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264530; rev:1;) alert tcp $HOME_NET any -> [148.135.35.177] 90 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264531; rev:1;) alert tcp $HOME_NET any -> [179.60.150.151] 8080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264532; rev:1;) alert tcp $HOME_NET any -> [111.42.219.3] 18002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264517; rev:1;) alert tcp $HOME_NET any -> [123.60.148.51] 4621 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264518; rev:1;) alert tcp $HOME_NET any -> [123.60.148.51] 4622 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264519; rev:1;) alert tcp $HOME_NET any -> [90.188.237.87] 4443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264520; rev:1;) alert tcp $HOME_NET any -> [45.61.136.150] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264521; rev:1;) alert tcp $HOME_NET any -> [45.118.145.224] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264522; rev:1;) alert tcp $HOME_NET any -> [88.214.24.119] 9393 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264523/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264523; rev:1;) alert tcp $HOME_NET any -> [192.3.103.58] 20024 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264524; rev:1;) alert tcp $HOME_NET any -> [154.92.22.143] 8088 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264525; rev:1;) alert tcp $HOME_NET any -> [65.108.5.194] 9043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264511; rev:1;) alert tcp $HOME_NET any -> [37.135.123.157] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264512; rev:1;) alert tcp $HOME_NET any -> [45.145.43.140] 8888 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264513; rev:1;) alert tcp $HOME_NET any -> [52.31.159.183] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264514; rev:1;) alert tcp $HOME_NET any -> [88.255.228.74] 22222 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264515; rev:1;) alert tcp $HOME_NET any -> [197.46.143.141] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264516; rev:1;) alert tcp $HOME_NET any -> [112.74.55.109] 19002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264501; rev:1;) alert tcp $HOME_NET any -> [112.74.55.109] 20002 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264502; rev:1;) alert tcp $HOME_NET any -> [206.42.37.212] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264503; rev:1;) alert tcp $HOME_NET any -> [37.1.200.46] 4446 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264504; rev:1;) alert tcp $HOME_NET any -> [18.141.129.246] 18080 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264505; rev:1;) alert tcp $HOME_NET any -> [144.76.155.4] 11117 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264506; rev:1;) alert tcp $HOME_NET any -> [216.137.179.214] 1337 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264507; rev:1;) alert tcp $HOME_NET any -> [51.161.194.168] 5 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264508; rev:1;) alert tcp $HOME_NET any -> [146.70.54.90] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1264509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264509; rev:1;) alert tcp $HOME_NET any -> [65.108.5.194] 8043 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264510; rev:1;) alert tcp $HOME_NET any -> [39.108.246.91] 16202 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264498; rev:1;) alert tcp $HOME_NET any -> [193.188.22.9] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264499; rev:1;) alert tcp $HOME_NET any -> [112.74.55.109] 18602 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264497/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dhl"; depth:4; nocase; http.host; content:"finance.kumbaraan.biz.id"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance.kumbaraan.biz.id"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ee"; depth:3; nocase; http.host; content:"breakingnews.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"breakingnews.kumbaraan.biz.id"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; 
nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.crnbchina.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264488; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.crnbchina.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"jyjgoyydia.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_30; classtype:trojan-activity; sid:91264481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8cgp/"; depth:6; nocase; http.host; content:"www.arilyfarlico.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arilyfarlico.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.arilyfarlico.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; 
classtype:trojan-activity; sid:91264486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"herioscheats.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xkoic3y.dekma-gay.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264482; rev:1;) alert tcp $HOME_NET any -> [163.5.160.27] 51523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xysk5eeyj0j5n.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_30; classtype:trojan-activity; sid:91264474; rev:1;) alert tcp $HOME_NET any -> [5.182.87.218] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264472; rev:1;) alert tcp $HOME_NET any -> [5.42.101.189] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264471; rev:1;) alert tcp $HOME_NET any -> [5.42.101.184] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264470; rev:1;) alert tcp $HOME_NET any -> [45.204.153.249] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264469; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264468; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264467; rev:1;) 
alert tcp $HOME_NET any -> [154.248.27.182] 22222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264466; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264465; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 993 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264464; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 17150 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264463; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 15284 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264462; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 56670 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264461/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264461; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 1200 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264460; rev:1;) alert tcp $HOME_NET any -> [46.246.86.14] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264459; rev:1;) alert tcp $HOME_NET any -> [20.117.109.69] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264458; rev:1;) alert tcp $HOME_NET any -> [159.223.220.207] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264457; rev:1;) alert tcp $HOME_NET any -> [159.223.220.207] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264456; rev:1;) alert tcp $HOME_NET any -> [164.92.231.251] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264455; rev:1;) alert tcp $HOME_NET any -> [164.92.231.251] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_30; classtype:trojan-activity; sid:91264454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyn777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264453; rev:1;) alert tcp $HOME_NET any -> [45.141.215.185] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264452; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 39209 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264419/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"analysis-minolta.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264420/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; 
sid:91264420; rev:1;) alert tcp $HOME_NET any -> [45.13.227.201] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264423/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264423; rev:1;) alert tcp $HOME_NET any -> [94.156.79.197] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xkoic3y.dekma-gay.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_30; classtype:trojan-activity; sid:91264431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevmpipepythonjavascriptauthlocal.php"; depth:41; nocase; http.host; content:"994609cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264451; rev:1;) alert tcp $HOME_NET any -> [45.32.196.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"45.32.196.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264449; rev:1;) alert tcp $HOME_NET any -> [85.159.231.54] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264448; rev:1;) alert tcp $HOME_NET any -> [5.75.213.100] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264445; rev:1;) alert tcp $HOME_NET any -> [95.217.242.142] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264446; rev:1;) alert tcp $HOME_NET any -> [49.12.115.59] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.115.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graims.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199680449169"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r1g1o"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91264441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"graims.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bim.msi"; depth:8; nocase; http.host; content:"185.219.220.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security_check/"; depth:16; nocase; http.host; content:"dimozti1.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/v0/b/case-419310.appspot.com/o/czczc1lrbt%2fdocument_b48_15w635167-5740247h6548-3238a9.js"; depth:90; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0948640.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264434; rev:1;) alert tcp $HOME_NET any -> [94.232.45.84] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264432/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264432; rev:1;) alert tcp $HOME_NET any -> [85.239.33.247] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264433/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"192.252.182.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91264429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"lebondogicoin.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lebondogicoin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; content:"ikea0.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikea0.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dequeue/mqseries/d7w0gtjfy"; depth:27; nocase; http.host; 
content:"91.238.181.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai-nro.space"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.pro"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264422; rev:1;) alert tcp $HOME_NET any -> [45.67.229.3] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264418; rev:1;) alert tcp $HOME_NET any -> [104.238.161.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264417; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 995 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91264416; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 502 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264415; rev:1;) alert tcp $HOME_NET any -> [46.246.86.14] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264414; rev:1;) alert tcp $HOME_NET any -> [2.88.152.124] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264413; rev:1;) alert tcp $HOME_NET any -> [78.167.159.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264412; rev:1;) alert tcp $HOME_NET any -> [50.60.142.192] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264411; rev:1;) alert tcp $HOME_NET any -> [164.92.231.251] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1264410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264410; rev:1;) alert tcp $HOME_NET any -> [38.6.199.111] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264409; rev:1;) alert tcp $HOME_NET any -> [77.68.73.99] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264408; rev:1;) alert tcp $HOME_NET any -> [163.181.141.79] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264407; rev:1;) alert tcp $HOME_NET any -> [35.171.228.255] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264406; rev:1;) alert tcp $HOME_NET any -> [195.189.96.70] 27443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264405; rev:1;) alert tcp $HOME_NET any -> [38.207.179.24] 7443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264404; rev:1;) alert tcp $HOME_NET any -> [95.179.159.107] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91264403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpollprotecttrafficwordpresslocaltempdownloads.php"; depth:57; nocase; http.host; content:"055442cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264402; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264400; rev:1;) alert tcp $HOME_NET any -> [47.243.26.247] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264401; rev:1;) alert tcp $HOME_NET any -> [8.210.220.109] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.99.188.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264398; rev:1;) alert tcp $HOME_NET any -> [47.99.188.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264397; rev:1;) alert tcp $HOME_NET any -> [39.104.66.132] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"52.190.15.163"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264395; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
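track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264394; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//api/x"; depth:7; nocase; http.host; content:"service-hh4fmtad-1321953982.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264392; rev:1;)
# sid:91264393 - the submitted IOC carried a trailing "/" and the generator copied it into the dns_query
# pattern. A DNS query name never contains "/", and with isdataat:!1,relative demanding end-of-buffer right
# after it, the rule could never match. The pattern is trimmed to the bare hostname (the same value the
# http.host check of sid:91264392 uses), depth corrected from 48 to 47, and rev bumped to record the change.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hh4fmtad-1321953982.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264393; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264384; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 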
classtype:trojan-activity; sid:91264385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"dinets.best"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"nanoderecho.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/original.js"; depth:19; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/per.php"; depth:15; nocase; http.host; content:"pixelread.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polldbsecureuploads/datalife21sql/58/5db/temporary4wordpress/image/videosecureauthbaseasynctrafficcdn.php"; depth:106; nocase; http.host; content:"85.159.231.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264391; rev:1;) alert tcp $HOME_NET any -> [150.95.109.27] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264125; rev:1;) alert tcp $HOME_NET any -> [85.60.29.68] 8889 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264124; rev:1;) alert tcp $HOME_NET any -> [93.123.85.113] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264117; rev:1;) alert tcp $HOME_NET any -> [154.197.110.188] 5667 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264118; rev:1;) alert tcp $HOME_NET any -> [31.220.1.44] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264119; rev:1;) alert tcp $HOME_NET any -> [154.197.110.191] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264120; rev:1;) alert tcp $HOME_NET any -> [93.123.85.112] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264121; rev:1;) alert tcp $HOME_NET any -> [94.156.248.20] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"156.245.13.36"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1264123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264123; rev:1;) alert tcp $HOME_NET any -> [92.63.176.42] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264105; rev:1;) alert tcp $HOME_NET any -> [141.8.198.223] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264106; rev:1;) alert tcp $HOME_NET any -> [147.45.125.182] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264107; rev:1;) alert tcp $HOME_NET any -> [5.42.100.119] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264108; rev:1;) alert tcp $HOME_NET any -> [45.130.201.28] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"premium.davidabostic.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1264115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot5239412158:aahxn8rc3uvbhy_kv77gticxcuvbuxckd_8/"; depth:51; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia-life.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"icebrasilpr.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"h-c-v.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264110/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"cellc.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264109; rev:1;) alert tcp $HOME_NET any -> [162.218.115.202] 26392 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1264104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91264104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.135.5.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.101.205.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.98.115.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264000/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"39.98.204.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264001/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; 
http.host; content:"23.95.233.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"38.55.97.170"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263998/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"38.181.25.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"23.94.66.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263996/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.213.212.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263991/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.222.130.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"20.2.223.147"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.217.200.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.218.138.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.142.124.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.212.183.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"4.224.84.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"8.137.59.132"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"39.105.213.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.129.31.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.139.113.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.112.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.143.130.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264009/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_29; classtype:trojan-activity; sid:91264009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.153.207.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.163.240.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.198.238.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.98.158.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.94.88.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.98.188.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.108.204.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.113.219.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"47.242.8.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264018/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.95.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264019/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"49.233.206.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"52.26.153.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"54.202.238.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264022/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_29; classtype:trojan-activity; sid:91264022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"60.204.232.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"62.234.26.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"74.48.60.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264025/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"97.74.93.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.34.243.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.37.13.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264028/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"101.200.214.198"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264029/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.106.190.156"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; 
content:"103.209.129.193"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264032/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"106.75.66.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264033/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.16.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.151.245.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264034/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.141.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.196.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.173.201.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.174.93.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.174.254.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"110.40.139.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.173.117.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.223.247.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; 
nocase; http.host; content:"111.223.247.232"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.231.145.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"114.55.100.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"114.115.180.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"116.255.216.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264048/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.9.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264049/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.38.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.64.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"117.72.74.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264052/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"118.123.1.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264053/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.29.249.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.45.17.224"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"119.45.219.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264056/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/supershell/login"; depth:17; nocase; http.host; content:"120.26.224.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"120.46.39.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"120.46.59.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264059/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.61.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.105.186"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1264061/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.36.219.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"121.199.78.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.114.26.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.56.214.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264065; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.57.3.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264066/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.57.137.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.207.16.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264068/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.249.35.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.249.87.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.70.143.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264071/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"124.221.56.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264072/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.9.65.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.199.2.99"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1264075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.9.117.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"146.56.214.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264076/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"146.56.237.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264077/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"150.109.241.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264078; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"152.32.219.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"154.12.90.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"159.75.180.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.90"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.214.135.105"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264083/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"162.215.23.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264086/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.85"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1264087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264089/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; 
sid:91264091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.126"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"168.76.120.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.91.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264102/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.134.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1264103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91264103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.220.6.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.139.52.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263982; rev:1;) alert tcp $HOME_NET any -> [47.120.52.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263981; rev:1;) alert tcp $HOME_NET any -> [42.193.128.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"42.193.128.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"123.206.115.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263978; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 55554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.gfyl.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"162.14.73.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.115.215.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"35.229.251.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263973; rev:1;) alert tcp $HOME_NET any -> [134.122.130.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263972/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_29; classtype:trojan-activity; sid:91263972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.220.148.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263970; rev:1;) alert tcp $HOME_NET any -> [134.122.130.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"134.122.130.181"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263968; rev:1;) alert tcp $HOME_NET any -> [20.150.193.240] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1263965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263965; rev:1;) alert tcp $HOME_NET any -> [87.120.84.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263966; rev:1;) alert tcp $HOME_NET any -> [193.233.132.22] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yi3h"; depth:5; nocase; http.host; content:"47.243.59.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263964/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263964; rev:1;) alert tcp $HOME_NET any -> [124.223.176.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263962; rev:1;) alert tcp $HOME_NET any -> [152.136.128.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263963/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_29; classtype:trojan-activity; sid:91263963; rev:1;) alert tcp $HOME_NET any -> [117.72.38.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263961; rev:1;) alert tcp $HOME_NET any -> [101.34.71.193] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263960; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263957; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263958; rev:1;) alert tcp $HOME_NET any -> [97.74.93.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263959; rev:1;) alert tcp $HOME_NET any -> [192.227.146.240] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263950; rev:1;) alert tcp $HOME_NET any -> [195.128.249.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263951; rev:1;) alert tcp $HOME_NET any -> [198.46.190.54] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263952; rev:1;) alert tcp $HOME_NET any -> [202.44.54.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263953; rev:1;) alert tcp $HOME_NET any -> [211.97.157.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263954; rev:1;) alert tcp $HOME_NET any -> [211.97.157.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263955; rev:1;) alert tcp $HOME_NET any -> [211.97.157.214] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263956; rev:1;) alert tcp $HOME_NET any -> [180.101.25.48] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263945; rev:1;) alert tcp $HOME_NET any -> [185.230.228.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263946; rev:1;) alert tcp $HOME_NET any -> [185.230.228.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263947; rev:1;) alert tcp $HOME_NET any -> [185.230.228.141] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263948; rev:1;) alert tcp $HOME_NET any -> [192.187.126.122] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263949; rev:1;) alert tcp $HOME_NET any -> [154.12.62.33] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263939; rev:1;) alert tcp $HOME_NET any -> [154.205.138.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263940; rev:1;) alert tcp $HOME_NET any -> [154.205.138.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263941; rev:1;) alert tcp $HOME_NET any -> [154.222.233.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263942; rev:1;) alert tcp $HOME_NET any -> [162.14.69.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263943; rev:1;) alert tcp $HOME_NET any -> [167.88.177.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263944; rev:1;) alert tcp $HOME_NET any -> [141.11.209.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263931; rev:1;) alert tcp $HOME_NET any -> [141.164.43.11] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263932; rev:1;) alert tcp $HOME_NET any -> [142.171.80.217] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263933; rev:1;) alert tcp $HOME_NET any -> [149.88.77.142] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263934; rev:1;) alert tcp $HOME_NET any -> [149.104.24.126] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263935; rev:1;) alert tcp $HOME_NET any -> [149.104.31.71] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263936; rev:1;) alert tcp $HOME_NET any -> [150.158.116.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263937; rev:1;) alert tcp $HOME_NET any -> [154.8.182.3] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263938; rev:1;) alert tcp $HOME_NET any -> [124.221.38.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263926; rev:1;) alert tcp $HOME_NET any -> [124.222.125.194] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263927; rev:1;) alert tcp $HOME_NET any -> [125.122.27.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263928; rev:1;) alert tcp $HOME_NET any -> [129.226.215.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263929; rev:1;) alert tcp $HOME_NET any -> [139.159.253.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263930; rev:1;) alert tcp $HOME_NET any -> [122.51.223.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263920; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263921; rev:1;) alert tcp $HOME_NET any -> [123.60.104.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263922; rev:1;) alert tcp $HOME_NET any -> [123.249.100.205] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263923; rev:1;) alert tcp $HOME_NET any -> [124.70.99.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263924; rev:1;) alert tcp $HOME_NET any -> [124.220.70.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263925; rev:1;) alert tcp $HOME_NET any -> [119.91.49.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263912; rev:1;) alert tcp $HOME_NET any -> [120.78.133.59] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263913; rev:1;) alert tcp $HOME_NET any -> [120.78.147.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263914; rev:1;) alert tcp $HOME_NET any -> [121.36.61.185] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263915; rev:1;) alert tcp $HOME_NET any -> [121.40.131.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263916; rev:1;) alert tcp $HOME_NET any -> [121.40.201.213] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263917; rev:1;) alert tcp $HOME_NET any -> [121.127.252.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263918; rev:1;) alert tcp $HOME_NET any -> [121.196.154.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263919; rev:1;) alert tcp $HOME_NET any -> [111.231.145.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263905; rev:1;) alert tcp $HOME_NET any -> [112.74.99.79] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263906; rev:1;) alert tcp $HOME_NET any -> [116.204.211.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263907; rev:1;) alert tcp $HOME_NET any -> [117.72.13.191] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263908; rev:1;) alert tcp $HOME_NET any -> [118.24.35.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263909; rev:1;) alert tcp $HOME_NET any -> [118.89.72.87] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263910; rev:1;) alert tcp $HOME_NET any -> [119.3.157.129] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263911; rev:1;) alert tcp $HOME_NET any -> [103.146.179.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263899; rev:1;) alert tcp $HOME_NET any -> [103.147.13.101] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263900; rev:1;) alert tcp $HOME_NET any -> [104.167.222.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263901; rev:1;) alert tcp $HOME_NET any -> [106.75.30.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263902; rev:1;) alert tcp $HOME_NET any -> [109.107.140.195] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263903; rev:1;) alert tcp $HOME_NET any -> [110.41.46.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263904; rev:1;) alert tcp $HOME_NET any -> [101.42.247.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263895; rev:1;) alert tcp $HOME_NET any -> [101.200.121.185] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263896; rev:1;) alert tcp $HOME_NET any -> [101.200.214.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263897; rev:1;) alert tcp $HOME_NET any -> [103.140.249.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263898; rev:1;) alert tcp $HOME_NET any -> [61.164.242.162] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263890; rev:1;) alert tcp $HOME_NET any -> [65.49.202.75] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263891; rev:1;) alert tcp $HOME_NET any -> [72.18.214.132] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263892; rev:1;) alert tcp $HOME_NET any -> [74.48.183.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263893; rev:1;) alert tcp $HOME_NET any -> [82.156.175.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263894; rev:1;) alert tcp $HOME_NET any -> [47.108.69.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263883; rev:1;) alert tcp $HOME_NET any -> [47.108.204.218] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263884; rev:1;) alert tcp $HOME_NET any -> [47.109.69.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263885; rev:1;) alert tcp $HOME_NET any -> [47.116.222.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263886; rev:1;) alert tcp $HOME_NET any -> [47.120.74.19] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263887; rev:1;) alert tcp $HOME_NET any -> [47.122.41.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263888; rev:1;) alert tcp $HOME_NET any -> [47.122.62.76] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263889; rev:1;) alert tcp $HOME_NET any -> [43.138.148.100] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263874; rev:1;) alert tcp $HOME_NET any -> [43.139.67.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263875; rev:1;) alert tcp $HOME_NET any -> [43.142.18.154] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263876; rev:1;) alert tcp $HOME_NET any -> [43.143.165.189] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263877; rev:1;) alert tcp $HOME_NET any -> [45.76.183.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263878; rev:1;) alert tcp $HOME_NET any -> [45.76.204.225] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263879; rev:1;) alert tcp $HOME_NET any -> [45.145.43.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263880; rev:1;) alert tcp $HOME_NET any -> [45.152.64.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263881; rev:1;) alert tcp $HOME_NET any -> [47.94.96.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; 
sid:91263882; rev:1;) alert tcp $HOME_NET any -> [38.55.234.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263862; rev:1;) alert tcp $HOME_NET any -> [38.55.235.60] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263863; rev:1;) alert tcp $HOME_NET any -> [38.181.57.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263864; rev:1;) alert tcp $HOME_NET any -> [38.181.78.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263865; rev:1;) alert tcp $HOME_NET any -> [38.242.201.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263866; rev:1;) alert tcp $HOME_NET any -> [39.99.226.34] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263867; rev:1;) alert tcp $HOME_NET any -> [39.100.80.109] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263868; rev:1;) alert tcp $HOME_NET any -> [39.107.252.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263869; rev:1;) alert tcp $HOME_NET any -> [39.164.4.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263870; rev:1;) alert tcp $HOME_NET any -> [42.193.10.78] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263871; rev:1;) alert tcp $HOME_NET any -> [43.129.26.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263872; rev:1;) alert 
tcp $HOME_NET any -> [43.136.86.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263873; rev:1;) alert tcp $HOME_NET any -> [23.91.97.35] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263850; rev:1;) alert tcp $HOME_NET any -> [23.225.145.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263851; rev:1;) alert tcp $HOME_NET any -> [23.225.145.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263852; rev:1;) alert tcp $HOME_NET any -> [23.225.145.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263853; rev:1;) alert tcp $HOME_NET any -> [23.225.145.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1263854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263854; rev:1;) alert tcp $HOME_NET any -> [23.225.145.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263855; rev:1;) alert tcp $HOME_NET any -> [34.121.199.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263856; rev:1;) alert tcp $HOME_NET any -> [35.93.178.73] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263857; rev:1;) alert tcp $HOME_NET any -> [36.133.104.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263858; rev:1;) alert tcp $HOME_NET any -> [36.213.14.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263859; rev:1;) alert tcp $HOME_NET any -> 
[38.6.216.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263860; rev:1;) alert tcp $HOME_NET any -> [38.12.30.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263861; rev:1;) alert tcp $HOME_NET any -> [1.94.183.97] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263840; rev:1;) alert tcp $HOME_NET any -> [8.130.114.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263841; rev:1;) alert tcp $HOME_NET any -> [8.130.126.41] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263842; rev:1;) alert tcp $HOME_NET any -> [8.130.165.254] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263843; rev:1;) alert tcp $HOME_NET any -> [8.134.57.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263844; rev:1;) alert tcp $HOME_NET any -> [8.138.21.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263845; rev:1;) alert tcp $HOME_NET any -> [8.138.87.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263846; rev:1;) alert tcp $HOME_NET any -> [8.149.142.195] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263847; rev:1;) alert tcp $HOME_NET any -> [8.210.53.160] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263848; rev:1;) alert tcp $HOME_NET any -> [8.219.161.156] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263849; rev:1;) alert tcp $HOME_NET any -> [1.92.112.211] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263839; rev:1;) alert tcp $HOME_NET any -> [192.3.216.140] 22337 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263838; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263837; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 1670 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263833; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263834/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263834; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263835; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263836; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263831; rev:1;) alert tcp $HOME_NET any -> [187.135.142.149] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263832; rev:1;) alert tcp $HOME_NET any -> [187.135.138.104] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263829; rev:1;) alert tcp $HOME_NET any -> [187.135.138.104] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263830; rev:1;)
# ip:port entries: the only match criterion is the destination IP/port pair. There is
# no flow keyword, so an unanswered outbound SYN toward the pair is enough to fire;
# "threshold: type limit, track by_src, seconds 60, count 1" then caps it at one alert
# per internal source per 60 s, and target:src_ip tags that internal host as the victim.
# first_seen is presumably when ThreatFox first recorded the indicator, not a last-seen
# time; the reference:url is where to confirm the entry is still current before blocking.
alert tcp $HOME_NET any -> [187.21.210.99] 8085 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263828; rev:1;)
alert tcp $HOME_NET any -> [123.207.198.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263827; rev:1;)
alert tcp $HOME_NET any -> [157.254.223.10] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263826; rev:1;)
alert tcp $HOME_NET any -> [111.173.116.29] 8541 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263825; rev:1;)
# domain entry: depth:43 is the full length of the name and isdataat:!1,relative
# requires nothing after it, so only the exact query name matches (subdomains and
# other suffixes do not); nocase covers mixed-case lookups. The name imitates a
# Microsoft hostname, but its registrable domain is volcgslb-mlt.com.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263823; rev:1;)
alert tcp $HOME_NET any -> [39.100.109.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263824; rev:1;)
# url entry: http.method pins GET and http.host is an exact full-length match, but the
# http.uri content carries only a depth (no trailing isdataat), so the path is anchored
# at the start only and a query string after it still matches. Unlike the ip:port
# rules, flow:established,from_client requires a completed handshake.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"visualstudio.microsoft.com.volcgslb-mlt.com"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263822; rev:1;)
alert tcp $HOME_NET any -> [202.188.41.26] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263821; rev:1;)
alert tcp $HOME_NET any -> [181.162.156.123] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263820; rev:1;)
alert tcp $HOME_NET any -> [121.184.1.234] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263819; rev:1;)
alert tcp $HOME_NET any -> [45.144.30.147] 4747 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263818; rev:1;)
alert tcp $HOME_NET any -> [78.185.140.143] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263817; rev:1;)
alert tcp $HOME_NET any -> [41.43.199.238] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263816; rev:1;)
alert tcp $HOME_NET any -> [194.147.115.133] 9282 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263815; rev:1;)
alert tcp $HOME_NET any -> [159.223.219.19] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263814; rev:1;)
alert tcp $HOME_NET any -> [128.90.159.240] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263813; rev:1;)
alert tcp $HOME_NET any -> [128.90.128.169] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263812; rev:1;)
# sid:91263811 (url) and sid:91263810 (ip:port) describe the same host, 91.92.251.108:80;
# the ip:port rule has the looser precondition (no flow, no HTTP parsing) and is the one
# to expect first when both are loaded.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"91.92.251.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263811; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263810; rev:1;)
# confidence_level 75 (this rule and the next): lower ThreatFox confidence than the
# surrounding 100% entries — better suited to alert-only handling than to blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"apolovapers.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263758; rev:1;)
alert tcp $HOME_NET any -> [46.226.160.88] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263801; 
rev:1;) alert tcp $HOME_NET any -> [91.92.247.164] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263809; rev:1;) alert tcp $HOME_NET any -> [91.92.245.12] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263808; rev:1;) alert tcp $HOME_NET any -> [91.92.244.120] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263806; rev:1;) alert tcp $HOME_NET any -> [91.92.242.244] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263804; rev:1;) alert tcp $HOME_NET any -> [78.142.18.164] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263802; rev:1;) alert tcp $HOME_NET any -> [77.221.151.20] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263799; rev:1;) alert tcp $HOME_NET any 
-> [51.159.234.90] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263796; rev:1;) alert tcp $HOME_NET any -> [216.250.252.159] 50545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263795/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.120.178.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263794/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_29; classtype:trojan-activity; sid:91263794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263793; rev:1;) alert tcp $HOME_NET any -> [45.120.178.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263792; rev:1;) alert tcp $HOME_NET any -> [14.225.219.252] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"142.171.51.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263790; rev:1;) alert tcp $HOME_NET any -> [142.171.51.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263789; rev:1;) alert tcp $HOME_NET any -> [148.135.36.77] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24kawys.onflashdrive.app"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263787; rev:1;) alert tcp $HOME_NET any -> [193.134.209.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263786; rev:1;) alert tcp $HOME_NET any -> [149.104.25.85] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263784; rev:1;) alert tcp $HOME_NET any -> [149.104.25.85] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"cms.nawwan.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263783; rev:1;) alert tcp $HOME_NET any -> [45.152.64.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263782; rev:1;) alert tcp $HOME_NET any -> [38.147.170.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"faceboy.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/udv4kciwnyksdzob3mbtibdhlviceevlp"; depth:51; nocase; http.host; content:"faceboy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"149.88.82.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263776; rev:1;) alert tcp $HOME_NET any -> [149.88.82.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263775; rev:1;) alert tcp $HOME_NET any -> [34.65.208.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263774; rev:1;) alert tcp $HOME_NET any -> [107.191.57.190] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263773; rev:1;) alert tcp $HOME_NET any -> [64.176.56.196] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263772; rev:1;) alert tcp $HOME_NET any -> [207.154.255.140] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263771; rev:1;) alert tcp $HOME_NET any -> [207.154.242.220] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263770; rev:1;) alert tcp $HOME_NET any -> [103.14.226.21] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263769; rev:1;) alert tcp $HOME_NET any -> [142.93.43.244] 50000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263768; rev:1;) alert tcp $HOME_NET any -> [47.237.93.202] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263767; rev:1;) alert tcp $HOME_NET any -> [8.219.156.34] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.prsix.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263765; rev:1;) alert tcp $HOME_NET any -> [8.217.109.157] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263764; rev:1;) alert tcp $HOME_NET any -> [185.73.125.96] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263763; rev:1;) alert tcp $HOME_NET any -> [123.60.182.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263762; rev:1;) alert tcp $HOME_NET any -> [121.36.226.214] 5556 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.170.160"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263760; rev:1;) alert tcp $HOME_NET any -> [60.204.170.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263759; rev:1;) alert tcp $HOME_NET any -> [195.201.248.34] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263755; rev:1;) alert tcp $HOME_NET any -> [95.217.242.142] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263756/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263751; rev:1;) alert tcp $HOME_NET any -> [95.217.245.42] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263752; rev:1;) alert tcp $HOME_NET any -> [128.140.8.170] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263753; rev:1;) alert tcp $HOME_NET any -> [116.202.178.41] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.248.34"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; 
classtype:trojan-activity; sid:91263750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.178.41"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.8.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.245.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/interface/picture/get"; depth:22; nocase; http.host; content:"service-rkcvh0tf-1252325407.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"service-rkcvh0tf-1252325407.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263746; rev:1;) alert tcp $HOME_NET any -> [121.43.168.17] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.55.100.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263743; rev:1;) alert tcp $HOME_NET any -> [120.55.100.239] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263742; rev:1;) alert tcp $HOME_NET any -> [118.31.104.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263741; rev:1;) alert tcp $HOME_NET any -> [114.55.112.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1263740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.134.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263739; rev:1;) alert tcp $HOME_NET any -> [47.109.134.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.98.110.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263737; rev:1;) alert tcp $HOME_NET any -> [47.98.110.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cuitikun.onflashdrive.app"; depth:25; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263735; rev:1;) alert tcp $HOME_NET any -> [8.137.102.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263733; rev:1;) alert tcp $HOME_NET any -> [8.137.102.132] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"175.178.49.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263732; rev:1;) alert tcp $HOME_NET any -> [38.45.200.163] 3824 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263731; rev:1;) alert tcp $HOME_NET any -> [175.178.49.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263730/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_29; classtype:trojan-activity; sid:91263730; rev:1;) alert tcp $HOME_NET any -> [150.158.181.243] 15443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.223.213.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263728; rev:1;) alert tcp $HOME_NET any -> [124.223.213.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263726; rev:1;) alert tcp $HOME_NET any -> [124.223.213.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263727; rev:1;) alert tcp $HOME_NET any -> [124.222.57.223] 64444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263725; rev:1;) alert tcp $HOME_NET any -> 
[124.222.57.223] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.221.37.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263723; rev:1;) alert tcp $HOME_NET any -> [124.221.37.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.195.209.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263721; rev:1;) alert tcp $HOME_NET any -> [118.195.209.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263720; rev:1;) alert tcp $HOME_NET any -> [118.25.173.248] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"106.54.211.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263718; rev:1;) alert tcp $HOME_NET any -> [106.54.211.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263717; rev:1;) alert tcp $HOME_NET any -> [101.35.255.91] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263716; rev:1;) alert tcp $HOME_NET any -> [43.138.0.3] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263591; rev:1;) alert tcp $HOME_NET any -> [80.66.89.161] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263592; rev:1;) alert tcp $HOME_NET any -> [185.172.128.150] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263296; rev:1;) alert tcp $HOME_NET any -> [185.172.128.151] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"asero23.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263307/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263307; rev:1;) alert tcp $HOME_NET any -> [80.66.89.165] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/delta-io/delta/files/15016110/delta.zip"; depth:40; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kampfkarren/roblox/files/15001743/roexec.zip"; depth:45; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"deltaexploits.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263599; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"roexec.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"80.66.89.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263601; rev:1;) alert tcp $HOME_NET any -> [80.66.89.146] 80 (msg:"ThreatFox SmartLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legendsworld.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_29; classtype:trojan-activity; sid:91263618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilio.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retardedclassmate.dyn"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whitepeopleonly.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servernoworky.geek"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263714; rev:1;) alert tcp $HOME_NET any -> [103.216.51.35] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263710; rev:1;) alert tcp $HOME_NET any -> [185.241.208.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263709; rev:1;) alert tcp $HOME_NET any -> [38.55.97.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1263708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263708; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 55295 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263707; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18351 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263706; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 16501 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263704; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18082 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263705; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2434 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263703; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 46829 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263701; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263702; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 34540 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263700; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 15443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263698; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 29144 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263699; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; 
sid:91263696; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 13760 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263697; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6005 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263695; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 62422 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263693; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 4369 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263694; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 23019 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263691; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 36161 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263692; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2323 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263690; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 1723 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263688; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2096 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263689; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 23 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263686; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263687; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 52101 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263685; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 4840 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263683; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 10298 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263684; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6009 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263681; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 28987 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263682; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 3306 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263680; rev:1;) 
# Per-port ip:port C2 rules for 154.248.27.182 (DCRat, confidence_level 50): the feed emits one
# rule per observed destination port rather than one IP-wide rule, so coverage is only as wide as
# the port list on the page. Unlike the http rules above (flow:established,from_client), these tcp
# rules carry no flow: keyword, so any TCP segment to the IP:port — a bare SYN included — alerts.
# threshold: type limit, track by_src, seconds 60, count 1 caps each rule at one alert per source
# host per minute; at 50% confidence, corroborate a hit with host telemetry before escalating.
alert tcp $HOME_NET any -> [154.248.27.182] 41115 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263678; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 62757 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263679; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2281 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263677; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 319 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263676; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 19181 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263674; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 61753 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263675/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263675; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18084 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263673; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 52200 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263671; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 56512 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263672; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5060 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263669; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 25290 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263670; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 51445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263667; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 3318 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263668; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 830 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263666; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 12881 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263664; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 20815 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263665; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5672 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263662; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 
10258 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263663; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263661; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 33389 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263659; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 28983 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263660; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5061 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263657/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263657; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263658/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_29; classtype:trojan-activity; sid:91263658; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 445 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263655; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2077 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263656; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 53419 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263654/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263654; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 11112 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263652; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18260 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263653; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6697 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1263650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263650; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 7704 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263651; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6006 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263649; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 56910 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263647; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 58000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263648; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 34365 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263646; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 49152 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263644; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5905 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263645; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 20547 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263642; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 35062 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263643; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263640; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 9024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; 
sid:91263641; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 61616 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263639; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 9508 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263637; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 53151 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263638; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 6699 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263636; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263634; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 2762 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263635/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263635; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 831 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263633; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 11261 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263632; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 18245 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263630; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 49664 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263631; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 41909 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263628; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 8159 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263629; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 26350 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263627; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 5900 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263625; rev:1;) alert tcp $HOME_NET any -> [154.248.27.182] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263626; rev:1;) alert tcp $HOME_NET any -> [41.96.94.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263624; rev:1;) alert tcp $HOME_NET any -> [185.244.208.251] 16013 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263623; rev:1;) alert tcp $HOME_NET any -> 
[98.98.119.98] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263622; rev:1;) alert tcp $HOME_NET any -> [163.181.88.76] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263621; rev:1;) alert tcp $HOME_NET any -> [3.239.164.16] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263620; rev:1;) alert tcp $HOME_NET any -> [52.193.137.127] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_29; classtype:trojan-activity; sid:91263619; rev:1;) alert tcp $HOME_NET any -> [179.14.9.152] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_29; classtype:trojan-activity; sid:91263617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpollgeocpu.php"; depth:22; nocase; http.host; 
content:"intopart.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263616; rev:1;) alert tcp $HOME_NET any -> [154.213.17.187] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"62.234.180.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"106.14.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263612; rev:1;) alert tcp $HOME_NET any -> [106.14.141.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263613; rev:1;) alert tcp $HOME_NET any -> [154.213.17.174] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263611; rev:1;) alert tcp $HOME_NET any -> [43.140.37.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-jj4sc5n0-1325804472.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jj4sc5n0-1325804472.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263609; rev:1;) alert tcp $HOME_NET any -> [146.56.208.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"146.56.208.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263606; rev:1;) alert tcp $HOME_NET any -> [45.125.67.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rn.js"; depth:6; nocase; http.host; content:"www.rollupdate.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rollupdate.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263604; rev:1;) alert tcp $HOME_NET any -> [185.123.53.157] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263590; rev:1;) alert tcp $HOME_NET any -> [94.156.79.114] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263589; rev:1;) alert tcp $HOME_NET any -> [94.156.79.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263588; rev:1;) alert tcp $HOME_NET any -> [1.161.86.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263587; rev:1;) alert tcp $HOME_NET any -> [170.64.210.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263586/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263586; rev:1;) alert tcp $HOME_NET any -> [167.88.172.166] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263585/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263585; rev:1;) alert tcp $HOME_NET any -> [93.88.74.63] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263335; rev:1;) alert tcp $HOME_NET any -> [45.88.90.46] 80 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263334; rev:1;) alert tcp $HOME_NET any -> [14.225.203.65] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263333; rev:1;) alert tcp $HOME_NET any -> [59.175.126.222] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263332/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263332; rev:1;) alert tcp $HOME_NET any -> [35.157.61.186] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263331/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263331; rev:1;) alert tcp $HOME_NET any -> [94.49.189.224] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263330; rev:1;) alert tcp $HOME_NET any -> [102.47.134.6] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263329/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_28; classtype:trojan-activity; sid:91263329; rev:1;) alert tcp $HOME_NET any -> [156.222.129.192] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263328; rev:1;) alert tcp $HOME_NET any -> [62.16.66.34] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0949502.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263326; rev:1;) alert tcp $HOME_NET any -> [102.188.113.253] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263325; rev:1;) alert tcp $HOME_NET any -> [91.92.253.28] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263324; rev:1;) alert tcp $HOME_NET any -> [193.222.96.115] 54984 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263323; rev:1;) alert tcp $HOME_NET any -> [116.198.232.233] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263322; rev:1;) alert tcp $HOME_NET any -> [47.103.91.191] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263321; rev:1;) alert tcp $HOME_NET any -> [45.133.174.75] 8795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263320; rev:1;) alert tcp $HOME_NET any -> [124.71.106.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.71.106.234"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263318; rev:1;) alert tcp $HOME_NET any -> [159.65.235.56] 9005 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263317; rev:1;) alert tcp $HOME_NET any -> [87.121.105.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263316; rev:1;) alert tcp $HOME_NET any -> [38.59.124.16] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263315; rev:1;) alert tcp $HOME_NET any -> [38.59.124.49] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263314; rev:1;) alert tcp $HOME_NET any -> [3.249.36.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263313; rev:1;) alert tcp $HOME_NET any -> [54.78.161.42] 443 (msg:"ThreatFox Havoc botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263312; rev:1;) alert tcp $HOME_NET any -> [103.30.17.17] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263311; rev:1;) alert tcp $HOME_NET any -> [172.210.41.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263310; rev:1;) alert tcp $HOME_NET any -> [91.92.252.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263309/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263309; rev:1;) alert tcp $HOME_NET any -> [203.161.48.154] 443 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iremotepanel"; depth:13; nocase; http.host; content:"38.60.254.86"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1263306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263306; rev:1;) alert tcp $HOME_NET any -> [51.195.145.87] 7071 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263305/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263305; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263304/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263304; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263303; rev:1;) alert tcp $HOME_NET any -> [95.211.208.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263302; rev:1;) alert tcp $HOME_NET any -> [91.92.250.227] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervideopythondefaultprivate.php"; depth:38; nocase; http.host; content:"796367cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263300; rev:1;) alert tcp $HOME_NET any -> [185.172.128.70] 3808 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263299; rev:1;) alert tcp $HOME_NET any -> [178.128.228.252] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263298; rev:1;) alert tcp $HOME_NET any -> [181.131.217.222] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263295; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 3221 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263294; rev:1;) alert tcp $HOME_NET any -> [5.253.246.39] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1263293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263293; rev:1;) alert tcp $HOME_NET any -> [5.42.102.198] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c698e1bc8a2f5e6d.php"; depth:21; nocase; http.host; content:"185.172.128.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7043a0c6a68d9c65.php"; depth:21; nocase; http.host; content:"185.172.128.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalupdatebigloaduniversaldatalife.php"; depth:42; nocase; http.host; content:"550515cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263289; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.134.11.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.109.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; 
nocase; http.host; content:"38.47.107.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263280/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_28; classtype:trojan-activity; sid:91263280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.220.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/stream"; depth:11; nocase; http.host; content:"123.207.50.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.229.158.40"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.71.106.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263272; rev:1;) alert tcp $HOME_NET any -> [47.120.52.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263271/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_28; classtype:trojan-activity; sid:91263271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.120.52.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263270; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"c.qqwhoami.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.qqwhoami.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263268; rev:1;) alert tcp $HOME_NET any -> [61.139.24.20] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263266/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_28; classtype:trojan-activity; sid:91263266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"www.qichen.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263265; rev:1;) alert tcp $HOME_NET any -> [41.199.23.195] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263258; rev:1;) alert tcp $HOME_NET any -> [94.156.66.236] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263262; rev:1;) alert tcp $HOME_NET any -> [91.92.252.220] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saveclinetsforme68465454711991.publicvm.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263259; rev:1;) alert tcp $HOME_NET any -> 
[18.192.31.165] 10266 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"elamoto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kongtuke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"kindofwelcomeperspective.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263260; rev:1;) alert tcp $HOME_NET any -> [157.230.232.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powerbi3-dffqb3gfbudugyas.z03.azurefd.net"; depth:41; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"powerbi3-dffqb3gfbudugyas.z03.azurefd.net"; depth:41; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263254; rev:1;) alert tcp $HOME_NET any -> [154.213.17.156] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263253; rev:1;) alert tcp $HOME_NET any -> [103.166.184.95] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263252/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263252; rev:1;) alert tcp $HOME_NET any -> [91.92.254.108] 1111 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/cm"; depth:3; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/googleapi/affiliation/v1/affiliation:lookupbyhashprefix"; depth:56; nocase; http.host; content:"121.37.230.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1263246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263242; rev:1;) alert tcp $HOME_NET any -> 
[64.188.22.11] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odllnjm0owjknmu2/"; depth:18; nocase; http.host; content:"tecald.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"street.letmeshine.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"kindofwelcomeperspective.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263238; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65481 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263237; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/admin-ajax.php"; depth:24; nocase; http.host; content:"rakishevkenes.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"palmeventeryjusk.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"strollheavengwu.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peanuearthflaxes.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"auctiongutollyjkui.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleartotalfisherwo.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worryfillvolcawoi.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enthusiasimtitleow.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dismissalcylinderhostw.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"affordcharmcropwo.shop"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diskretainvigorousiw.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"communicationgenerwo.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pillowbrocccolipe.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"palmeventeryjusk.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strollheavengwu.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1263233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peanuearthflaxes.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"auctiongutollyjkui.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"democraticseekysiwo.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263218; rev:1;) alert tcp $HOME_NET any -> [87.121.105.4] 8797 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.doxbin.uno"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; 
sid:91263217; rev:1;) alert tcp $HOME_NET any -> [45.88.90.17] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldbestipscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldscanipbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263168/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipworldbestscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; 
nocase; http.host; content:"worldbestscanip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipscanworldbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipworldscanbest.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"ipscanbestworld.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1263158/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263159/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"scanworldbestip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263160/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263160; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 36969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"phentermine-partial.gl.at.ply.gg"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263157; rev:1;) alert tcp $HOME_NET any -> [137.220.224.49] 9834 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1263154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"worldscanbestip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263167/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"bestworldscanip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263169/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"bestipworldscan.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_28; classtype:trojan-activity; sid:91263170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme0n2ywowezmtm3/"; depth:18; nocase; http.host; content:"scanbestworldip.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263171/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_28; classtype:trojan-activity; sid:91263171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8681490a59ad0e34.php"; depth:21; nocase; http.host; content:"185.70.186.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263174; rev:1;) alert tcp $HOME_NET any -> [185.70.186.153] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/902e53a07830e030.php"; depth:21; nocase; http.host; content:"139.60.162.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263177; rev:1;) alert tcp $HOME_NET any -> [139.60.162.84] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263178; rev:1;) alert tcp $HOME_NET any -> [185.172.128.62] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; 
classtype:trojan-activity; sid:91263179; rev:1;) alert tcp $HOME_NET any -> [185.161.248.78] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263182; rev:1;) alert tcp $HOME_NET any -> [14.225.203.65] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263192/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"legendsworld.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263193/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_28; classtype:trojan-activity; sid:91263193; rev:1;) alert tcp $HOME_NET any -> [147.45.78.74] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263214; rev:1;) alert tcp $HOME_NET any -> [147.45.78.74] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263215; rev:1;) alert tcp $HOME_NET any -> [91.92.247.95] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263213; rev:1;) alert tcp $HOME_NET any -> [45.91.8.8] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263212; rev:1;) alert tcp $HOME_NET any -> [111.173.117.130] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263211; rev:1;) alert tcp $HOME_NET any -> [111.229.211.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263210; rev:1;) alert tcp $HOME_NET any -> [52.155.97.150] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263209; rev:1;) alert tcp $HOME_NET any -> [65.109.58.235] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263208; rev:1;) alert tcp $HOME_NET any -> [88.214.26.33] 
8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263207; rev:1;) alert tcp $HOME_NET any -> [170.64.231.144] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263206; rev:1;) alert tcp $HOME_NET any -> [13.212.214.23] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_28; classtype:trojan-activity; sid:91263205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpythonphpsecuretraffictestlocaltempuploadsdownloads.php"; depth:64; nocase; http.host; content:"188.120.242.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_28; classtype:trojan-activity; sid:91263204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"37.27.45.203"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263203; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/file.txt"; depth:11; nocase; http.host; content:"s2r.tn"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"surgical-farming-ca.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjdsasync.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undjsj.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjxwrm5.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vbdsg.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nmds.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windows/downloadslongpoll/generatorimage/wordpress/wp6datalife0/phpjavascripthttpprotectflower.php"; depth:99; nocase; http.host; content:"212.113.106.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263195; rev:1;) alert tcp $HOME_NET any -> [93.177.102.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263191; rev:1;) alert tcp $HOME_NET any -> [103.146.179.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263190; rev:1;) alert tcp $HOME_NET any -> [107.173.201.151] 
8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263189; rev:1;) alert tcp $HOME_NET any -> [41.98.13.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263188/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263188; rev:1;) alert tcp $HOME_NET any -> [103.82.195.234] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263187; rev:1;) alert tcp $HOME_NET any -> [45.152.85.10] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263186; rev:1;) alert tcp $HOME_NET any -> [64.23.196.210] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263185; rev:1;) alert tcp $HOME_NET any -> [167.88.172.78] 65534 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263184/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_27; classtype:trojan-activity; sid:91263184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"greatnessappreviews.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/teamb/five/fre.php"; depth:19; nocase; http.host; content:"tampabayllc.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamecentraluploads.php"; depth:23; nocase; http.host; content:"178546cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/902e53a07830e030.php"; depth:21; nocase; http.host; content:"185.172.128.62"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"greatnessappreviews.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263172; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 1010 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8681490a59ad0e34.php"; depth:21; nocase; http.host; content:"185.172.128.76"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263153; rev:1;) alert tcp $HOME_NET any -> [109.107.157.17] 15866 (msg:"ThreatFox MetaStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263060; rev:1;) alert tcp $HOME_NET any -> [185.117.3.187] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263151; rev:1;) alert tcp $HOME_NET any -> [172.94.101.172] 6238 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence 
level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"104.214.168.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"38.47.107.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263148; rev:1;) alert tcp $HOME_NET any -> [38.47.107.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.96.72.192"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.14.143.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263145; rev:1;) alert tcp $HOME_NET any -> [124.223.9.21] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"213.1.229.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263144; rev:1;) alert tcp $HOME_NET any -> [35.224.58.250] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263142/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_27; classtype:trojan-activity; sid:91263142; rev:1;) alert tcp $HOME_NET any -> [38.60.217.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.60.217.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"116.205.185.98"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.197.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; 
http.host; content:"54.37.226.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263137; rev:1;) alert tcp $HOME_NET any -> [154.201.73.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.73.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263135; rev:1;) alert tcp $HOME_NET any -> [35.224.58.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.chinamobile.live"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.chinamobile.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263133; rev:1;) alert tcp $HOME_NET any -> [45.55.199.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263131; rev:1;) alert tcp $HOME_NET any -> [47.96.72.192] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263130; rev:1;) alert tcp $HOME_NET any -> [91.92.255.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"91.92.255.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263128; rev:1;) alert tcp $HOME_NET any -> [91.92.255.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"91.92.255.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263126; rev:1;) alert tcp $HOME_NET any -> [39.100.90.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery.com/"; depth:12; nocase; http.host; content:"39.100.90.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preserve/extranet/lff00fq6u2h0"; depth:31; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.130.34.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.251.159.58"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.139.235.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.14.75.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; 
sid:91263114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.12.29.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"101.33.192.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263105/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263100; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"37.27.11.209"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"128.199.178.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"116.205.189.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"111.230.12.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263091/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"c.hcgos.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.hcgos.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.105.191.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"119.91.45.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/v4.01/qgqtnora"; depth:25; nocase; http.host; content:"www.yamaxun.blog"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yamaxun.blog"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263083/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_27; classtype:trojan-activity; sid:91263083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"42.51.45.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"click.buys.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263073/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_27; classtype:trojan-activity; sid:91263073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"click.buys.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e22kp8jz-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-e22kp8jz-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/462c30d592f23b18/jquery/3.7.1/jquery.min.js"; depth:44; nocase; http.host; content:"qax.gsldedie.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canarapay-f5hghmdjd7eddbb4.z02.azurefd.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/i7f9l/s0rm6wozidfyrb6yai2d"; depth:40; nocase; http.host; content:"canarapay-f5hghmdjd7eddbb4.z02.azurefd.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"logist.cct-logistics.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logist.cct-logistics.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"io.cy789.ml"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263061; rev:1;) alert tcp $HOME_NET any -> [121.37.230.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/start/burst"; depth:12; nocase; http.host; content:"121.37.230.155"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.217.246.168"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1263006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.167.106"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1263007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263007; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263035; rev:1;) alert tcp $HOME_NET any -> [160.176.159.27] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263036/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263036; rev:1;) alert tcp $HOME_NET any -> [167.71.169.160] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263054; rev:1;) alert tcp $HOME_NET any -> [94.156.79.186] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263053; rev:1;) alert tcp $HOME_NET any -> [109.120.177.64] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263052; rev:1;) alert tcp $HOME_NET any -> [101.200.121.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263051; rev:1;) alert tcp $HOME_NET any -> [172.234.92.6] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263050; rev:1;) alert tcp $HOME_NET any -> [178.62.55.204] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263049; 
rev:1;) alert tcp $HOME_NET any -> [31.42.185.190] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263048; rev:1;) alert tcp $HOME_NET any -> [43.132.130.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263047; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 2080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263046; rev:1;) alert tcp $HOME_NET any -> [146.70.80.94] 20020 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263045; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20039 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263044; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20027 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263043/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263043; rev:1;) alert tcp $HOME_NET any -> [216.153.61.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263042; rev:1;) alert tcp $HOME_NET any -> [3.216.133.137] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263041; rev:1;) alert tcp $HOME_NET any -> [138.124.183.209] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_27; classtype:trojan-activity; sid:91263040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videosecureasyncdatalifeuploads.php"; depth:36; nocase; http.host; content:"842614cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263039; rev:1;) alert tcp $HOME_NET any -> [87.251.67.95] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263038/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_27; classtype:trojan-activity; sid:91263038; rev:1;) alert tcp $HOME_NET any -> [45.129.199.127] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_27; classtype:trojan-activity; sid:91263037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.120.17.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263034; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263033; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 10250 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_27; classtype:trojan-activity; sid:91263032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"185.216.117.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263030/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91263030; rev:1;) alert tcp $HOME_NET any -> [185.216.117.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263031; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gfyl.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1263028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.gfyl.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263027; rev:1;) alert tcp $HOME_NET any -> [139.159.241.73] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263026; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/industry_solutions/test"; depth:24; nocase; http.host; content:"139.159.241.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"bigwing.algoitsolutions.co.uk"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"stgmountainair.wpengine.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"eco-villas.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"saveutilitybills.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"rjjewelpk.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"www.pujamosporti.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"2mo.com"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/share-private-files/shared/"; depth:47; nocase; http.host; content:"metrobasket.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neo.msi"; depth:8; nocase; http.host; content:"146.19.106.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"startmast.shop"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1263009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91263009; rev:1;) alert tcp $HOME_NET any -> [94.232.41.106] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91263008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webcamcn.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262647; rev:1;) alert tcp $HOME_NET any -> [156.248.54.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262648; rev:1;) alert tcp $HOME_NET any -> [216.224.125.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262649; rev:1;) alert tcp $HOME_NET any -> [38.181.20.8] 9227 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262650/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262650; rev:1;) alert tcp $HOME_NET any -> [27.124.46.73] 9817 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"109.172.112.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262652; rev:1;) alert tcp $HOME_NET any -> [109.172.112.246] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262653; rev:1;) alert tcp $HOME_NET any -> [185.172.128.111] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo1/decipher.csv"; depth:18; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262655/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/koo/kpyqgtbbzswvoy6.bin"; depth:24; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k1/fdoimu226.bin"; depth:17; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/k2/unconscientiousness.jpb"; depth:27; nocase; http.host; content:"nitio.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nitio.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262659; rev:1;) alert tcp $HOME_NET any -> [94.156.8.104] 80 (msg:"ThreatFox CloudEyE payload delivery (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yftql16.bin"; depth:12; nocase; http.host; content:"94.156.8.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262661; rev:1;) alert tcp $HOME_NET any -> [94.156.128.246] 3323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262662; rev:1;) alert tcp $HOME_NET any -> [101.99.92.10] 13500 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tampabayllc.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262701; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 7719 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262739/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moranhq.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"156.248.54.11.webcamcn.xyz"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hm2.webcamcn.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262645; rev:1;) alert tcp $HOME_NET any -> [154.53.42.53] 8448 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262644; rev:1;) alert tcp $HOME_NET any -> [85.209.11.243] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262643; rev:1;) alert tcp $HOME_NET any -> 
[93.71.184.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pronethellas.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262636; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dezx/oblqlsgpaa72.bin"; depth:22; nocase; http.host; content:"pronethellas.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.theertyuiergthjk.homes"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theertyuiergthjk.homes"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s8o3/"; depth:6; nocase; http.host; content:"www.theertyuiergthjk.homes"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262632; rev:1;) alert tcp $HOME_NET any -> [49.233.206.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263005; rev:1;) alert tcp $HOME_NET any -> [95.217.210.118] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263004; rev:1;) alert tcp $HOME_NET any -> [34.210.168.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263003; rev:1;) alert tcp $HOME_NET any -> [147.78.103.182] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263002; rev:1;) alert tcp $HOME_NET any -> [147.45.79.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1263001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263001; rev:1;) alert tcp $HOME_NET any -> [51.15.249.226] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1263000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91263000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"185.104.181.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262998; rev:1;) alert tcp $HOME_NET any -> [185.104.181.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262997; rev:1;) alert tcp $HOME_NET any -> [88.214.27.89] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262996; rev:1;) alert tcp $HOME_NET any -> [37.27.45.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262995; rev:1;) alert tcp $HOME_NET any -> [37.27.11.209] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riptode.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oktes.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hypaton.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vances.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"meday.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woo2tech.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yestohe.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262992; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtlintro.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262993; rev:1;) alert tcp $HOME_NET any -> [95.217.246.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262981; rev:1;) alert tcp $HOME_NET any -> [78.47.186.226] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262982/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91262982; rev:1;) alert tcp $HOME_NET any -> [78.47.14.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262983; rev:1;) alert tcp $HOME_NET any -> [37.27.11.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262984; rev:1;) alert tcp $HOME_NET any -> [116.203.0.165] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262985; rev:1;) alert tcp $HOME_NET any -> [116.203.167.106] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vtlintro.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yestohe.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"woo2tech.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"meday.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hypaton.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vances.xyz"; depth:10; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"oktes.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"riptode.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.0.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.11.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.14.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.246.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.186.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sol.ethvseos.nl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262965/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262965; rev:1;) alert tcp $HOME_NET any -> [185.196.9.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262963; rev:1;) alert tcp $HOME_NET any -> [185.196.9.172] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262964; rev:1;) alert tcp $HOME_NET any -> [159.89.124.149] 8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262962/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262962; rev:1;) alert tcp $HOME_NET any -> [159.89.124.149] 8084 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262961/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262961; rev:1;) alert tcp $HOME_NET any -> [94.232.45.77] 8085 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262960/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_26; classtype:trojan-activity; sid:91262960; rev:1;) alert tcp $HOME_NET any -> [212.46.38.250] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262959/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262959; rev:1;) alert tcp $HOME_NET any -> [51.195.211.231] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262958; rev:1;) alert tcp $HOME_NET any -> [149.88.82.88] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262957; rev:1;) alert tcp $HOME_NET any -> [137.175.77.94] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262956; rev:1;) alert tcp $HOME_NET any -> [38.180.25.208] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262955; rev:1;) alert tcp $HOME_NET any -> [202.47.118.167] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262954; rev:1;) alert tcp $HOME_NET any -> 
[191.82.222.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262953; rev:1;) alert tcp $HOME_NET any -> [177.102.67.107] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262952; rev:1;) alert tcp $HOME_NET any -> [175.137.217.128] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262951; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262947; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262948; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262949/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262949; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262950; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262944; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262945; rev:1;) alert tcp $HOME_NET any -> [187.135.138.133] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262946; rev:1;) alert tcp $HOME_NET any -> [141.11.93.161] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262942; rev:1;) alert tcp $HOME_NET any -> [141.11.93.161] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262943; rev:1;) alert tcp $HOME_NET any -> [91.132.49.90] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262941; rev:1;) alert tcp $HOME_NET any -> [222.239.35.173] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262810; rev:1;) alert tcp $HOME_NET any -> [173.249.52.60] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262765; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262759; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262760; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262761; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262762; rev:1;) alert tcp $HOME_NET any -> [184.174.96.94] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262763; rev:1;) alert tcp $HOME_NET any -> [207.32.219.85] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262764; rev:1;) alert tcp $HOME_NET any -> [46.246.14.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262755; rev:1;) alert tcp $HOME_NET any -> [88.229.18.221] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262756; rev:1;) alert tcp $HOME_NET any -> [88.229.18.221] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262757; rev:1;) alert tcp $HOME_NET any -> [142.202.191.162] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262758; rev:1;) alert tcp $HOME_NET any -> [94.156.65.26] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262753; rev:1;) alert tcp $HOME_NET any -> [94.156.65.26] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262754; rev:1;) alert tcp $HOME_NET any -> [94.154.172.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262752; rev:1;) alert tcp $HOME_NET any -> [45.15.156.173] 8080 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262751; rev:1;) alert tcp $HOME_NET any -> [116.196.82.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262750; rev:1;) alert tcp $HOME_NET any -> [18.232.156.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262748; rev:1;) alert tcp $HOME_NET any -> [44.221.39.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262749; rev:1;) alert tcp $HOME_NET any -> [54.145.84.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"3.86.13.34"; depth:10; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1262746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262746; rev:1;) alert tcp $HOME_NET any -> [3.86.13.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.83.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262744; rev:1;) alert tcp $HOME_NET any -> [154.201.83.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"154.12.23.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262742; rev:1;) alert tcp $HOME_NET any -> [154.12.23.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.nickelviper.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nickelviper.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262737; rev:1;) alert tcp $HOME_NET any -> [18.132.148.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"ns1.anonymouskids.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srothanhlong.vn"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.anonymouskids.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262733; rev:1;) alert tcp $HOME_NET any -> [3.132.209.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262731; rev:1;) alert tcp $HOME_NET any -> [3.132.209.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"ao2gmabl4c.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262730; rev:1;) alert tcp $HOME_NET any -> [3.9.188.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262729; rev:1;) alert tcp $HOME_NET any -> [3.0.50.245] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262728; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"mail.metadate.services"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.metadate.services"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262725; rev:1;) alert tcp $HOME_NET any -> [167.179.76.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262724/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_26; classtype:trojan-activity; sid:91262724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"65.20.85.214"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262723; rev:1;) alert tcp $HOME_NET any -> [65.20.85.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262722; rev:1;) alert tcp $HOME_NET any -> [124.156.166.78] 7654 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.157.90.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262720; rev:1;) alert tcp $HOME_NET any -> [43.157.90.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"192.227.137.122"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262718; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262716; rev:1;) alert tcp $HOME_NET any -> [192.227.137.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262717; rev:1;) alert tcp $HOME_NET any -> [152.42.244.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oscp/"; depth:6; nocase; http.host; content:"134.209.27.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; 
classtype:trojan-activity; sid:91262714; rev:1;) alert tcp $HOME_NET any -> [134.209.27.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.236.28.67"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262712; rev:1;) alert tcp $HOME_NET any -> [47.236.28.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qyygkf1k-1307679590.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262709/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262709; rev:1;) alert tcp $HOME_NET any -> [1.94.66.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262708; rev:1;) alert tcp $HOME_NET any -> [1.94.52.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262707; rev:1;) alert tcp $HOME_NET any -> [123.57.172.34] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262706; rev:1;) alert tcp $HOME_NET any -> [47.120.17.76] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"47.92.151.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; 
sid:91262704; rev:1;) alert tcp $HOME_NET any -> [47.92.151.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262703; rev:1;) alert tcp $HOME_NET any -> [39.104.28.176] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262702; rev:1;) alert tcp $HOME_NET any -> [39.100.109.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262699; rev:1;) alert tcp $HOME_NET any -> [39.98.43.192] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262698; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262696; rev:1;) alert tcp $HOME_NET any -> [8.141.166.236] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262697; rev:1;) alert tcp $HOME_NET any -> [8.137.76.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262695; rev:1;) alert tcp $HOME_NET any -> [8.134.92.24] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262694; rev:1;) alert tcp $HOME_NET any -> [8.130.66.214] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.130.29.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262692; rev:1;) alert tcp $HOME_NET any -> [8.130.29.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262691/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91262691; rev:1;) alert tcp $HOME_NET any -> [150.158.54.83] 7500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262690; rev:1;) alert tcp $HOME_NET any -> [124.222.15.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262689; rev:1;) alert tcp $HOME_NET any -> [123.206.115.56] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.89.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262687; rev:1;) alert tcp $HOME_NET any -> [122.51.89.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.218.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262685; rev:1;) alert tcp $HOME_NET any -> [119.91.218.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262684; rev:1;) alert tcp $HOME_NET any -> [114.132.245.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262683; rev:1;) alert tcp $HOME_NET any -> [111.229.200.233] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262682; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262680; rev:1;) alert tcp $HOME_NET any -> [111.229.35.119] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262681; rev:1;) alert tcp $HOME_NET any -> [101.35.198.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.136.43.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262678; rev:1;) alert tcp $HOME_NET any -> [43.136.43.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"185.229.237.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.130.252.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"209.222.0.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"60.205.115.92"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.139.205.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"111.230.98.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262667; rev:1;) alert tcp $HOME_NET any -> 
[118.31.116.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.31.116.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.147.170.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262664; rev:1;) alert tcp $HOME_NET any -> [8.138.119.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"8.138.119.180"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262640/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_26; classtype:trojan-activity; sid:91262640; rev:1;) alert tcp $HOME_NET any -> [1.14.96.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262639; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.14.96.69"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262638; rev:1;) alert tcp $HOME_NET any -> [45.142.182.80] 5900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262637; rev:1;) alert tcp $HOME_NET any -> [192.169.69.25] 5654 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"craftedfollowing.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262607; rev:1;) alert tcp $HOME_NET any -> [46.246.86.14] 
1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262580; rev:1;) alert tcp $HOME_NET any -> [172.94.9.228] 3980 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262605; rev:1;) alert tcp $HOME_NET any -> [5.253.40.118] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262604; rev:1;) alert tcp $HOME_NET any -> [64.227.140.244] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262603; rev:1;) alert tcp $HOME_NET any -> [93.127.202.69] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262602; rev:1;) alert tcp $HOME_NET any -> [14.178.208.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262601/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262601; rev:1;) alert tcp $HOME_NET any -> [18.159.103.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262600; rev:1;) alert tcp $HOME_NET any -> [77.91.70.104] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262599; rev:1;) alert tcp $HOME_NET any -> [54.202.238.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262598; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262597; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262596; rev:1;) alert tcp $HOME_NET any -> [190.70.119.188] 4859 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262595; rev:1;) alert tcp $HOME_NET any -> [45.141.84.135] 54183 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262594; rev:1;) alert tcp $HOME_NET any -> [35.192.76.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262593; rev:1;) alert tcp $HOME_NET any -> [193.227.134.120] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262592; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20037 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262591; rev:1;) alert tcp $HOME_NET any -> [45.95.174.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262590; rev:1;) alert tcp 
$HOME_NET any -> [45.95.174.39] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262589; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 55556 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262588; rev:1;) alert tcp $HOME_NET any -> [149.28.25.144] 5432 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_26; classtype:trojan-activity; sid:91262587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lt8e"; depth:5; nocase; http.host; content:"39.105.191.1"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_26; classtype:trojan-activity; sid:91262586; rev:1;) alert tcp $HOME_NET any -> [39.105.191.1] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/javascriptpollmultigeneratordatalife.php"; depth:41; nocase; http.host; content:"taketa.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262584; rev:1;) alert tcp $HOME_NET any -> [85.203.42.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262581; rev:1;) alert tcp $HOME_NET any -> [5.42.92.179] 18418 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_26; classtype:trojan-activity; sid:91262579; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.70.154.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"103.116.245.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.54.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262576; rev:1;) alert tcp $HOME_NET any -> [44.194.227.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms"; depth:3; nocase; http.host; content:"dct4jph3as9lp.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dct4jph3as9lp.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"85.203.42.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262571; rev:1;) alert tcp $HOME_NET any -> [85.203.42.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loginin.html"; depth:13; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262569; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1262570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.134.11.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262567; rev:1;) alert tcp $HOME_NET any -> [8.134.11.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"flypadi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262565; rev:1;) alert tcp $HOME_NET any -> [89.34.237.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz24519.tw1.ru"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1262548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; 
depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; 
depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"grizmotras.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live"; depth:5; nocase; http.host; content:"pewwhranet.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"pgdm.my"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"cbg.divineunveil.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262528/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tangerang/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"tutycholid.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/model-2/wp-content/plugins/user-private-files/shared/"; depth:54; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"taifateule.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"upr.lk"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262523/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phs124168.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"phatthanhnghia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"quotesparade.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ugandainarabic.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262520/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_25; classtype:trojan-activity; sid:91262520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/user-private-files/shared/"; depth:49; nocase; http.host; content:"vegasnights.co.za"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"thayhoicoffee.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideosphere.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"audio.daiphucminh.vn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262516/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_25; classtype:trojan-activity; sid:91262516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chocolate/wp-content/plugins/user-private-files/shared/"; depth:56; nocase; http.host; content:"milkganache.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"seraphyaromatherapy.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/projects/visioncrystal/wp-content/plugins/user-private-files/shared/"; depth:69; nocase; http.host; content:"www.websitedesigningindia.biz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"www.pansy-dz.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262512/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"ideanet.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"reyadtours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"newsmedia247.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"bissecci.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262508/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_25; classtype:trojan-activity; sid:91262508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"devaccrocs.allianceconsultants.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"manbaulhudaasia.aliyy.my"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"yahyacarpet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/epicure-traiteur/wp-content/plugins/user-private-files/shared/"; depth:63; nocase; http.host; content:"vitrine.izaragency.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262504/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"antvietnam.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"i.thietke.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/site/wp-content/plugins/user-private-files/shared/"; depth:51; nocase; http.host; content:"direitopositivado.com.br"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/user-private-files/shared/"; depth:46; nocase; http.host; content:"divifar.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262500/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo/wp-content/plugins/user-private-files/shared/"; depth:53; nocase; http.host; content:"konsaltakuatorial.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/networkconnect/wp-content/plugins/user-private-files/shared/"; depth:61; nocase; http.host; content:"iswpcreator.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security_check/"; depth:16; nocase; http.host; content:"nlqbgkl5.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ad.msi"; depth:7; nocase; http.host; content:"45.95.11.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; 
sid:91262495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"wrankaget.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"jarinamaers.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"svif-venezuela.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"33moneycshlazim33.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsasfasfh.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262460; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneycsffhgm7.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262464; rev:1;) alert tcp $HOME_NET any -> [91.92.240.43] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mmexoda3mdazzja5/"; depth:18; nocase; http.host; content:"moneymaskalandd.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"minjuthecutest.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262465; rev:1;) alert tcp $HOME_NET any -> [91.92.240.43] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262489; 
rev:1;) alert tcp $HOME_NET any -> [91.92.243.102] 1990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262490; rev:1;) alert tcp $HOME_NET any -> [89.185.30.66] 2006 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262491; rev:1;) alert tcp $HOME_NET any -> [45.88.90.46] 6969 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262492; rev:1;) alert tcp $HOME_NET any -> [54.36.113.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262488; rev:1;) alert tcp $HOME_NET any -> [185.125.50.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262487; rev:1;) alert tcp $HOME_NET any -> [109.120.177.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262486; rev:1;) alert tcp $HOME_NET any -> [120.46.59.252] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262485; rev:1;) alert tcp $HOME_NET any -> [45.63.124.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262484; rev:1;) alert tcp $HOME_NET any -> [52.26.153.104] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262483; rev:1;) alert tcp $HOME_NET any -> [43.139.113.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262482; rev:1;) alert tcp $HOME_NET any -> [147.78.103.197] 4443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262481; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 8000 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262480; rev:1;) alert tcp $HOME_NET any -> [193.92.65.11] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262479; rev:1;) alert tcp $HOME_NET any -> [13.126.220.163] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262478; rev:1;) alert tcp $HOME_NET any -> [18.253.226.108] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262476; rev:1;) alert tcp $HOME_NET any -> [18.253.226.108] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262475; rev:1;) alert tcp $HOME_NET any -> [5.42.85.10] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; 
sid:91262474; rev:1;) alert tcp $HOME_NET any -> [18.118.8.124] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262473; rev:1;) alert tcp $HOME_NET any -> [142.93.142.34] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262472; rev:1;) alert tcp $HOME_NET any -> [89.117.172.225] 58895 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.186.205.191"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262470; rev:1;) alert tcp $HOME_NET any -> [45.15.156.9] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262467; rev:1;) alert tcp $HOME_NET any -> [88.214.27.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262468; rev:1;) alert tcp $HOME_NET any -> [45.15.156.9] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262281; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/netsupport43.zip"; depth:23; nocase; http.host; content:"cdn43.space"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn43.space"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262284; rev:1;) alert tcp $HOME_NET any -> [138.124.180.84] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262285; rev:1;) alert tcp $HOME_NET any -> [138.124.180.84] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; 
classtype:trojan-activity; sid:91262286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hollandtrees.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262291; rev:1;) alert tcp $HOME_NET any -> [89.185.30.66] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262292/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.qngxgw.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262293; rev:1;) alert tcp $HOME_NET any -> [193.222.62.236] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262275/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_25; classtype:trojan-activity; sid:91262275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/advancedipscanner.msix"; depth:29; nocase; http.host; content:"138.124.180.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262278; rev:1;) alert tcp $HOME_NET any -> [94.232.45.77] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262453/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_25; classtype:trojan-activity; sid:91262453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcxwq1.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262277; rev:1;) alert tcp $HOME_NET any -> [91.92.252.234] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262274/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"88.214.26.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262273; rev:1;) alert tcp $HOME_NET any -> [173.211.46.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.216.117.157"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262270; rev:1;) alert tcp $HOME_NET any -> [80.66.75.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1262269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"101.201.46.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"88.214.27.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"211.159.172.150"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chromeupdate/shellex/default.php"; depth:33; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; 
classtype:trojan-activity; sid:91262265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-dduj2otc-1303958398.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stylejason.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; 
nocase; http.host; content:"mopelas.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262219/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"kambarca.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"yedekleregldk.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"karaklpak.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_25; classtype:trojan-activity; sid:91262222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"1.gamithou.cyou"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262259/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"kuramaservices.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"78.40.116.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.92.254.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262256; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"158.220.106.37"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"51.38.70.1"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.117.151.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"57.129.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262252; rev:1;) alert tcp $HOME_NET any -> [46.246.4.2] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262251; rev:1;) alert tcp $HOME_NET any -> [185.172.128.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262250; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qax.gsldedie.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262248; rev:1;) alert tcp $HOME_NET any -> [170.106.169.138] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"qax.gsldedie.sbs"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262247; rev:1;) alert tcp $HOME_NET any -> [185.42.14.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dvbtools.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documentid"; depth:11; nocase; http.host; content:"dvbtools.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.200.197.134"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262243; rev:1;) alert tcp $HOME_NET any -> [78.40.116.170] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"youlovemedontyou.bounceme.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262241; rev:1;) alert tcp $HOME_NET any -> [209.14.69.249] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"nocrynetworking.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262239; rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 4190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s.sushiking.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262237; rev:1;) alert tcp $HOME_NET any -> [139.59.156.81] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262231; rev:1;) alert tcp $HOME_NET any -> [159.203.9.75] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262232; rev:1;) alert tcp $HOME_NET any -> [159.223.220.220] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262233/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262233; rev:1;) alert tcp $HOME_NET any -> [161.35.210.154] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262234; rev:1;) alert tcp $HOME_NET any -> [174.138.51.159] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262235; rev:1;) alert tcp $HOME_NET any -> [174.138.51.232] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262236; rev:1;) alert tcp $HOME_NET any -> [64.23.232.47] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262223; rev:1;) alert tcp $HOME_NET any -> [64.23.251.7] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262224; rev:1;) alert tcp $HOME_NET any -> [64.23.251.20] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262225; rev:1;) alert tcp $HOME_NET any -> [64.225.17.60] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262226; rev:1;) alert tcp $HOME_NET any -> [64.226.124.214] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262227; rev:1;) alert tcp $HOME_NET any -> [68.183.48.122] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262228; rev:1;) alert tcp $HOME_NET any -> [138.197.90.26] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262229; rev:1;) alert tcp $HOME_NET any -> [139.59.41.182] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262230; rev:1;) alert tcp $HOME_NET any -> [128.199.180.45] 9511 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262215; rev:1;) alert tcp $HOME_NET any -> [138.68.97.101] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262216; rev:1;) alert tcp $HOME_NET any -> [138.68.97.171] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262217; rev:1;) alert tcp $HOME_NET any -> [146.190.135.213] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4track/testtrafficeternal/private3/secure7db/7private3/wordpresslocal/windows/cpuvoiddbtraffic/2base/providerexternalpipejavascriptupdatesqldbasynctemporary.php"; depth:161; nocase; http.host; content:"176.123.168.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262214; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1606aca9.php"; depth:13; nocase; http.host; content:"a0947291.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262213; rev:1;) alert tcp $HOME_NET any -> [45.95.169.113] 3190 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1262209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lsagjogu8ztaueghasdjsdigh.cc"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler.su"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.hitler.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pve.rebirthltd.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; 
classtype:trojan-activity; sid:91262204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.secure-network-rebirthltd.ru"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.dev"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scan.rebirthltd.dev"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-cyber-security-rebirthltd.su"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirth-network.su"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.rebirth-network.su"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps.rebirth-network.su"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"adolfhitler.su"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kz.adolfhitler.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-core-rebirthltd.su"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security.secure-core-rebirthltd.su"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuck-niggers.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262202; rev:1;) alert tcp $HOME_NET any -> [45.32.168.59] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1262188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262188; rev:1;) alert tcp $HOME_NET any -> [91.92.247.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262187/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262187; rev:1;) alert tcp $HOME_NET any -> [45.207.36.45] 2088 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262186/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262186; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262185/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262185; rev:1;) alert tcp $HOME_NET any -> [41.99.107.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262184; rev:1;) alert tcp $HOME_NET any -> [69.159.0.21] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262183; rev:1;) alert tcp $HOME_NET any -> [77.126.168.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262182; rev:1;) alert tcp $HOME_NET any -> [154.82.65.35] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262181; rev:1;) alert tcp $HOME_NET any -> [64.23.159.147] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262180; rev:1;) alert tcp $HOME_NET any -> [209.151.148.194] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262179; rev:1;) alert tcp $HOME_NET any -> [51.8.90.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262178; rev:1;) alert tcp $HOME_NET any -> [3.250.35.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262177; 
rev:1;) alert tcp $HOME_NET any -> [3.250.35.163] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262176; rev:1;) alert tcp $HOME_NET any -> [86.60.160.90] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262175; rev:1;) alert tcp $HOME_NET any -> [31.42.185.190] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262174; rev:1;) alert tcp $HOME_NET any -> [164.92.80.224] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262173; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262172; rev:1;) alert tcp $HOME_NET any -> [50.114.37.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262171/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262171; rev:1;) alert tcp $HOME_NET any -> [129.226.154.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262170; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262169; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262168; rev:1;) alert tcp $HOME_NET any -> [91.92.253.249] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262167; rev:1;) alert tcp $HOME_NET any -> [172.160.240.225] 7654 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262166; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262157; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262158/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_25; classtype:trojan-activity; sid:91262158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262148; rev:1;) alert tcp $HOME_NET any -> [91.149.202.222] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262162/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262162; rev:1;) alert tcp $HOME_NET any -> [159.253.120.176] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_25; classtype:trojan-activity; sid:91262163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~blog/"; depth:7; nocase; http.host; content:"45.77.223.48"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1262165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262164; rev:1;) alert tcp $HOME_NET any -> [41.249.109.159] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262161; rev:1;) alert tcp $HOME_NET any -> [80.66.89.223] 38183 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_25; classtype:trojan-activity; sid:91262160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"golovkcc.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; 
depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262156; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262155; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262154; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12143 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262153; rev:1;) alert tcp $HOME_NET any -> [45.148.120.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.148.120.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262151/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"193.32.179.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262149; rev:1;) alert tcp $HOME_NET any -> [193.32.179.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262150; rev:1;) alert tcp $HOME_NET any -> [95.169.196.22] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262139; rev:1;) alert tcp $HOME_NET any -> [185.196.11.177] 45 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262140; rev:1;) alert tcp $HOME_NET any -> [212.70.149.10] 35342 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; 
sid:91262141; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 3966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262142; rev:1;) alert tcp $HOME_NET any -> [2.58.95.123] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262143; rev:1;) alert tcp $HOME_NET any -> [94.156.79.155] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262144; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262145; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 12138 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262110; rev:1;) alert tcp $HOME_NET any -> [82.205.72.17] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aboft7e.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91262107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wavebysudryez.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262105; rev:1;) alert tcp $HOME_NET any -> [93.123.39.16] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262103; rev:1;) alert tcp $HOME_NET any -> [5.230.68.74] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262147/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91262147; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262135; rev:1;) alert tcp $HOME_NET any -> [45.88.186.159] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262136; rev:1;) alert tcp $HOME_NET any -> [89.208.105.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262134; rev:1;) alert tcp $HOME_NET any -> [20.67.206.46] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262133; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262132; rev:1;) alert tcp $HOME_NET any -> [47.94.88.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262131; rev:1;) alert tcp $HOME_NET any -> [104.194.79.234] 8044 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262130; rev:1;) alert tcp $HOME_NET any -> [8.213.212.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262129; rev:1;) alert tcp $HOME_NET any -> [43.129.31.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262128; rev:1;) alert tcp $HOME_NET any -> [18.166.176.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262127; rev:1;) alert tcp $HOME_NET any -> [130.63.213.199] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262126; 
rev:1;) alert tcp $HOME_NET any -> [35.72.161.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262125; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262124; rev:1;) alert tcp $HOME_NET any -> [103.82.132.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262123; rev:1;) alert tcp $HOME_NET any -> [143.198.237.101] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262122; rev:1;) alert tcp $HOME_NET any -> [195.123.226.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262121; rev:1;) alert tcp $HOME_NET any -> [92.243.64.130] 28002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262120/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262120; rev:1;) alert tcp $HOME_NET any -> [62.233.57.237] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262119; rev:1;) alert tcp $HOME_NET any -> [213.87.44.192] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262118; rev:1;) alert tcp $HOME_NET any -> [219.144.98.12] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262117; rev:1;) alert tcp $HOME_NET any -> [98.98.118.81] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262116; rev:1;) alert tcp $HOME_NET any -> [217.237.87.199] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91262115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providereternalprotectdbasync.php"; depth:34; nocase; http.host; content:"a0804818.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.73.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dttao.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1262104/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262104; rev:1;) alert tcp $HOME_NET any -> [193.233.132.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"20.106.253.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1262101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262101; rev:1;) alert tcp $HOME_NET any -> [185.62.58.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262100; rev:1;) alert tcp $HOME_NET any -> [82.153.64.23] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262099; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1262006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91262006; rev:1;) alert tcp $HOME_NET any -> 
[139.162.178.159] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261864; rev:1;) alert tcp $HOME_NET any -> [78.40.117.167] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261863; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261862; rev:1;) alert tcp $HOME_NET any -> [139.99.133.66] 4444 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261861; rev:1;) alert tcp $HOME_NET any -> [146.70.198.22] 60129 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261860; rev:1;) alert tcp $HOME_NET any -> [187.135.122.191] 2022 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261859/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hearthingdirecwi.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.211.228.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"18.162.61.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261858; rev:1;) alert tcp $HOME_NET any -> [18.162.61.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"3.139.18.182"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261855; rev:1;) alert tcp $HOME_NET any -> [3.139.18.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261854; rev:1;) alert tcp $HOME_NET any -> [202.146.220.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261853; rev:1;) alert tcp $HOME_NET any -> [123.249.36.186] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"116.205.188.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261851; rev:1;) alert tcp $HOME_NET any -> [116.205.188.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1261850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.130.70.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261849; rev:1;) alert tcp $HOME_NET any -> [8.130.70.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261848; rev:1;) alert tcp $HOME_NET any -> [101.34.87.236] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"45.116.79.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261846; rev:1;) alert tcp $HOME_NET any -> [165.227.108.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1261845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/query/info"; depth:11; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; 
sid:91261840; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.13.86"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"123.57.85.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.150.47.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"154.3.1.252"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"172.247.44.182"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261835; rev:1;) alert tcp $HOME_NET any -> [173.211.46.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrew"; depth:5; nocase; http.host; content:"173.211.46.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261833; rev:1;) alert tcp $HOME_NET any -> [61.240.29.215] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"61.240.29.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261831; rev:1;)
# Shape of every "url" IoC rule in this feed: the URI and the Host header are each
# matched with content + depth + isdataat:!1,relative, so the buffer must equal the
# listed value exactly (no trailing bytes). nocase modifies only the preceding URI
# content; the Host match is case-sensitive. Short generic URIs (/push, /ca, /ga.js,
# /cx, /fwlink ...) recur across many different hosts in this feed and are only
# discriminating together with the exact Host value - do not loosen the Host match
# when tuning. The reference:url points at the ThreatFox entry; sid = 9 + IoC id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"91.92.242.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261830; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.221.150.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261829; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/open/js/jweixin-1.4.0.js"; depth:25; nocase; http.host; content:"65.20.107.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261828; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261827; rev:1;)
# "domain" IoC rules use dns_query with the same exact-length match (depth = name
# length, isdataat:!1,relative) plus nocase. Direction is $HOME_NET -> $EXTERNAL_NET,
# so a sensor that only sees clients talking to an internal resolver will not see
# these queries - where the sensor sits relative to the resolver matters; confirm
# per deployment. Names on shared cloud API-gateway/CDN platforms (tencentapigw.com.cn
# here) look tenant-specific: act on the full hostname, never the parent domain.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261826; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-6qlmfr7s-1312562872.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.130.30.60"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261824; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"18.166.113.176"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261823; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/logo.gif"; depth:9; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.157.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261821; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261820; rev:1;)
# "ip:port" IoC rules carry no flow keyword, so they fire on any TCP packet to that
# address:port, including a bare SYN that is never answered; threshold caps this at
# one alert per source per 60 s. The same address often also has a url rule
# (156.224.20.92: sid 91261818), which is the higher-fidelity signal of the two.
alert tcp $HOME_NET any -> [156.224.20.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261819; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"156.224.20.92"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1261818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261818; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"107.174.254.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261817; rev:1;)
# Several hosts get a dns_query rule and a url rule for the same name (www.alipan.lol:
# sids 91261816 / 91261815; bliblyuvblfds.work.gd: 91261811 / 91261810). One beacon
# can therefore raise two alerts - the lookup and the request - so correlate on the
# hostname rather than counting them as separate events.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.alipan.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261816; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.alipan.lol"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261815; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"107.172.159.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261814; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.2.202.15"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261813; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261812; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"bliblyuvblfds.work.gd"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261810; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bliblyuvblfds.work.gd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261811; rev:1;)
# keolisgroup.azureedge.net is an endpoint name on a shared CDN platform; the brand-like
# label says nothing about who controls it. Block/alert on this exact hostname only -
# a wildcard on azureedge.net would hit unrelated tenants.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"keolisgroup.azureedge.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261809; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.212.71.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261808; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.222.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261807; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/profile"; depth:13; nocase; http.host; content:"47.92.131.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261806; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"139.155.134.117"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261805; 
rev:1;)
# Tenant-specific API-gateway hostname (apigw.tencentcs.com): match the full name
# only; the parent domain is shared infrastructure.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261804; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/product"; depth:8; nocase; http.host; content:"service-j78tszan-1319584009.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261803; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.50.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261802; rev:1;)
# 129.204.169.101 already has a url rule for /push (sid 91261827); this one adds a
# second URI for the same host. Pixel/gif-style URIs are generic and only meaningful
# with the exact Host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"129.204.169.101"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261801; rev:1;)
# 23.102.7.180 is covered twice: the url rule below (request-level, needs an
# established flow) and the ip:port Cobalt Strike rule right after it (any packet to
# port 80, rate-limited). Expect the ip:port alert first on a live infection; use the
# url alert as confirmation.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.102.7.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261799; rev:1;)
alert tcp $HOME_NET any -> [23.102.7.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261800; rev:1;)
# berita-timur.kumbaraan.biz.id: dns rule here plus url rules for /image (below) and
# /logo.gif (sid 91261822).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berita-timur.kumbaraan.biz.id"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261798; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image"; depth:6; nocase; http.host; content:"berita-timur.kumbaraan.biz.id"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261797; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoftupdate/shellex/kb242742/default.aspx"; depth:46; nocase; http.host; content:"192.227.152.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261796; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/milu_image/"; depth:12; nocase; http.host; content:"www.614110.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261794; rev:1;)
# 18.166.113.176 also has a url rule for /milu_image/ (sid 91261823).
alert tcp $HOME_NET any -> [18.166.113.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261795; rev:1;)
alert tcp $HOME_NET any -> [154.213.17.138] 90 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261793; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.213.17.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261792; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fiash.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261791; rev:1;)
alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fiash.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261790; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"101.36.111.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261789; rev:1;)
# Non-HTTP family on a non-standard port: no flow keyword, so any TCP packet to
# 192.144.128.196:1994 alerts (rate-limited per source).
alert tcp $HOME_NET any -> [192.144.128.196] 1994 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261788; rev:1;)
# 39.100.109.229: url rule for /mall_100_100.html here and an ip:port Cobalt Strike
# rule on 443 (sid 91261779). The same URI also appears with Host www.huawei.com
# (sid 91261777) - see the note on that rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"39.100.109.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261786; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"150.158.141.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261785; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"107.174.235.118"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261784; rev:1;)
# 120.46.91.175 and 39.100.79.87 each get an ip:port rule plus a url rule on the same
# host; the ip:port alert needs no completed handshake, the url alert does.
alert tcp $HOME_NET any -> [120.46.91.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261782; rev:1;)
alert tcp $HOME_NET any -> [39.100.79.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261781; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"39.100.79.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261780; rev:1;)
alert tcp $HOME_NET any -> [39.100.109.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261779; rev:1;)
# NOTE(review): this rule keys on the Host header value www.huawei.com, a legitimate
# vendor hostname, combined with the URI /mall_100_100.html that sid 91261786 ties to
# 39.100.109.229 (flagged as Cobalt Strike by sid 91261779). The Host header is
# attacker-controlled and is presumably being set to look legitimate here; the rule
# matches only the exact Host+URI pair, but any genuine request for that path would
# also fire. Check the destination IP before acting on this alert alone.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"www.huawei.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261777; rev:1;)
# Four karakal*.shop hosts (sids 91261768-91261771) share the URI /y2jhnzzhzwrjmzlm/
# at confidence 80: the path is the common element across that cluster, the Host
# values differ. The msg text and metadata confidence_level both carry the 80, so
# either can be used to route these to a lower-severity queue.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanda346.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261768; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakafsafndan5.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261769; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalanfgdfg.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261770; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalaasdgtg.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_24; classtype:trojan-activity; sid:91261771; rev:1;)
alert tcp $HOME_NET any -> [103.113.70.99] 2630 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261776; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.goelites.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261775; rev:1;)
# 45.88.90.30 appears twice in this feed: port 43957 here at confidence 75 and port 80
# at confidence 100 (sid 91261755). Treat the lower-confidence socket as corroborating
# evidence rather than a standalone verdict.
alert tcp $HOME_NET any -> [45.88.90.30] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261774/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261774; rev:1;)
# The two rules below are not redundant: depth equals the content length, so the
# apex rule (depth:12, isdataat:!1,relative) only matches a query that is exactly
# "zelenskyj.ru", never "putin.zelenskyj.ru" (18 bytes). Other subdomains of the apex
# are therefore not covered by either rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"putin.zelenskyj.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261772; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zelenskyj.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261773; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261767; rev:1;)
alert tcp $HOME_NET any -> [107.148.1.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261766; rev:1;)
# trycloudflare.com hostnames are short-lived tunnel endpoints on a shared platform;
# the url rule and the dns rule (sid 91261765) pin the exact 50-byte name. Do not
# widen to the parent domain, and expect the indicator to age out quickly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261764; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmware-yrs-conflicts-favorites.trycloudflare.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261765; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.131] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261763; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261760; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.netsyn.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261761; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.nodefunction.vip"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; 
classtype:trojan-activity; sid:91261762; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eclp8oz0m8mxouv96hc9p7k2btydt3iv.click"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1261759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261759; rev:1;)
# Four MooBot C2 sockets on port 80, all confidence 100 (sids 91261755-91261758).
# No flow keyword: a single SYN from a host in $HOME_NET is enough to alert, and
# threshold then suppresses repeats from that source for 60 s.
alert tcp $HOME_NET any -> [45.88.90.30] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261755; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.17] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261756; rev:1;)
alert tcp $HOME_NET any -> [89.169.55.166] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261757; rev:1;)
alert tcp $HOME_NET any -> [91.92.240.43] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261758; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.10] 50505 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261754; rev:1;)
# The confidence-50 rules that follow (Meduza Stealer, QakBot, Responder, BianLian,
# Deimos, Amadey) are ip:port-only with no protocol check, so a single packet to the
# socket alerts. The "confidence_level 50" metadata key is the intended handle for
# routing these to review rather than automated response.
alert tcp $HOME_NET any -> [45.150.64.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261753; rev:1;)
alert tcp $HOME_NET any -> [95.179.190.134] 23954 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261752; rev:1;)
# Port 465 (SMTPS) at confidence 50: mail relays in $HOME_NET legitimately open
# outbound 465, so verify the destination address before escalating.
alert tcp $HOME_NET any -> [96.70.92.177] 465 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261751; rev:1;)
# Outbound SMB (445) from $HOME_NET to an external address is itself a policy
# violation in most environments; this alert should be backed by an egress block on
# 445 regardless of the indicator's confidence.
alert tcp $HOME_NET any -> [122.100.188.124] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261750; rev:1;)
alert tcp $HOME_NET any -> [158.160.87.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261749; rev:1;)
alert tcp $HOME_NET any -> [80.82.76.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261748; rev:1;)
alert tcp $HOME_NET any -> [140.249.32.157] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261747; rev:1;)
alert tcp $HOME_NET any -> [123.57.183.22] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261746; rev:1;)
alert tcp $HOME_NET any -> [101.200.197.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261745; rev:1;)
alert tcp $HOME_NET any -> [47.116.170.61] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261744; rev:1;)
# "payload delivery" ip:port entries (Amadey, sids 91261226-91261231 and onward) use
# the same single-packet match as the C2 rules; the msg text is the only thing that
# distinguishes the two categories, so key any routing on msg or on the IoC id.
alert tcp $HOME_NET any -> [45.156.23.149] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261226/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261226; rev:1;) alert tcp $HOME_NET any -> [45.156.23.186] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261227; rev:1;) alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261228; rev:1;) alert tcp $HOME_NET any -> [193.242.145.129] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261229; rev:1;) alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261230; rev:1;) alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_24; classtype:trojan-activity; sid:91261231; rev:1;) alert tcp $HOME_NET any -> [46.246.14.10] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1261740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_24; classtype:trojan-activity; sid:91261740; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nano.anygreaterways.tech"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260928; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260989; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260990; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91260998; rev:1;) alert tcp $HOME_NET any -> [154.53.42.53] 8847 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261000; rev:1;) alert tcp $HOME_NET any 
-> [3.6.115.182] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261006; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261007; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261008; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 10651 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261742; rev:1;) alert tcp $HOME_NET any -> [60.205.245.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261741; rev:1;) alert tcp $HOME_NET any -> [91.92.252.220] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261739; rev:1;) alert tcp $HOME_NET any -> [193.233.132.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_24; classtype:trojan-activity; sid:91261738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/300e6d86f44da037.php"; depth:21; nocase; http.host; content:"89.105.198.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"115.159.62.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261005; rev:1;) alert tcp $HOME_NET any -> [45.144.3.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.144.3.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261003; rev:1;) alert tcp $HOME_NET any -> [60.205.245.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1261002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compare/sf/1g3fvhte94"; depth:22; nocase; http.host; content:"60.205.245.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1261001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91261001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blockbeerman.fun"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"fghjdtgujkjdgkdettygdbnbbn.000webhostapp.com"; depth:44; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6/api144/9wp/imagevmcpubigloaddefault.php"; depth:42; nocase; http.host; content:"45.130.42.16"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260996; rev:1;) alert tcp $HOME_NET any -> [193.37.69.112] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260994/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260994; rev:1;) alert tcp $HOME_NET any -> [193.168.143.19] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260995/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260995; rev:1;) alert tcp $HOME_NET any -> [45.129.199.246] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"cajgtus.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260991; rev:1;) alert tcp $HOME_NET any -> [62.60.130.8] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1260988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/rili/gate.php"; depth:22; nocase; http.host; content:"smartoffice-eg.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260987; rev:1;) alert tcp $HOME_NET any -> [47.96.107.37] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260986; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260985; rev:1;) alert tcp $HOME_NET any -> [213.252.247.202] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260984; rev:1;) alert tcp $HOME_NET any -> [156.195.128.36] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260983/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260983; rev:1;) alert tcp $HOME_NET any -> [128.90.103.36] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260982; rev:1;) alert tcp $HOME_NET any -> [85.97.168.208] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6ef96e7190cc7acd.php"; depth:21; nocase; http.host; content:"185.161.248.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260980; rev:1;) alert tcp $HOME_NET any -> [185.229.237.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260979; rev:1;) alert tcp $HOME_NET any -> [94.156.68.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260978; rev:1;) alert tcp $HOME_NET any -> 
[94.156.68.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260977; rev:1;) alert tcp $HOME_NET any -> [172.247.44.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260975; rev:1;) alert tcp $HOME_NET any -> [154.198.194.220] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260976; rev:1;) alert tcp $HOME_NET any -> [117.72.39.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260974; rev:1;) alert tcp $HOME_NET any -> [117.72.65.27] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260973; rev:1;) alert tcp $HOME_NET any -> [148.135.46.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260971/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260971; rev:1;) alert tcp $HOME_NET any -> [148.135.46.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"symposiumos.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260970; rev:1;) alert tcp $HOME_NET any -> [170.130.55.123] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260969; rev:1;) alert tcp $HOME_NET any -> [103.146.141.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260967; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260968; rev:1;) alert tcp $HOME_NET any -> [114.116.50.214] 59527 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260966; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 3036 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260965; rev:1;) alert tcp $HOME_NET any -> [101.36.117.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260964; rev:1;) alert tcp $HOME_NET any -> [18.144.30.84] 8848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.614110.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260962; rev:1;) alert tcp $HOME_NET any -> [18.166.113.176] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260961/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260961; rev:1;) alert tcp $HOME_NET any -> [54.249.71.250] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260960; rev:1;) alert tcp $HOME_NET any -> [185.216.70.211] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260959; rev:1;) alert tcp $HOME_NET any -> [104.214.168.71] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260958; rev:1;) alert tcp $HOME_NET any -> [139.84.234.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260957; rev:1;) alert tcp $HOME_NET any -> [176.44.95.96] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260956; rev:1;) alert tcp $HOME_NET any -> [85.107.24.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260955; rev:1;) alert tcp $HOME_NET any -> [122.248.198.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260954; rev:1;) alert tcp $HOME_NET any -> [178.128.22.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260953; rev:1;) alert tcp $HOME_NET any -> [66.135.9.239] 3232 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260952; rev:1;) alert tcp $HOME_NET any -> [62.210.188.78] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260951; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260950; rev:1;) alert tcp 
$HOME_NET any -> [144.208.127.115] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260949; rev:1;) alert tcp $HOME_NET any -> [144.208.127.115] 37821 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260948; rev:1;) alert tcp $HOME_NET any -> [20.2.202.15] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260947; rev:1;) alert tcp $HOME_NET any -> [43.130.252.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"img.creativemedia.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260945; rev:1;) alert tcp $HOME_NET any -> [107.175.115.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260944; rev:1;) alert tcp $HOME_NET any -> [23.94.133.100] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"keolisgroup.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260942; rev:1;) alert tcp $HOME_NET any -> [138.68.87.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260941; rev:1;) alert tcp $HOME_NET any -> [139.9.35.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260940; rev:1;) alert tcp $HOME_NET any -> [139.196.174.180] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260939; rev:1;) alert tcp $HOME_NET any -> 
[139.196.154.253] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260938; rev:1;) alert tcp $HOME_NET any -> [123.57.58.184] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260937; rev:1;) alert tcp $HOME_NET any -> [123.57.58.184] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260936; rev:1;) alert tcp $HOME_NET any -> [121.199.43.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260935; rev:1;) alert tcp $HOME_NET any -> [120.25.2.115] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260934; rev:1;) alert tcp $HOME_NET any -> [59.110.126.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260933/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260933; rev:1;) alert tcp $HOME_NET any -> [47.120.63.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260932; rev:1;) alert tcp $HOME_NET any -> [47.120.32.46] 10152 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260931; rev:1;) alert tcp $HOME_NET any -> [47.117.156.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260930; rev:1;) alert tcp $HOME_NET any -> [47.98.251.131] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.146.50.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260927; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"112.124.34.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.243.59.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.101.37.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.113.150.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.139.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260918/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260918; rev:1;) alert tcp $HOME_NET any -> [43.153.202.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"api.rayob2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.rayob2.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260916; rev:1;) alert tcp $HOME_NET any -> [8.137.93.215] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.210.236.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260913/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.188.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.147.132.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"157.245.12.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.117.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260908; rev:1;) alert tcp $HOME_NET any -> [42.193.117.162] 80 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260909; rev:1;) alert tcp $HOME_NET any -> [43.136.176.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ldzftvcf-1252123187.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260906; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.98.247.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ku7vp6lj-1253504731.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260901; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 8889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260899/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_23; classtype:trojan-activity; sid:91260899; rev:1;) alert tcp $HOME_NET any -> [8.134.113.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"62.234.223.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"156.224.25.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260894; rev:1;) alert tcp $HOME_NET any -> [80.66.75.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1260893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/0cmp4e8sk1rgrjhc2ncnqf2u"; depth:42; nocase; http.host; content:"facelove.life"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"facelove.life"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260892; rev:1;) alert tcp $HOME_NET any -> [101.201.54.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ca"; depth:3; nocase; http.host; content:"47.76.153.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.130.118.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260886; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260885; rev:1;) alert tcp $HOME_NET any -> [101.33.192.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.50.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.51.156.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rewardsapp/ncfooter"; depth:20; nocase; http.host; content:"117.187.245.242"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"43.141.11.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260880; rev:1;) alert tcp $HOME_NET any -> [139.144.33.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1260879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zomgapt"; depth:8; nocase; http.host; content:"38.107.146.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"39.104.28.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.55.36.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260875; rev:1;) alert tcp $HOME_NET any -> [120.55.36.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260876; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260874; rev:1;) alert tcp $HOME_NET any -> [43.136.38.59] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oa.dahuatec.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"oa.dahuatec.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260871; rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.97.58.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.92.200.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.208.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260867; rev:1;) alert tcp $HOME_NET any -> [104.248.6.246] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.homes"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260864; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.homes"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260865; rev:1;) alert tcp $HOME_NET any -> [38.34.166.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.34.166.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"81.19.136.252"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260860/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_23; classtype:trojan-activity; sid:91260860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-r3og53uv-1303913364.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"37.27.11.209"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"100.40.180.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260856; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.229.200.233"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dr-hoefler.de"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260853; rev:1;) alert tcp $HOME_NET any -> [46.101.137.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dr-hoefler.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.76.219.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.207.38.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.156.166.78"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"193.112.85.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"8.137.108.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"8.222.176.223"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260845; rev:1;) alert tcp $HOME_NET any -> [124.222.218.72] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260844; rev:1;) alert tcp $HOME_NET any -> [5.188.86.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"zx.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"zx.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eo"; depth:3; nocase; http.host; content:"as.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_shop_active"; depth:16; nocase; http.host; content:"qw.scsvcreg.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.scsvcreg.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.141.13.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"91.92.246.246"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"128.199.178.134"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.201.54.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260829; rev:1;) alert tcp $HOME_NET any -> [103.143.208.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"www.xahoithongtins.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.5.6.min.js"; depth:20; nocase; http.host; content:"www.xahoithongtins.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.134.188.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260824; rev:1;) alert tcp $HOME_NET any -> [123.206.126.95] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"62.204.41.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260822; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260821; rev:1;) alert tcp $HOME_NET any -> [118.89.72.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260820; rev:1;) alert tcp $HOME_NET any -> [115.159.62.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260819; rev:1;) alert tcp $HOME_NET any -> [101.42.1.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260818; rev:1;) alert tcp $HOME_NET any -> [101.34.70.89] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260817; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260816; rev:1;) alert tcp $HOME_NET any -> [81.70.236.105] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260815; rev:1;) alert tcp $HOME_NET any -> [49.235.187.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260814; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260813; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260811; rev:1;) alert tcp $HOME_NET any -> [49.233.211.19] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260812; rev:1;) alert tcp $HOME_NET any 
-> [43.136.109.223] 60000 (msg:"ThreatFox Viper RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260810; rev:1;) alert tcp $HOME_NET any -> [43.136.109.223] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260809; rev:1;) alert tcp $HOME_NET any -> [1.13.19.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260808; rev:1;) alert tcp $HOME_NET any -> [103.254.73.249] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260807; rev:1;) alert tcp $HOME_NET any -> [103.254.73.248] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260806; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260802/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260802; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260801; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260800; rev:1;) alert tcp $HOME_NET any -> [94.156.10.12] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260799/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260799; rev:1;) alert tcp $HOME_NET any -> [94.156.79.77] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.voidnet.click"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260560; rev:1;) alert tcp $HOME_NET any -> [217.15.168.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260579; rev:1;) alert tcp $HOME_NET any -> [158.51.96.17] 1025 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260574; rev:1;) alert tcp $HOME_NET any -> [185.102.172.136] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260575; rev:1;) alert tcp $HOME_NET any -> [188.212.100.60] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260576; rev:1;) alert tcp $HOME_NET any -> [193.187.174.244] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260577; rev:1;) alert tcp $HOME_NET any -> [209.141.44.84] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; 
classtype:trojan-activity; sid:91260578; rev:1;) alert tcp $HOME_NET any -> [45.128.232.210] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260567; rev:1;) alert tcp $HOME_NET any -> [45.131.64.78] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260568; rev:1;) alert tcp $HOME_NET any -> [82.165.230.58] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260569; rev:1;) alert tcp $HOME_NET any -> [91.92.252.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260570; rev:1;) alert tcp $HOME_NET any -> [94.156.79.33] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260571; rev:1;) alert tcp $HOME_NET any -> [149.56.79.119] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260572; rev:1;) alert tcp $HOME_NET any -> [152.42.239.228] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260573; rev:1;) alert tcp $HOME_NET any -> [2.58.95.133] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260561; rev:1;) alert tcp $HOME_NET any -> [15.204.18.234] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260562; rev:1;) alert tcp $HOME_NET any -> [15.235.149.59] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260563; rev:1;) alert tcp $HOME_NET any -> [15.235.149.123] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260564; 
rev:1;) alert tcp $HOME_NET any -> [37.114.56.22] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260565; rev:1;) alert tcp $HOME_NET any -> [45.128.232.12] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpacketupdateprotectdle.php"; depth:37; nocase; http.host; content:"212.109.196.215"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260558; rev:1;) alert tcp $HOME_NET any -> [65.191.34.123] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260518; rev:1;) alert tcp $HOME_NET any -> [188.49.116.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260528/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain 
- confidence level: 100%)"; dns_query; content:"ipscanadvsf.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"notionso.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260530; rev:1;) alert tcp $HOME_NET any -> [65.21.119.50] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"pdftoconvert.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"toppdfconverter.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"zoomis.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1260535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260535; rev:1;)
# URL rules: http.uri content + depth:N pins the request-path prefix, http.host content + isdataat:!1,relative
# pins the exact Host value. Variants with `http.uri; content:"/"; depth:1` therefore match ANY GET to that host.
# Every rule sets target:src_ip, i.e. the internal client is reported as the affected host; reference:url
# points at the ThreatFox IOC entry for the submission context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"faststaynow.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260556; rev:1;)
# ip:port rules carry no flow: keyword, so any TCP packet from $HOME_NET to the listed dst:port alerts;
# threshold:type limit, track by_src, seconds 60, count 1 caps this at one alert per source per minute.
alert tcp $HOME_NET any -> [147.78.103.228] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260557; rev:1;)
# Domain rules match the exact name in dns_query (depth + isdataat:!1,relative), case-insensitive.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neger.icu"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260555; rev:1;)
# One path (/dashboard/attack.html) across many hosts, ioc 1260544-1260554: each rule is pinned to its own host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"neger.icu"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260553; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"methbot-proxy.pro"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260554; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260551; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260552; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"195.181.164.244"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"135.148.57.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260547; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"51.81.104.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260548; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"93.123.85.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"2.58.95.81"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260546; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard/attack.html"; depth:22; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260544; rev:1;)
# Cobalt Strike entries below come in pairs: an ip:port rule plus a URL rule for the same server.
alert tcp $HOME_NET any -> [45.136.15.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260542; rev:1;)
alert tcp $HOME_NET any -> [101.42.228.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260540; rev:1;)
alert tcp $HOME_NET any -> [148.135.72.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260539; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localuniversal/3dumpprocessor/gamewordpresstrack6/eternal4/flower8testdump/longpolllongpoll/securehttpwplocal.php"; depth:114; nocase; http.host; content:"82.146.61.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elastsolek21.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260531; rev:1;)
alert tcp $HOME_NET any -> [106.75.174.5] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260527; rev:1;)
# NOTE(review): the Host value 106.75.104.5 below differs from the 106.75.174.5 in the ip:port rule above
# (ioc 1260526 vs 1260527) — confirm against the referenced IOC entries whether this is one server or two.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.75.104.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260526; rev:1;)
alert tcp $HOME_NET any -> [45.136.15.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.136.15.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260524; rev:1;)
alert tcp $HOME_NET any -> [139.196.174.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.196.174.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"webpoint.micromoto.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260521; rev:1;)
alert tcp $HOME_NET any -> [148.135.72.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"148.135.72.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260519; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.231] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260517; rev:1;)
alert tcp $HOME_NET any -> [193.35.18.127] 19286 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260515; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.122] 39361 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260514; rev:1;)
# The "Unknown malware" rules below are submitted at confidence_level 50; they carry the same alert
# semantics as the 100% rules, so triage them via the reference:url entry rather than acting on sid alone.
alert tcp $HOME_NET any -> [45.142.212.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260513; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.148] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260512; rev:1;)
alert tcp $HOME_NET any -> [23.254.144.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260511; rev:1;)
alert tcp $HOME_NET any -> [43.198.238.210] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260510; rev:1;)
alert tcp $HOME_NET any -> [117.72.38.14] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260509; rev:1;)
alert tcp $HOME_NET any -> [104.214.168.52] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260508; rev:1;)
alert tcp $HOME_NET any -> [117.72.64.94] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260507; rev:1;)
alert tcp $HOME_NET any -> [124.221.56.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260506; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260505; rev:1;)
alert tcp $HOME_NET any -> [151.30.238.53] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260504; rev:1;)
alert tcp $HOME_NET any -> [189.175.199.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260503; rev:1;)
alert tcp $HOME_NET any -> [103.215.80.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260502; rev:1;)
alert tcp $HOME_NET any -> [3.76.124.183] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260501; rev:1;)
alert tcp $HOME_NET any -> [45.55.38.40] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_23; classtype:trojan-activity; sid:91260500; rev:1;)
# Domain batch ioc 1260488-1260499, each paired further down with a host-only URL rule (GET / to the same name).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bimbro.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bohot.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karl3on.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neuengi.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndearn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"almatac.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kartogra.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aktayho.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260499; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aktayho.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260487; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redddog.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260488; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eralaunch.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260489; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soka101.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260490; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tenens.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kartogra.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"almatac.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260485; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ndearn.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"neuengi.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260483; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"karl3on.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bohot.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260481; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bimbro.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260480; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tenens.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soka101.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eralaunch.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"redddog.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260476; rev:1;)
# Vidar batch ioc 1260460-1260475: ip:port rules (tcp/443 and tcp/5432) plus host-only URL rules per server.
alert tcp $HOME_NET any -> [116.203.7.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260473; rev:1;)
alert tcp $HOME_NET any -> [95.217.9.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260474; rev:1;)
alert tcp $HOME_NET any -> [95.217.240.166] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260467; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.99] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260468; rev:1;)
alert tcp $HOME_NET any -> [95.217.244.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260469; rev:1;)
alert tcp $HOME_NET any -> [49.13.224.6] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260470; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.217] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260471; rev:1;)
alert tcp $HOME_NET any -> [116.202.177.31] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260472; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.9.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260466; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.7.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.177.31"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260464; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.224.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260462; rev:1;)
# NOTE(review): sids 91260461 and 91260460 have identical match criteria (GET / to Host 95.217.244.99), so one
# request raises both alerts — confirm whether the two IOC entries (1260461, 1260460) should be deduplicated.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260460; rev:1;)
# The next two rules hit widely used legitimate services (steamcommunity.com, t.me); the match is pinned to
# one profile/path, so review hits in context rather than treating the host itself as the indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199677575543"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260459; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/snsb82"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260458; rev:1;)
alert tcp $HOME_NET any -> [77.221.149.0] 5428 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260457; rev:1;)
# Payload-delivery pair (ioc 1260424 / 1260426): URL rule on the download path plus an ip:port rule for the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/powershell/"; depth:21; nocase; http.host; content:"194.163.130.194"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260424; rev:1;)
alert tcp $HOME_NET any -> [194.163.130.194] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260426; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.96] 28380 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260430; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.20] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260431; rev:1;)
alert tcp $HOME_NET any -> [41.200.95.182] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wscript.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260453/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260453; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.191] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260454/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260454; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.238] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_23; classtype:trojan-activity; sid:91260455; rev:1;)
alert tcp $HOME_NET any -> [103.95.97.149] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"vjwmaster.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_23; classtype:trojan-activity; sid:91260451; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.88] 16964 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerjavascriptrequestupdate.php"; depth:36; nocase; http.host; content:"clientright.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/payment/54wa3c29/eblaghhh/confirm.php"; depth:54; nocase; http.host; content:"tech-1.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260446; rev:1;) alert tcp $HOME_NET any -> [185.11.145.254] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260447; rev:1;) alert tcp $HOME_NET any -> [185.11.145.145] 443 (msg:"ThreatFox IRATA botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/"; depth:17; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/"; depth:21; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/"; depth:30; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/sms.php"; depth:37; nocase; 
http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/id.txt"; depth:36; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/requests.php"; depth:42; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data/6977722252/rat/140wa69z/contact.php"; depth:41; nocase; http.host; content:"my-admin-sql.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260436/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260436; rev:1;) alert tcp $HOME_NET any -> [4.206.184.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mms.html"; depth:9; nocase; http.host; content:"tdinsuranceapply-a0guehftc6fzegca.a03.azurefd.net"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260433; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; 
http.host; content:"121.37.214.255"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vgbashgdvgvbhkbjhqwrgrthyuj/hjqwretyuiopadshnjmklomfhbqaxinhgbfwrftgyujicn/iplkrtikfmjdnsbgatefv/yughghjbjgbjhsdgstgsdhysyryyrs/uhgbnte/five/fre.php"; depth:149; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260429; rev:1;) alert tcp $HOME_NET any -> [91.188.254.6] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260428; rev:1;) alert tcp $HOME_NET any -> [181.214.147.25] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260427; rev:1;) alert tcp $HOME_NET any -> [77.221.151.32] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260425; rev:1;) alert tcp $HOME_NET any -> [120.46.39.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260423; rev:1;) alert tcp $HOME_NET any -> [60.204.232.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260422; rev:1;) alert tcp $HOME_NET any -> [123.207.16.205] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260421; rev:1;) alert tcp $HOME_NET any -> [47.113.219.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260420; rev:1;) alert tcp $HOME_NET any -> [85.99.83.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260419; rev:1;) alert tcp $HOME_NET any -> [157.20.182.102] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; 
classtype:trojan-activity; sid:91260418; rev:1;) alert tcp $HOME_NET any -> [45.87.155.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260417; rev:1;) alert tcp $HOME_NET any -> [77.232.143.114] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260416; rev:1;) alert tcp $HOME_NET any -> [165.22.72.160] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260415; rev:1;) alert tcp $HOME_NET any -> [43.154.80.163] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260414; rev:1;) alert tcp $HOME_NET any -> [109.123.252.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260413; rev:1;) alert tcp $HOME_NET any -> [109.120.178.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1260412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260412; rev:1;) alert tcp $HOME_NET any -> [45.79.123.66] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260411; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 2222 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260410; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 43122 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91260409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"94.156.79.164"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260408; rev:1;) alert tcp $HOME_NET any -> [107.175.229.136] 24775 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260407/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_22; classtype:trojan-activity; sid:91260407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/whatsappsecure.apk"; depth:19; nocase; http.host; content:"91.92.243.86"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260397; rev:1;) alert tcp $HOME_NET any -> [91.92.243.86] 8000 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260398; rev:1;) alert tcp $HOME_NET any -> [91.92.246.165] 443 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mypony.nl"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/saat.apk"; depth:9; nocase; http.host; content:"91.92.246.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; 
classtype:trojan-activity; sid:91260396; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260125; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"flashl.tw"; depth:9; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1260402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flashl.tw"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260403; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 37732 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260395; rev:1;) alert tcp $HOME_NET any -> [211.194.139.155] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260394; rev:1;) alert tcp $HOME_NET any -> [46.246.84.12] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dist2118.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260392; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loki/five/fre.php"; depth:18; nocase; http.host; content:"mypony.nl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260391; rev:1;) alert tcp $HOME_NET any -> [191.82.238.74] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260390; rev:1;) alert tcp $HOME_NET any -> [158.247.236.255] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260389; rev:1;) alert tcp $HOME_NET any -> [120.26.136.167] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260388; rev:1;) alert tcp $HOME_NET any -> [103.200.124.198] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260387; rev:1;) alert tcp $HOME_NET any -> [5.189.159.115] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260386; rev:1;) alert tcp $HOME_NET any -> [2.56.245.124] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpoint.micromoto.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260384; rev:1;) alert tcp $HOME_NET any -> [64.227.107.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3bbf"; depth:5; nocase; http.host; content:"www.stylejason.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260382; rev:1;) alert tcp $HOME_NET any -> [47.245.37.54] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260381/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260381; rev:1;) alert tcp $HOME_NET any -> [8.222.209.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260380; rev:1;) alert tcp $HOME_NET any -> [123.60.93.91] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathawaya.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260378; rev:1;) alert tcp $HOME_NET any -> [47.104.213.26] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260377; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260375; rev:1;) alert tcp $HOME_NET any -> [8.141.13.130] 8099 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260376; rev:1;) alert tcp $HOME_NET any -> [20.222.185.152] 25651 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260072; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 73 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260073; rev:1;) alert tcp $HOME_NET any -> [94.228.168.60] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260074; rev:1;) alert tcp $HOME_NET any -> [206.189.49.14] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"spagetti.openproxylist.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260124/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_22; classtype:trojan-activity; sid:91260124; rev:1;) alert tcp $HOME_NET any -> [93.123.39.96] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260122; rev:1;) alert tcp $HOME_NET any -> [20.222.185.152] 9999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260121; rev:1;) alert tcp $HOME_NET any -> [14.225.219.227] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260120; rev:1;) alert tcp $HOME_NET any -> [80.66.75.9] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260119; rev:1;) alert tcp $HOME_NET any -> [109.205.213.98] 59087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260118; rev:1;) alert tcp $HOME_NET any -> [221.150.78.215] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260117; rev:1;) alert tcp $HOME_NET any -> [138.197.71.186] 38721 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260116; rev:1;) alert tcp $HOME_NET any -> [82.156.188.211] 41209 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260115; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 15000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260114; rev:1;) alert tcp $HOME_NET any -> [124.220.212.252] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260113; rev:1;) alert tcp $HOME_NET any -> [80.66.75.52] 44433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260112; rev:1;) alert tcp 
$HOME_NET any -> [147.78.47.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260111; rev:1;) alert tcp $HOME_NET any -> [45.32.100.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260110; rev:1;) alert tcp $HOME_NET any -> [80.112.42.92] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260109; rev:1;) alert tcp $HOME_NET any -> [2.58.56.99] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260108; rev:1;) alert tcp $HOME_NET any -> [94.156.64.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260107; rev:1;) alert tcp $HOME_NET any -> [94.156.64.152] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260106/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260106; rev:1;) alert tcp $HOME_NET any -> [123.127.192.55] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260105; rev:1;) alert tcp $HOME_NET any -> [103.26.77.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260104; rev:1;) alert tcp $HOME_NET any -> [213.1.229.142] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260103; rev:1;) alert tcp $HOME_NET any -> [193.142.146.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260102; rev:1;) alert tcp $HOME_NET any -> [197.119.238.232] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260101; rev:1;) alert tcp $HOME_NET any -> [95.165.149.124] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260100; rev:1;) alert tcp $HOME_NET any -> [77.221.151.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260099; rev:1;) alert tcp $HOME_NET any -> [116.203.15.80] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260098; rev:1;) alert tcp $HOME_NET any -> [77.105.162.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260097; rev:1;) alert tcp $HOME_NET any -> [193.222.96.234] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260096; rev:1;) alert tcp $HOME_NET any -> [45.85.117.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260095; rev:1;) alert tcp $HOME_NET any -> 
[38.180.142.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260094; rev:1;) alert tcp $HOME_NET any -> [5.182.210.52] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260093; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260092; rev:1;) alert tcp $HOME_NET any -> [5.42.92.89] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260091; rev:1;) alert tcp $HOME_NET any -> [94.98.233.242] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260090; rev:1;) alert tcp $HOME_NET any -> [94.98.235.90] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260089/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_04_22; classtype:trojan-activity; sid:91260089; rev:1;) alert tcp $HOME_NET any -> [41.46.230.155] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260088; rev:1;) alert tcp $HOME_NET any -> [172.111.139.205] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260087; rev:1;) alert tcp $HOME_NET any -> [24.24.236.97] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260086; rev:1;) alert tcp $HOME_NET any -> [172.111.139.88] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260085; rev:1;) alert tcp $HOME_NET any -> [172.111.159.146] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260084; rev:1;) alert tcp $HOME_NET any -> [103.125.189.138] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260083; rev:1;) alert tcp $HOME_NET any -> [72.202.37.223] 2181 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260082; rev:1;) alert tcp $HOME_NET any -> [139.162.49.139] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260081; rev:1;) alert tcp $HOME_NET any -> [134.209.99.16] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260080; rev:1;) alert tcp $HOME_NET any -> [45.142.215.143] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260079; rev:1;) alert tcp $HOME_NET any -> [45.142.213.91] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260078; rev:1;) alert tcp 
$HOME_NET any -> [109.107.171.138] 3791 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260077; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 9091 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260076; rev:1;) alert tcp $HOME_NET any -> [193.233.132.222] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"kh1.userjoy.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kh1.userjoy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yamaxun.blog"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/v4.01/qgqtnora"; depth:25; nocase; http.host; content:"yamaxun.blog"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260068; rev:1;) alert tcp $HOME_NET any -> [171.80.235.140] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260067; rev:1;) alert tcp $HOME_NET any -> [47.98.97.75] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260066; rev:1;) alert tcp $HOME_NET any -> [80.133.66.162] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260065; rev:1;) alert tcp $HOME_NET any -> [45.74.46.58] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260064/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260064; rev:1;) alert tcp $HOME_NET any -> [167.71.105.169] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260063; rev:1;) alert tcp $HOME_NET any -> [3.105.212.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260062; rev:1;) alert tcp $HOME_NET any -> [207.231.109.20] 808 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260061; rev:1;) alert tcp $HOME_NET any -> [45.137.155.47] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260060; rev:1;) alert tcp $HOME_NET any -> [78.161.0.177] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260059; rev:1;) alert tcp $HOME_NET any -> [136.175.8.35] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260058; rev:1;) alert tcp $HOME_NET any -> [136.175.8.35] 444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260057; rev:1;) alert tcp $HOME_NET any -> [156.194.116.198] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_22; classtype:trojan-activity; sid:91260056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sig.exe"; depth:8; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260054; rev:1;) alert tcp $HOME_NET any -> [87.120.84.140] 80 (msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260055; rev:1;) alert tcp $HOME_NET any -> [87.120.84.140] 7702 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260051/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_22; classtype:trojan-activity; sid:91260051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cryptonrat.exe"; depth:15; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yk.exe"; depth:7; nocase; http.host; content:"87.120.84.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260053; rev:1;) alert tcp $HOME_NET any -> [31.41.44.109] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.76"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.111"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1227169762392674387/1231867622568493086/ikacvgbsewoudhywk67.bin"; depth:76; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cfekrthdtjivs63.bin"; depth:20; nocase; http.host; content:"172.93.222.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260044; rev:1;) alert tcp $HOME_NET any -> [172.93.222.219] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260045; rev:1;) alert tcp $HOME_NET any -> [209.90.234.20] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260046; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/low70sql/updatecdn/lowtemporarypython/eternaluploads3geo/8/eternallinetracktemp.php"; depth:84; nocase; http.host; content:"185.221.198.248"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260043; rev:1;) alert tcp $HOME_NET any -> [45.141.87.215] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1488.winstate.cc"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1488.winstate.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-k43f6rw9-1308954353.kr.apigw.tencentcs.com"; depth:50; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6b789950.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6437cf8a.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccc.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"idc.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pay.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260031/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_22; classtype:trojan-activity; sid:91260031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.de"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.sjys6.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"744fbc05.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sjys6.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sjys6.sbs"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"sjys6.sbs"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whcdn.sjys66.me"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ppa.sjys66.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbd9d414.sjys66.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2762da3f.sjys6.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1260026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/view.php"; depth:9; 
nocase; http.host; content:"radiotvcachay.cl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/locals.txt"; depth:11; nocase; http.host; content:"kurkcu-dukkani.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/personalmessage.php"; depth:20; nocase; http.host; content:"professionalwonders.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2345703467245762476247.txt"; depth:27; nocase; http.host; content:"extendaloan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260023; rev:1;) alert tcp $HOME_NET any -> [194.99.21.34] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260018; 
rev:1;) alert tcp $HOME_NET any -> [77.221.151.38] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260019; rev:1;) alert tcp $HOME_NET any -> [94.156.79.100] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260017; rev:1;) alert tcp $HOME_NET any -> [37.60.245.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260016; rev:1;) alert tcp $HOME_NET any -> [47.109.137.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260015; rev:1;) alert tcp $HOME_NET any -> [175.178.54.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260014; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 16969 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260004/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91260004; rev:1;) alert tcp $HOME_NET any -> [116.203.15.80] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260012; rev:1;) alert tcp $HOME_NET any -> [23.88.47.9] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260009; rev:1;) alert tcp $HOME_NET any -> [116.202.190.202] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260010; rev:1;) alert tcp $HOME_NET any -> [95.217.29.215] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.164.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.190.202"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1260005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260005; rev:1;) alert tcp $HOME_NET any -> [172.160.240.225] 8976 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260003/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260003; rev:1;) alert tcp $HOME_NET any -> [91.92.247.15] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260002; rev:1;) alert tcp $HOME_NET any -> [210.56.49.230] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260001; rev:1;) alert tcp $HOME_NET any -> [203.189.234.25] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1260000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91260000; rev:1;) alert tcp $HOME_NET any -> [103.254.73.247] 63305 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259999; rev:1;) alert tcp $HOME_NET any -> [51.68.169.120] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259998; rev:1;) alert tcp $HOME_NET any -> [103.249.112.118] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259997/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_22; classtype:trojan-activity; sid:91259997; rev:1;) alert tcp $HOME_NET any -> [94.131.9.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259996; rev:1;) alert tcp $HOME_NET any -> [31.129.98.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259995; rev:1;) alert tcp $HOME_NET any -> [2.58.56.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259994; rev:1;) alert tcp $HOME_NET any -> [185.216.70.189] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259993; rev:1;) alert tcp $HOME_NET any -> [23.94.66.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259992; rev:1;) alert 
tcp $HOME_NET any -> [8.212.183.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259991; rev:1;) alert tcp $HOME_NET any -> [20.240.192.104] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259990; rev:1;) alert tcp $HOME_NET any -> [199.192.192.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259989; rev:1;) alert tcp $HOME_NET any -> [175.10.46.187] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259988; rev:1;) alert tcp $HOME_NET any -> [69.159.0.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259987; rev:1;) alert tcp $HOME_NET any -> [45.137.155.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259986/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259986; rev:1;) alert tcp $HOME_NET any -> [146.190.60.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259985; rev:1;) alert tcp $HOME_NET any -> [80.71.149.154] 8686 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259984; rev:1;) alert tcp $HOME_NET any -> [94.6.155.2] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259983; rev:1;) alert tcp $HOME_NET any -> [38.173.107.201] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259982; rev:1;) alert tcp $HOME_NET any -> [61.182.130.108] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259981; rev:1;) alert tcp $HOME_NET any -> [3.223.6.69] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259980; rev:1;) alert tcp $HOME_NET any -> [185.99.133.34] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259970; rev:1;) alert tcp $HOME_NET any -> [93.123.85.69] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259958; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259968; rev:1;) alert tcp $HOME_NET any -> [185.99.133.5] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259969; rev:1;) alert tcp $HOME_NET any -> [185.99.133.18] 5667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259971; rev:1;) alert tcp $HOME_NET any -> [185.99.133.173] 5667 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cecilioisbetter.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thisisnotabotnet.pirate"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259974; rev:1;) alert tcp $HOME_NET any -> [103.237.87.90] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259957; rev:1;) alert tcp $HOME_NET any -> [5.181.156.177] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259979; rev:1;) alert tcp $HOME_NET any -> [162.55.134.240] 9001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bettertraffic2/cdn8secure/temporaryapivoiddb5/8uploads2/private/vm/dumpcpuprivate/protecttest3/externalimagevmjs.php"; depth:118; nocase; http.host; content:"185.43.4.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259978; rev:1;) alert tcp $HOME_NET any -> [45.89.53.206] 4663 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259977; rev:1;) alert tcp $HOME_NET any -> [194.26.192.196] 1610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjmkdc/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_22; classtype:trojan-activity; sid:91259975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.56.180.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_22; classtype:trojan-activity; sid:91259967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mylibs.js"; depth:10; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259966; rev:1;) alert tcp $HOME_NET any -> [111.229.214.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hrmregister/corptrial/get_permission"; depth:37; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259964/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"111.6.56.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/micro_app/get_org_app"; depth:30; nocase; http.host; content:"183.232.189.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omp/api/get_page_config"; depth:24; nocase; http.host; content:"111.51.156.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.95.65.198"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259959; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"89.105.201.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259956; rev:1;) alert tcp $HOME_NET any -> [185.112.249.40] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259955; rev:1;) alert tcp $HOME_NET any -> [202.61.85.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259858/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259858; rev:1;) alert tcp $HOME_NET any -> [202.61.85.57] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259857; rev:1;) alert tcp $HOME_NET any -> [87.120.84.220] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259856; rev:1;) alert tcp $HOME_NET any -> [45.77.177.125] 2053 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259855; rev:1;) alert tcp $HOME_NET any -> [172.104.102.237] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259854; rev:1;) alert tcp $HOME_NET any -> [61.128.153.112] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259853; rev:1;) alert tcp $HOME_NET any -> [3.27.90.144] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cuponerachilanga.com"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apieventemitter.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arpsychotherapy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"vud.register.arpsychotherapy.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; 
sid:91259842; rev:1;) alert tcp $HOME_NET any -> [85.204.116.161] 25561 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"register.arpsychotherapy.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259840; rev:1;) alert tcp $HOME_NET any -> [103.174.73.190] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259837; rev:1;) alert tcp $HOME_NET any -> [5.181.190.250] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sonicglyder.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"illitluckygirl.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/underwars.rar"; depth:24; nocase; http.host; content:"under-wars.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259825; rev:1;) alert tcp $HOME_NET any -> [62.72.191.247] 777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"under-wars.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259811; rev:1;) alert tcp $HOME_NET any -> [98.66.170.171] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecurs.ro"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259757; rev:1;) alert tcp $HOME_NET any -> [195.20.16.134] 46690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1231360292168929434/1231360436591399053/sonic-glyder.zip"; depth:69; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259847; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cv76387.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259850; rev:1;) alert tcp $HOME_NET any -> [5.53.20.184] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259835; rev:1;) alert tcp $HOME_NET any -> [54.224.170.33] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259833/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259833; rev:1;) alert tcp $HOME_NET any -> [106.53.162.128] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259834; rev:1;) alert tcp $HOME_NET any -> [42.118.144.192] 9000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259832; rev:1;) alert tcp $HOME_NET any -> [185.125.50.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259831; rev:1;) alert tcp $HOME_NET any -> [95.164.3.243] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259830; rev:1;) alert tcp $HOME_NET any -> [91.92.250.96] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259829; rev:1;) alert tcp $HOME_NET any -> [128.90.123.67] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259823; rev:1;) alert tcp $HOME_NET any -> [193.111.125.200] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259824; rev:1;) alert tcp $HOME_NET any -> [2.29.196.40] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259815; rev:1;) alert tcp $HOME_NET any -> [45.88.186.62] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259816; rev:1;) alert tcp $HOME_NET any -> [45.141.215.159] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259817; rev:1;) alert tcp $HOME_NET any -> [46.246.80.15] 9004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259818; rev:1;) alert tcp $HOME_NET any -> 
[51.195.94.205] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259819; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259820; rev:1;) alert tcp $HOME_NET any -> [51.195.94.205] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259821; rev:1;) alert tcp $HOME_NET any -> [95.7.175.50] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259822; rev:1;) alert tcp $HOME_NET any -> [159.89.124.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259810/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_21; classtype:trojan-activity; sid:91259810; rev:1;) alert tcp $HOME_NET any -> [154.44.26.34] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259809/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259809; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 40032 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259808; rev:1;) alert tcp $HOME_NET any -> [103.234.72.70] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259807; rev:1;) alert tcp $HOME_NET any -> [103.195.6.60] 54230 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259806; rev:1;) alert tcp $HOME_NET any -> [89.187.28.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259805; rev:1;) alert tcp $HOME_NET any -> [107.150.47.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259804; rev:1;) alert tcp $HOME_NET any -> [54.169.155.216] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259803; rev:1;) alert tcp $HOME_NET any -> [185.216.117.38] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259802; rev:1;) alert tcp $HOME_NET any -> [23.133.216.223] 16993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259801; rev:1;) alert tcp $HOME_NET any -> [154.29.149.248] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259800; rev:1;) alert tcp $HOME_NET any -> [144.34.170.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259799; rev:1;) alert tcp $HOME_NET any -> [156.242.40.198] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259798; rev:1;) alert tcp $HOME_NET any -> [185.236.231.201] 52589 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259797; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259795; rev:1;) alert tcp $HOME_NET any -> [62.204.41.11] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259796; rev:1;) alert tcp $HOME_NET any -> [154.3.1.252] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259794; rev:1;) alert tcp $HOME_NET any -> [185.62.56.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259793; rev:1;) alert tcp $HOME_NET any -> [172.121.5.230] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259792; rev:1;) alert tcp $HOME_NET any -> [154.204.178.55] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259791; rev:1;) alert tcp $HOME_NET any -> [146.70.188.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylejason.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infected2.ps1"; depth:14; nocase; http.host; content:"156.247.14.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/infect.ps1"; depth:11; nocase; http.host; content:"156.247.14.253"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259787; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259785; rev:1;) alert tcp $HOME_NET any -> [156.247.14.253] 50038 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hcy5bcw8-1317301829.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259784; rev:1;) alert tcp $HOME_NET any -> [154.205.138.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259783; rev:1;) alert tcp $HOME_NET any -> [206.166.251.32] 25568 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; 
classtype:trojan-activity; sid:91259782; rev:1;) alert tcp $HOME_NET any -> [156.242.42.194] 4396 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.citriix.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259780; rev:1;) alert tcp $HOME_NET any -> [82.197.93.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259779; rev:1;) alert tcp $HOME_NET any -> [156.224.25.183] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259778; rev:1;) alert tcp $HOME_NET any -> [45.116.79.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259777; rev:1;) alert tcp $HOME_NET any -> [43.129.23.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259776; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259774; rev:1;) alert tcp $HOME_NET any -> [107.175.158.78] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259775; rev:1;) alert tcp $HOME_NET any -> [107.172.159.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259773; rev:1;) alert tcp $HOME_NET any -> [23.94.169.124] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259772; rev:1;) alert tcp $HOME_NET any -> [47.89.225.2] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259770; rev:1;) 
alert tcp $HOME_NET any -> [47.76.153.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259769; rev:1;) alert tcp $HOME_NET any -> [8.218.236.5] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259768; rev:1;) alert tcp $HOME_NET any -> [8.217.10.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259767; rev:1;) alert tcp $HOME_NET any -> [120.46.201.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259766; rev:1;) alert tcp $HOME_NET any -> [123.57.167.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259765; rev:1;) alert tcp $HOME_NET any -> [47.120.46.170] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259764; rev:1;) alert tcp $HOME_NET any -> [47.97.29.241] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259763; rev:1;) alert tcp $HOME_NET any -> [47.96.72.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259762; rev:1;) alert tcp $HOME_NET any -> [47.92.221.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259761; rev:1;) alert tcp $HOME_NET any -> [8.137.114.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259760; rev:1;) alert tcp $HOME_NET any -> [150.158.13.117] 18888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259759; rev:1;) alert tcp $HOME_NET any -> [1.13.175.135] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259755; rev:1;) alert tcp $HOME_NET any -> [64.188.18.137] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259753; rev:1;) alert tcp $HOME_NET any -> [195.10.205.79] 30525 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"34844.clmonth.nyashteam.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259751; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.116.33.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259749; rev:1;) alert tcp $HOME_NET any -> [38.147.171.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"38.147.171.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259747; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 32934 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"quotes-nl.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259746; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259743; rev:1;) alert tcp $HOME_NET any -> [162.252.175.197] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259744; rev:1;) alert tcp $HOME_NET any -> [71.88.240.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259742; rev:1;) alert tcp $HOME_NET any -> [172.104.172.74] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259741; rev:1;) alert tcp $HOME_NET any -> [185.150.26.240] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259740/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_21; classtype:trojan-activity; sid:91259740; rev:1;) alert tcp $HOME_NET any -> [45.137.155.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259739; rev:1;) alert tcp $HOME_NET any -> [15.222.252.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259738; rev:1;) alert tcp $HOME_NET any -> [31.220.80.82] 1234 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259737; rev:1;) alert tcp $HOME_NET any -> [34.142.80.46] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259736; rev:1;) alert tcp $HOME_NET any -> [141.195.112.200] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259735; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8085 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_21; classtype:trojan-activity; sid:91259734; rev:1;) alert tcp $HOME_NET any -> [85.204.116.161] 25565 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"other-tours.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259721; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259540; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 58503 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259542/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"basic-values.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259543; rev:1;) alert tcp $HOME_NET any 
-> [147.185.221.19] 32481 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_21; classtype:trojan-activity; sid:91259720; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259727; rev:1;) alert tcp $HOME_NET any -> [34.159.237.198] 6667 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259728; rev:1;) alert tcp $HOME_NET any -> [51.81.85.213] 8888 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259729; rev:1;) alert tcp $HOME_NET any -> [91.92.245.231] 56648 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.13.134"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1259538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.87.155"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1259539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259539; rev:1;) alert tcp $HOME_NET any -> [146.70.40.235] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_21; classtype:trojan-activity; sid:91259545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"175.178.160.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259732; rev:1;) alert tcp $HOME_NET any -> [186.102.167.18] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259731; rev:1;) alert tcp $HOME_NET any -> [87.251.67.92] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259726/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_20; classtype:trojan-activity; sid:91259726; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259725; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259724; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259723; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259722; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259718; rev:1;) alert tcp $HOME_NET any -> [45.66.248.122] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259719; rev:1;) alert tcp $HOME_NET any -> [91.151.95.157] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259717; rev:1;) alert tcp $HOME_NET any -> [87.120.84.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259716; rev:1;) alert tcp $HOME_NET any -> [3.34.122.177] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259715; rev:1;) alert tcp $HOME_NET any -> [109.120.177.43] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259714; rev:1;) alert tcp $HOME_NET any -> [120.77.11.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259713; rev:1;) alert tcp $HOME_NET any -> 
[1.13.175.135] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259712; rev:1;) alert tcp $HOME_NET any -> [16.163.148.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259711; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259710; rev:1;) alert tcp $HOME_NET any -> [142.11.201.10] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259709; rev:1;) alert tcp $HOME_NET any -> [4.227.63.81] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259708; rev:1;) alert tcp $HOME_NET any -> [210.3.101.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259707/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259707; rev:1;) alert tcp $HOME_NET any -> [45.9.148.192] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259706; rev:1;) alert tcp $HOME_NET any -> [45.9.148.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.204.193.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259704; rev:1;) alert tcp $HOME_NET any -> [45.9.168.238] 1984 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259544; rev:1;) alert tcp $HOME_NET any -> [83.196.78.85] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259541; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 
11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259536; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259537; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259535; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11720 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259534; rev:1;) alert tcp $HOME_NET any -> [91.92.255.61] 9817 (msg:"ThreatFox PureLogs Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259532; rev:1;) alert tcp $HOME_NET any -> [194.187.251.115] 14645 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259533/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo2.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo.jpg"; depth:13; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"public-ftp.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/logo3.jpg"; depth:14; nocase; http.host; content:"public-ftp.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/zzv3"; depth:5; nocase; http.host; content:"118.89.125.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259531; rev:1;)
#
# Reviewer notes on the three rule templates used in this section of the feed
# (ip:port / url / domain), so the alerts are read correctly:
#
# * url rules: the http.host match is anchored at offset 0 (depth equals the
#   pattern length) and closed with isdataat:!1,relative, so the Host header
#   must be exactly the listed value ("www." and apex forms are separate sids).
#   The http.uri match is anchored at offset 0 but is NOT closed, so it is a
#   prefix match: "/api" also fires on "/api/..." or "/apiX". nocase applies to
#   both the URI and the host pattern.
# * domain rules: dns_query is matched exactly (same anchoring as the host
#   match above) and fires on the lookup itself, before any connection is made
#   and even if resolution fails - treat a hit as "attempted", not "established".
# * ip:port rules carry no flow: keyword, so a single unanswered SYN to the
#   listed destination:port is enough to alert. threshold type limit,
#   track by_src, seconds 60, count 1 then caps output at one alert per
#   internal source per minute; repeats inside that window are not reported.
# * every rule is outbound ($HOME_NET -> destination) with target:src_ip, so
#   the internal client is recorded as the victim in EVE output.
# * the 50%-confidence ip:port entries further down point at busy ports
#   (80/443/445/8443) and, judging by the address ranges, possibly at shared
#   cloud hosting - expect noise there and corroborate with the referenced
#   ThreatFox page before turning any of them into a block.
#
alert tcp $HOME_NET any -> [118.89.125.171] 886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259528; rev:1;)
alert tcp $HOME_NET any -> [106.54.236.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259529; rev:1;)
# The nine .shop domains below (sids 91259494-91259502) are matched again as
# http.host + "/api" url rules later in this section (sids 91259485-91259493);
# a DNS hit followed by a url hit from the same source is the strong signal.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"harassretunrstiwo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"productivelookewr.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259495; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tolerateilusidjukl.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259496; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shatterbreathepsw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shortsvelventysjo.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259498; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"incredibleextedwj.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alcojoldwograpciw.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilitynighstjsko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259501; rev:1;)
# NOTE(review): 193.222.96.128, 193.222.96.20 and 193.222.96.114 below share
# port 7287 and the same /.hta, /*.bat, /*.apk payload paths; that looks like
# one operator's hosting block, so correlating hits across these sids (and
# watching the surrounding range) is worthwhile - confirm on the ThreatFox pages.
alert tcp $HOME_NET any -> [193.222.96.128] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259503; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"demonstationfukewko.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259502; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/15.bat"; depth:7; nocase; http.host; content:"193.222.96.128"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259505; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security.apk"; depth:13; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securitypro.apk"; depth:16; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259509; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.20] 7287 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securityvpro.apk"; depth:17; nocase; http.host; content:"193.222.96.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259508; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogi.bat"; depth:9; nocase; http.host; content:"193.222.96.114"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259516; rev:1;)
alert tcp $HOME_NET any -> [101.78.63.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259521; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.114] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259519; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.20] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uphqey"; depth:7; nocase; http.host; content:"101.78.63.44"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259520; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.20] 7772 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259523; rev:1;)
# The four 75% domain rules below cover the "www." and apex forms of two
# ordinary-looking .com names as separate sids; because the match is exact,
# disabling one form does not silence the other. Confidence is 75%, so a hit
# is a lead to check against the referenced ThreatFox entry, not a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.collegeclubapparel.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259436/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"collegeclubapparel.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259437; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.blueberry-breeze.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259438; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blueberry-breeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259439; rev:1;)
alert tcp $HOME_NET any -> [4.184.225.183] 30592 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259440; rev:1;)
alert tcp $HOME_NET any -> [209.126.11.251] 31618 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259442; rev:1;)
# "/bnz5/" is only matched with the exact "www." host here (and again with
# "www.collegeclubapparel.com" further down); a request to the apex host with
# the same path does not hit either url sid, only the domain sids above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.blueberry-breeze.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259435/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259435; rev:1;)
alert tcp $HOME_NET any -> [203.159.80.211] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259443; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.3] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259447; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.16] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259448; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.182] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259452; rev:1;)
# NOTE(review): the NjRAT entries below on 15422 / 10543 / 14390 sit on
# addresses that are probably rented cloud capacity (3.x / 18.x ranges) and
# may be re-assigned quickly; re-check the first_seen date against the feed
# update before acting on an ip:port hit alone.
alert tcp $HOME_NET any -> [18.158.249.75] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259449/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259449; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259450; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259457; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.103] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259453; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.223] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259454; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259456; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259458; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259459; rev:1;)
# NOTE(review): sids 91259460 and 91259461 are identical apart from sid and
# reference (two ThreatFox entries for the same GET /login on 5.101.4.196), so
# every matching request raises two alerts. Keep one, or suppress the other
# locally, to avoid double counting; the ip:port sid 91259463 covers 3790 only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259460; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.101.4.196"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259461; rev:1;)
alert tcp $HOME_NET any -> [5.101.4.196] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259463; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259411; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bnz5/"; depth:6; nocase; http.host; content:"www.collegeclubapparel.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259434/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_20; classtype:trojan-activity; sid:91259434; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.161] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259412; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.31] 777 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259418; rev:1;)
alert tcp $HOME_NET any -> [94.156.79.107] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259419; rev:1;)
alert tcp $HOME_NET any -> [45.178.6.2] 8090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259420; rev:1;)
alert tcp $HOME_NET any -> [195.62.32.227] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"svif-venezuela.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259410; rev:1;)
# NOTE(review): sids 91259163 and 91259164 are likewise duplicates of each
# other (GET /data.php on 94.131.101.153); same double-alert issue as
# 91259460/91259461 above. sid 91259165 is the same path on the go8et.lol
# host, which is also covered by the domain sid 91259168 below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"94.131.101.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259164; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259165; rev:1;)
alert tcp $HOME_NET any -> [94.131.101.153] 80 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259166; rev:1;)
alert tcp $HOME_NET any -> [94.131.101.153] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259167; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"go8et.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uf.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259169; rev:1;)
# The nine "/api" url rules below are prefix matches on the URI (depth:4 with
# no closing isdataat), so "/api/<anything>" on one of these exact hosts also
# fires; the host itself is the discriminating part. They pair with the
# dns_query sids 91259494-91259502 near the top of this section.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"demonstationfukewko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259493; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilitynighstjsko.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259492; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"alcojoldwograpciw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259491; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"incredibleextedwj.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259490; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shortsvelventysjo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259489; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"shatterbreathepsw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259488; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tolerateilusidjukl.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"productivelookewr.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"harassretunrstiwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259485; rev:1;)
# Everything from here to sid 91259464 is confidence 50 and mostly on
# well-known ports (80, 443, 445, 8443, 8080, 8888); with no flow: keyword an
# unanswered SYN already alerts. Good candidates for a lower priority or a
# separate threshold.config entry rather than for blocking on a single hit.
alert tcp $HOME_NET any -> [77.238.231.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259484; rev:1;)
alert tcp $HOME_NET any -> [13.213.45.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259483; rev:1;)
alert tcp $HOME_NET any -> [95.70.159.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259482; rev:1;)
alert tcp $HOME_NET any -> [45.152.66.244] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259481; rev:1;)
alert tcp $HOME_NET any -> [117.72.74.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259480; rev:1;)
alert tcp $HOME_NET any -> [45.32.111.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259479; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259478; rev:1;)
alert tcp $HOME_NET any -> [49.1.239.101] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259477; rev:1;)
alert tcp $HOME_NET any -> [5.15.236.59] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259476; rev:1;)
alert tcp $HOME_NET any -> [187.213.203.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259475; rev:1;)
# The two Responder entries are SMB (445) to an external address. An internal
# host opening outbound SMB at all is the anomaly worth investigating here,
# independent of which destination it was; egress filtering on 445 normally
# stops it, so a hit also indicates a gap in that control.
alert tcp $HOME_NET any -> [64.225.31.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259474; rev:1;)
alert tcp $HOME_NET any -> [185.64.247.78] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259473; rev:1;)
alert tcp $HOME_NET any -> [31.220.80.82] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259472; rev:1;)
alert tcp $HOME_NET any -> [43.143.170.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259471; rev:1;)
alert tcp $HOME_NET any -> [45.76.190.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259470; rev:1;)
alert tcp $HOME_NET any -> [109.120.178.253] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259469; rev:1;)
alert tcp $HOME_NET any -> [3.33.182.244] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259468; rev:1;)
alert tcp $HOME_NET any -> [3.146.206.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259467; rev:1;)
alert tcp $HOME_NET any -> [54.145.56.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259466; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259465; rev:1;)
alert tcp $HOME_NET any -> [172.96.137.224] 8088 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_20; classtype:trojan-activity; sid:91259464; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 33547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259462; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipejavascriptwordpress.php"; depth:28; nocase; http.host; content:"betabag.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259455; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.112] 17752 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259451; rev:1;)
# 3306 is the default MySQL port; the RedLine ip:port entry below will also
# catch legitimate database clients that happen to reach this address, so
# check the source host's role before escalating a single alert.
alert tcp $HOME_NET any -> [116.203.6.63] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_20; classtype:trojan-activity; sid:91259446; rev:1;)
# first_seen switches to 2024_04_19 from here on; the url sid 91259445 shares
# its host with the Loki PWS ip:port sid 91259452 above (94.156.65.182:80).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tomthf/cvghx/five/fre.php"; depth:26; nocase; http.host; content:"94.156.65.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259445; rev:1;)
alert tcp $HOME_NET any -> [41.142.212.85] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvm_cpugamewindows.php"; depth:30; nocase; http.host; content:"109.107.182.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259441; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259432/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259432; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"106.54.236.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259430; rev:1;) alert tcp $HOME_NET any -> [106.54.236.42] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/v5.6/zz1qb9mls"; depth:21; nocase; http.host; content:"172.247.189.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; 
nocase; http.host; content:"zj.court.cn.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zj.court.cn.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"109.120.178.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259424; rev:1;) alert tcp $HOME_NET any -> [109.120.178.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259425; rev:1;) alert tcp $HOME_NET any -> [175.178.160.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/complete/pr/h6tcqrwr"; depth:21; nocase; http.host; content:"jxvtcm.cn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jxvtcm.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259422; rev:1;) alert tcp $HOME_NET any -> [64.227.147.74] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259415/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259415; rev:1;) alert tcp $HOME_NET any -> [146.19.143.84] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259416; rev:1;) alert tcp $HOME_NET any -> [91.149.219.102] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259417/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259417; rev:1;) alert tcp $HOME_NET any -> [66.63.188.141] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259413; rev:1;) alert tcp $HOME_NET any -> [185.112.249.13] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259414/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e609f91d.php"; depth:13; nocase; http.host; content:"a0938829.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259409; rev:1;) alert tcp $HOME_NET any -> [95.164.117.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259408; rev:1;) alert tcp $HOME_NET any -> [139.99.64.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259407; rev:1;) alert tcp $HOME_NET any -> [157.230.222.248] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259406; rev:1;) alert tcp $HOME_NET any -> [64.23.216.132] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259405; rev:1;) alert tcp $HOME_NET any -> [97.74.89.69] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259404; rev:1;) alert tcp $HOME_NET any -> [46.246.80.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259403; rev:1;) alert tcp $HOME_NET any -> [187.170.75.34] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259402; rev:1;) alert tcp $HOME_NET any -> [151.48.149.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259401; rev:1;) alert tcp $HOME_NET any -> [41.97.160.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259400; rev:1;) alert tcp $HOME_NET any -> [77.126.182.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259399; rev:1;) alert tcp $HOME_NET any -> [34.92.143.66] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259398; rev:1;) alert tcp $HOME_NET any -> [91.225.218.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259397; rev:1;) alert tcp $HOME_NET any -> [45.153.229.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259396; rev:1;) alert tcp $HOME_NET any -> [101.43.211.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259395; rev:1;) alert tcp $HOME_NET any -> [54.66.9.58] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259394; rev:1;) alert tcp $HOME_NET any -> [45.121.50.136] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259393; rev:1;) alert tcp $HOME_NET any -> [62.169.23.231] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259392; rev:1;) alert tcp $HOME_NET any -> [138.68.189.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259391; rev:1;) alert tcp $HOME_NET any -> [45.33.116.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259390; rev:1;) alert tcp $HOME_NET any -> [193.36.119.250] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259389; 
rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91259388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"co29474.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gs3p"; depth:5; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.120.39.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259171; rev:1;) alert tcp $HOME_NET any -> [47.120.39.182] 63306 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259170/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259170; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 25 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259041; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259039; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"go8et.lol"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259021/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91259021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"cuponerachilanga.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259019; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259042/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259042; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 993 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259043; rev:1;) alert tcp $HOME_NET any -> [185.73.124.164] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.oyoing.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259118/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_19; classtype:trojan-activity; sid:91259118; rev:1;) alert tcp $HOME_NET any -> [184.49.69.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.tyaer.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259120/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.megabet303.lol"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259116/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gnbc/"; depth:6; nocase; http.host; content:"www.tyaer.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.megabet303.lol"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259119/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91259119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.oyoing.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259121/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"megabet303.lol"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tyaer.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oyoing.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jemyy.theworkpc.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1259158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jemyy.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.108"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1259161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259161; rev:1;) alert tcp $HOME_NET any -> [94.156.71.108] 1604 (msg:"ThreatFox Houdini botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259160; rev:1;) alert tcp $HOME_NET any -> [109.248.151.106] 5401 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259162; rev:1;) alert tcp $HOME_NET any -> [206.237.6.174] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259157; rev:1;) alert tcp $HOME_NET any -> [193.222.96.128] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259156; rev:1;) alert tcp $HOME_NET any -> [193.222.96.114] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259155; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259152; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259153; rev:1;) alert tcp $HOME_NET any -> [171.249.233.153] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259154; rev:1;) alert tcp $HOME_NET any -> [112.65.51.10] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259149; rev:1;) alert tcp $HOME_NET any -> [121.36.248.151] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259150; rev:1;) alert tcp $HOME_NET any -> [121.40.222.45] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259151; rev:1;) alert tcp $HOME_NET any -> [47.95.158.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259147; rev:1;) alert tcp $HOME_NET any -> [101.42.51.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259148; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259146; rev:1;) alert tcp $HOME_NET any -> [177.102.67.47] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259145/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259145; rev:1;) alert tcp $HOME_NET any -> [108.46.243.201] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259144; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 1688 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259139; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259140; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259141; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2061 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259142; rev:1;) alert tcp $HOME_NET any -> [187.135.117.121] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259143; rev:1;) alert tcp $HOME_NET any -> [187.135.93.204] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259138; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 1933 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259134; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259135; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259136; rev:1;) alert tcp $HOME_NET any -> [187.135.91.233] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259137; rev:1;) alert tcp $HOME_NET any -> [81.136.90.1] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259133; rev:1;) alert tcp $HOME_NET any -> [196.74.150.120] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259132; rev:1;) alert tcp $HOME_NET any -> [198.23.227.175] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259131; rev:1;) alert tcp $HOME_NET any -> [172.111.169.67] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259130; rev:1;) alert tcp $HOME_NET any -> [172.111.148.95] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259129; rev:1;) alert tcp $HOME_NET any -> [148.163.101.182] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1259128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259128; rev:1;) alert tcp $HOME_NET any -> [128.90.103.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259127; rev:1;) alert tcp $HOME_NET any -> [87.121.105.252] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259126; rev:1;) alert tcp $HOME_NET any -> [46.246.80.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259125; rev:1;) alert tcp $HOME_NET any -> [45.88.90.224] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259115; rev:1;) alert tcp $HOME_NET any -> [91.92.255.248] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gardeniasupplies.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259113; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259111; rev:1;) alert tcp $HOME_NET any -> [79.132.128.96] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259112; rev:1;) alert tcp $HOME_NET any -> [77.221.151.31] 4444 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259110; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259108; rev:1;) alert tcp $HOME_NET any -> [83.97.73.157] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259109/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259109; rev:1;) alert tcp $HOME_NET any -> [206.188.197.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259107; rev:1;) alert tcp $HOME_NET any -> [18.217.214.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259106; rev:1;) alert tcp $HOME_NET any -> [13.40.36.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259105; rev:1;) alert tcp $HOME_NET any -> [3.71.70.1] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259104; rev:1;) alert tcp $HOME_NET any -> [89.251.22.32] 14791 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259103; rev:1;) alert tcp $HOME_NET any -> [209.222.0.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259102; rev:1;) alert tcp $HOME_NET any -> [45.76.178.151] 47889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259101; rev:1;) alert tcp $HOME_NET any -> [20.68.131.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259100; rev:1;) alert tcp $HOME_NET any -> [4.191.74.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259098; rev:1;) alert tcp $HOME_NET any -> [4.191.74.1] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259099; rev:1;) alert tcp $HOME_NET any -> [47.237.26.206] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91259095; rev:1;) alert tcp $HOME_NET any -> [47.242.4.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259096; rev:1;) alert tcp $HOME_NET any -> [147.139.7.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259097; rev:1;) alert tcp $HOME_NET any -> [8.210.32.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259092; rev:1;) alert tcp $HOME_NET any -> [8.218.8.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259093; rev:1;) alert tcp $HOME_NET any -> [8.218.21.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259094; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259085; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259086; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259087; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259088; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259089; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; 
sid:91259090; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259091; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259077; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259078; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259079; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259080; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259081; rev:1;) alert tcp $HOME_NET any -> [168.76.120.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259082; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259083; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259084; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259074; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259075; 
rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259076; rev:1;) alert tcp $HOME_NET any -> [168.76.255.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259073; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259069; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259070; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259071; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1259072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259072; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259067; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259068; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259062; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259063; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259064; rev:1;) alert tcp $HOME_NET any -> 
[168.76.120.119] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259065; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259066; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259056; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259057; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259058; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1259059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259059; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259060; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259061; rev:1;) alert tcp $HOME_NET any -> [157.230.254.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259055; rev:1;) alert tcp $HOME_NET any -> [128.199.207.8] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259054; rev:1;) alert tcp $HOME_NET any -> [121.37.41.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259053; rev:1;) alert tcp $HOME_NET any -> [121.40.67.130] 4433 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259052; rev:1;) alert tcp $HOME_NET any -> [143.244.162.41] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259051; rev:1;) alert tcp $HOME_NET any -> [120.24.171.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259050; rev:1;) alert tcp $HOME_NET any -> [101.37.13.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259049; rev:1;) alert tcp $HOME_NET any -> [47.120.12.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259048; rev:1;) alert tcp $HOME_NET any -> [47.120.10.216] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259047/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259047; rev:1;) alert tcp $HOME_NET any -> [47.113.194.22] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259046; rev:1;) alert tcp $HOME_NET any -> [47.113.104.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259038; rev:1;) alert tcp $HOME_NET any -> [47.101.37.46] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259037; rev:1;) alert tcp $HOME_NET any -> [47.100.244.166] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259036; rev:1;) alert tcp $HOME_NET any -> [39.108.234.47] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sign.mpeg"; depth:10; nocase; http.host; content:"easthoolbook.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259034/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259034; rev:1;) alert tcp $HOME_NET any -> [211.159.172.150] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259033; rev:1;) alert tcp $HOME_NET any -> [159.75.111.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-33y2vp0r-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259031; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259029; rev:1;) alert tcp $HOME_NET any -> [150.158.107.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259030; rev:1;) alert tcp $HOME_NET any -> [129.204.169.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259028; rev:1;) alert tcp $HOME_NET any -> [124.221.95.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"94.156.71.108"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259026; rev:1;) alert tcp $HOME_NET any -> [122.51.81.205] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259025; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 5901 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259023/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259023; rev:1;) alert tcp $HOME_NET any -> [43.142.170.25] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259024; rev:1;) alert tcp $HOME_NET any -> [43.136.220.38] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.176.38"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1259017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.120.178.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.197.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"37.221.93.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"svma.arcovip.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259012; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"it13.intelvpn.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ftp.huboftest.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mahdi.intelvpn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sam.coinmarketcap-tm.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259008; rev:1;) alert tcp $HOME_NET any -> [78.142.18.109] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259006; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259005; rev:1;) alert tcp $HOME_NET any -> [116.203.164.39] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_19; classtype:trojan-activity; sid:91259004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voiddbproviderserver6/auth/uploads/centralcentralline/7eternal/2_/temp/toupdategameflowertemporary.php"; depth:103; nocase; http.host; content:"minecrafthyipixel.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1259003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259003; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 29989 (msg:"ThreatFox MooBot 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91259002; rev:1;) alert tcp $HOME_NET any -> [52.37.96.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1259001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.installbootstrap.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1259000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91259000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.installbootstrap.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258999; rev:1;) alert tcp $HOME_NET any -> [149.104.24.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.7.0.min.js"; depth:20; nocase; http.host; content:"149.104.24.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258997; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.130.34.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsbhn.js"; depth:9; nocase; http.host; content:"23.94.169.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.91.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258993/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_19; classtype:trojan-activity; sid:91258993; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258992; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258991; rev:1;) alert tcp $HOME_NET any -> [204.12.199.30] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"visit.startfinishthis.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy.heleh.vn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.vptmedia.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.paintmc.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258987; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yeuemvcl.cltxhot.fun"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258988; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xd.ubnutu.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258980; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lon.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loz.vani.ovh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258982; rev:1;) alert tcp $HOME_NET any -> [93.123.85.170] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killler.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258976; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aomacamada.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258977; rev:1;) alert tcp $HOME_NET any -> [57.128.155.22] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258969; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8896 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258970; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8895 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258971; rev:1;) alert tcp $HOME_NET any -> [194.48.251.9] 8890 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rootme.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258964; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.218.236.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g88sks2sam/index.php"; depth:21; 
nocase; http.host; content:"91.202.233.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258962; rev:1;) alert tcp $HOME_NET any -> [94.131.107.85] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258961; rev:1;) alert tcp $HOME_NET any -> [94.156.79.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258960; rev:1;) alert tcp $HOME_NET any -> [188.166.138.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258959; rev:1;) alert tcp $HOME_NET any -> [178.128.196.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258958; rev:1;) alert tcp $HOME_NET any -> [146.56.237.36] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; 
classtype:trojan-activity; sid:91258957; rev:1;) alert tcp $HOME_NET any -> [93.95.231.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258956; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258955; rev:1;) alert tcp $HOME_NET any -> [41.96.151.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258954; rev:1;) alert tcp $HOME_NET any -> [137.184.61.218] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258953; rev:1;) alert tcp $HOME_NET any -> [35.89.154.15] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258952; rev:1;) alert tcp $HOME_NET any -> [194.87.106.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258951; rev:1;) alert tcp $HOME_NET any -> [178.128.134.221] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258950; rev:1;) alert tcp $HOME_NET any -> [138.197.134.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258949; rev:1;) alert tcp $HOME_NET any -> [20.186.89.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258948; rev:1;) alert tcp $HOME_NET any -> [151.236.16.48] 47163 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258947; rev:1;) alert tcp $HOME_NET any -> [194.87.252.12] 4443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258946; rev:1;) alert tcp $HOME_NET any -> [121.43.94.2] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258945; rev:1;) alert tcp $HOME_NET any -> [43.140.251.2] 9999 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_19; classtype:trojan-activity; sid:91258944; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258937; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258938; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17393 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258939; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258940; rev:1;) alert 
tcp $HOME_NET any -> [18.158.249.75] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258941; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 15296 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_19; classtype:trojan-activity; sid:91258942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0945069.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"esdjasd.maxkrnldc.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_19; classtype:trojan-activity; sid:91258936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"43.143.168.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258935/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/minyhug/fxgsfhsdtytdjfudyjfjewrwsejyt/panel/five/fre.php"; depth:57; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258933; rev:1;) alert tcp $HOME_NET any -> [103.186.117.171] 1188 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258932; rev:1;) alert tcp $HOME_NET any -> [134.122.109.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258931; rev:1;) alert tcp $HOME_NET any -> [168.76.120.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258930; rev:1;) alert tcp $HOME_NET any -> [168.76.120.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258929; rev:1;) alert tcp $HOME_NET any -> [114.55.100.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258928; rev:1;) alert tcp $HOME_NET any -> [122.51.79.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258927; rev:1;) alert tcp $HOME_NET any -> [94.156.10.208] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258926; rev:1;) alert tcp $HOME_NET any -> [188.48.107.177] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258925; rev:1;) alert tcp $HOME_NET any -> 
[41.129.161.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258924; rev:1;) alert tcp $HOME_NET any -> [8.137.171.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258923; rev:1;) alert tcp $HOME_NET any -> [185.140.12.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258922; rev:1;) alert tcp $HOME_NET any -> [191.96.1.195] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258921; rev:1;) alert tcp $HOME_NET any -> [162.252.175.170] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258920; rev:1;) alert tcp $HOME_NET any -> [203.96.177.103] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258919/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_18; classtype:trojan-activity; sid:91258919; rev:1;) alert tcp $HOME_NET any -> [89.175.170.211] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258918; rev:1;) alert tcp $HOME_NET any -> [39.173.112.177] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258917/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258917; rev:1;) alert tcp $HOME_NET any -> [185.170.144.142] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258916; rev:1;) alert tcp $HOME_NET any -> [159.100.6.45] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258915/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258915; rev:1;) alert tcp $HOME_NET any -> [31.129.57.189] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258914; rev:1;) alert tcp $HOME_NET any -> [172.104.110.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258913; rev:1;) alert tcp $HOME_NET any -> [174.138.179.149] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258912; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258911; rev:1;) alert tcp $HOME_NET any -> [151.115.72.13] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258910; rev:1;) alert tcp $HOME_NET any -> [188.208.197.140] 5906 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"theatergenerationju.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258697; 
rev:1;) alert tcp $HOME_NET any -> [103.79.76.40] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258698/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258698; rev:1;) alert tcp $HOME_NET any -> [103.201.130.11] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258699; rev:1;) alert tcp $HOME_NET any -> [37.27.87.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258694; rev:1;) alert tcp $HOME_NET any -> [23.88.47.9] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.47.9"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.87.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"38.180.94.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258656/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qkbfjbvzspkeqfs/hachgecttvyetqz.php"; depth:36; nocase; http.host; content:"15731.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258657/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258657; rev:1;) alert tcp $HOME_NET any -> [38.180.94.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258658/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"15731.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258659/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258659; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 25%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.slationo.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258660/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"www.slationo.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258661/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 25%)"; dns_query; content:"slationo.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258662/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_18; classtype:trojan-activity; sid:91258662; rev:1;) alert tcp $HOME_NET any -> [194.110.172.149] 7705 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258686; rev:1;) alert tcp $HOME_NET any -> [183.238.22.22] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258691/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258691; rev:1;) alert tcp $HOME_NET any -> [124.71.37.149] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258689; rev:1;) alert tcp $HOME_NET any -> [45.129.199.161] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258688/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258688; rev:1;) alert tcp $HOME_NET any -> [178.208.87.204] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 60%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258687/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_18; classtype:trojan-activity; sid:91258687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.250.45.130"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.214.98.73"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258683/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.96.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.222.96.186"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"20.55.63.136"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.51.234"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"3.79.194.172"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"35.246.183.49"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.48.251.136"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"134.122.109.15"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"107.173.140.104"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.216.51.35"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1258672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.61.80.57"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1258671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.211"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.185"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258669; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.255.105"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1258667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.33.191.105"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.210"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.254.16"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.78.103.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1258663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258655; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258653; rev:1;) alert tcp $HOME_NET any -> [123.207.50.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258652; rev:1;) alert tcp $HOME_NET any -> [146.70.86.229] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258651; rev:1;) alert tcp $HOME_NET any -> [146.70.86.229] 22 (msg:"ThreatFox Stealc botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258650; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chotsolo2nhay.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"countdownx.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dfyaudiobookprofits.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"difik.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exchangezone.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fins.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gcoat.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"glowchamps.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"impressionzone.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"islandbooking.info"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258632; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"istanbook.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lightmecha.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258634/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"maramoja.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258635/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mesdemarches.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258636/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mezcallero.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258637/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"mlmcompensationplanpdf.info"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258638/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"monambulanceprivee.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njnlcompany.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"oradifitness.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"progastrin.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"szekrekedes.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"techhooks.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"transystem.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258645/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vetownedhomeinspections.info"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258646/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wobilya.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258647/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"womansmedia.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yellowbooks.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258649/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cabobao3.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"durete.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"fuwer.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gyjyhyo8.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; 
content:"hofaty.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"intellipowerinc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"jurofye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"lyzupoy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"labljas.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mebumau.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258602/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mimerou.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"nevujo.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pubmass.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pucak.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"qeqady.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"riwesi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"simanay.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"suzabyu.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"sytukoe8.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vajosoo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vizewye.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vopytei.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"vpdpkli.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xirygiy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xmgpsmi.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"xuhyjoe5.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258618; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"zefos.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qtuc"; depth:5; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258622/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258622; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258621/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258621; rev:1;) alert tcp $HOME_NET any -> [195.181.245.38] 7966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bezizeo9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258558; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cemiwyi7.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cuxu.org"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"deqytuu9.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fazadoe.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fokeqi.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gejyg.org"; depth:9; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gihibml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258565/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gmsmwil.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258566/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hejoweo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jesebyy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"lmfpbpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luhuhu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258570/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmqsrsl.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258571/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mmtixmm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258572/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnsmsla.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"moxiroo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
75%)"; dns_query; content:"nurunia.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pisuxy.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poxof.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ppmpqii.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258578/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pydypu.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pubonao.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258579/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qazoryy.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qogmjlm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qoroh.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sobopnm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258584/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sumuta.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tapyjya.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"usprivatemoneylender.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vlbmqpm.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vnfmnmo.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wireoneinternet.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258590/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wpmlvii.org"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1258591/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zixirml.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dead-cheap-doma.in"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vl.php"; depth:7; nocase; http.host; content:"gihibml.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gihibml.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"prominencedigiworld.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"akshayascientifics.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"iespppomabamba.edu.pe"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.mlmigration.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"www.prottahobarta.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/hot-random-image/index.html"; depth:47; nocase; http.host; content:"rummyking24.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wzm.exe"; depth:8; nocase; http.host; content:"speedy34.myvnc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258548; rev:1;) alert tcp $HOME_NET any -> [43.138.222.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.138.222.123"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258546/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258546; rev:1;) alert tcp $HOME_NET any -> [168.76.131.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/update"; depth:7; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258538; rev:1;) alert tcp $HOME_NET any -> [94.156.8.57] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/x86"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1258541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/arm"; depth:4; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mips"; depth:5; nocase; http.host; content:"136.244.98.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258543; rev:1;) alert tcp $HOME_NET any -> [198.23.227.230] 7777 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.bzwl888.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bzwl888.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1258537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258537; rev:1;) alert tcp $HOME_NET any -> [85.239.55.70] 515 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258535/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258535; rev:1;) alert tcp $HOME_NET any -> [92.249.48.17] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258517/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258517; rev:1;) alert tcp $HOME_NET any -> [103.167.88.226] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258533; rev:1;) alert tcp $HOME_NET any -> [204.76.203.101] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"owo.p3pr00t.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"hi.p3pr00t.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p3pr00t.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doxbin.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayomirai.kro.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.atlasapi.co"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1258528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"superdomain.africa"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vivki.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epiddserica.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"santc.epiddserica.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ust.cx"; depth:6; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet2.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"graph.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirai.vani.ovh"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258521; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258516; rev:1;) alert tcp $HOME_NET any -> [45.59.170.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258515; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258514; rev:1;) alert tcp $HOME_NET any -> [168.76.120.86] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258513; rev:1;) alert tcp $HOME_NET any -> [168.76.120.121] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258512; rev:1;) alert tcp $HOME_NET any -> [168.76.120.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258511; rev:1;) alert tcp $HOME_NET any -> [168.76.120.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258510; rev:1;) alert tcp $HOME_NET any -> [150.158.139.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258509; rev:1;) alert tcp $HOME_NET any -> [168.76.120.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258508; rev:1;) alert tcp $HOME_NET any -> [119.91.141.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258507; rev:1;) alert tcp $HOME_NET any -> [168.76.120.118] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258506/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258506; rev:1;) alert tcp $HOME_NET any -> [1.92.114.234] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258505/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258505; rev:1;) alert tcp $HOME_NET any -> [77.124.180.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258504; rev:1;) alert tcp $HOME_NET any -> [197.83.246.191] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1258503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258503; rev:1;) alert tcp $HOME_NET any -> [149.109.240.100] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258502; rev:1;) alert tcp $HOME_NET any -> [103.249.112.118] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258501; rev:1;) alert tcp $HOME_NET any -> [185.196.11.251] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258500; rev:1;) alert tcp $HOME_NET any -> [80.78.22.18] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258499; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258498; rev:1;) alert tcp $HOME_NET any -> [49.13.214.35] 443 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258497; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258496; rev:1;) alert tcp $HOME_NET any -> [221.211.234.138] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258495; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258494; rev:1;) alert tcp $HOME_NET any -> [217.160.117.52] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; classtype:trojan-activity; sid:91258493; rev:1;) alert tcp $HOME_NET any -> [89.147.111.163] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.189.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258491; rev:1;) alert tcp $HOME_NET any -> [79.137.202.152] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258490; rev:1;) alert tcp $HOME_NET any -> [94.130.189.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258489; rev:1;) alert tcp $HOME_NET any -> [94.130.189.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardagasda2.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; 
sid:91258476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"maraksatandas13.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"teckmarakbads2.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258478/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kovey.mezo-api.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258479; rev:1;) alert tcp $HOME_NET any -> [46.246.14.17] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_18; classtype:trojan-activity; sid:91258486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"4.245.224.165"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1258474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258474; rev:1;) alert tcp $HOME_NET any -> [45.131.111.219] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258475; rev:1;) alert tcp $HOME_NET any -> [4.245.224.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258487; rev:1;) alert tcp $HOME_NET any -> [94.156.79.116] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; classtype:trojan-activity; sid:91258485; rev:1;) alert tcp $HOME_NET any -> [94.156.79.116] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_18; 
classtype:trojan-activity; sid:91258484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bjnddcoa3/index.php"; depth:21; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_18; classtype:trojan-activity; sid:91258483; rev:1;) alert tcp $HOME_NET any -> [70.34.253.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"european.pornvideo.mynetav.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"european.pornvideo.mynetav.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258480; rev:1;) alert tcp $HOME_NET any -> [194.87.39.98] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258472/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258472; rev:1;) alert tcp $HOME_NET any -> [104.129.20.14] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258471/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptpollupdategamebigloaddbbaseasynclocal.php"; depth:52; nocase; http.host; content:"91.240.84.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258470; rev:1;) alert tcp $HOME_NET any -> [154.61.80.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258469; rev:1;) alert tcp $HOME_NET any -> [168.76.120.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258468; rev:1;) alert tcp $HOME_NET any -> [168.76.120.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; 
classtype:trojan-activity; sid:91258467; rev:1;) alert tcp $HOME_NET any -> [168.76.120.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258466/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258466; rev:1;) alert tcp $HOME_NET any -> [168.76.120.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258465; rev:1;) alert tcp $HOME_NET any -> [168.76.120.84] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258464; rev:1;) alert tcp $HOME_NET any -> [168.76.120.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258463; rev:1;) alert tcp $HOME_NET any -> [168.76.120.83] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258462; rev:1;) alert tcp $HOME_NET any -> [168.76.120.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258461; rev:1;) alert tcp $HOME_NET any -> [168.76.120.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258460; rev:1;) alert tcp $HOME_NET any -> [168.76.120.125] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258459; rev:1;) alert tcp $HOME_NET any -> [188.54.117.185] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258458; rev:1;) alert tcp $HOME_NET any -> [41.98.14.133] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258457; rev:1;) alert tcp $HOME_NET any -> [178.163.140.51] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258456; rev:1;) alert tcp $HOME_NET any -> 
[159.100.14.172] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258455; rev:1;) alert tcp $HOME_NET any -> [74.208.123.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258454; rev:1;) alert tcp $HOME_NET any -> [172.105.81.73] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258453; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1003 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258452; rev:1;) alert tcp $HOME_NET any -> [167.86.85.34] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258451; rev:1;) alert tcp $HOME_NET any -> [103.134.144.226] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258450/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_17; classtype:trojan-activity; sid:91258450; rev:1;) alert tcp $HOME_NET any -> [103.134.144.225] 29903 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258449; rev:1;) alert tcp $HOME_NET any -> [173.242.156.181] 448 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258448; rev:1;) alert tcp $HOME_NET any -> [119.96.137.30] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258447; rev:1;) alert tcp $HOME_NET any -> [5.181.156.104] 7777 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258446; rev:1;) alert tcp $HOME_NET any -> [93.123.39.100] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dzn.ddns.net"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258188; rev:1;) alert tcp $HOME_NET any -> [45.77.154.40] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/gateway"; depth:12; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/g"; depth:6; nocase; http.host; content:"85.239.53.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258206; rev:1;) alert tcp $HOME_NET any -> [85.239.53.219] 80 (msg:"ThreatFox Emotet botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258207; rev:1;) alert tcp $HOME_NET any -> [193.233.132.168] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1258246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"architecture-interior.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"119.179.217.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquerys-6.3.5.max.js"; depth:21; nocase; http.host; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258254/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_17; classtype:trojan-activity; sid:91258254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-o62eztd3-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cncboatnetonlvu.apimomo.pro"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"npcodaas.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnettajima.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.verminteam.link"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258252; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legendsworld.in"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063894486901587979/1229768405582741570/1_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eft-edi-customer"; depth:17; nocase; http.host; content:"pankerfan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accessinformation"; depth:18; nocase; http.host; content:"pankerfan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/themes/white-rock-progression/l3h0y5.php"; depth:52; nocase; http.host; content:"www.briccodeldente.it"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/0srbuw.php"; depth:45; nocase; http.host; content:"dreamerz.vn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/vhpg2j.php"; depth:46; nocase; http.host; content:"retrobox.rocks"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/msecgc.php"; depth:45; nocase; http.host; content:"www.savetheworldpodcast.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sb9ivy.php"; depth:45; nocase; http.host; content:"djibek.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258238; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 23403 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpipephp_httplowupdateprotectdbpublic.php"; depth:49; nocase; http.host; content:"579050cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258236; rev:1;) alert tcp $HOME_NET any -> [103.195.236.62] 6789 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258235; rev:1;) alert tcp $HOME_NET any -> [94.156.10.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258234; rev:1;) alert tcp $HOME_NET any -> [8.217.14.132] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258233; rev:1;) alert tcp $HOME_NET any -> [103.244.226.133] 8086 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258232; rev:1;) alert tcp $HOME_NET any -> [13.43.245.50] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258231; rev:1;) alert tcp $HOME_NET any -> [5.44.196.220] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258230; rev:1;) alert tcp $HOME_NET any -> [119.28.159.21] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258229; rev:1;) alert tcp $HOME_NET any -> [192.227.152.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; 
classtype:trojan-activity; sid:91258228; rev:1;) alert tcp $HOME_NET any -> [47.238.201.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258227; rev:1;) alert tcp $HOME_NET any -> [8.219.146.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258226; rev:1;) alert tcp $HOME_NET any -> [8.219.15.69] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258225; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258224; rev:1;) alert tcp $HOME_NET any -> [123.249.100.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258223; rev:1;) alert tcp $HOME_NET any -> [120.46.91.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258222; rev:1;) alert tcp $HOME_NET any -> [47.104.20.195] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258221; rev:1;) alert tcp $HOME_NET any -> [47.108.197.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258220; rev:1;) alert tcp $HOME_NET any -> [139.196.78.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextoneup.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258218; rev:1;) alert tcp $HOME_NET any -> [37.44.238.78] 65001 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258216; rev:1;) alert tcp 
$HOME_NET any -> [37.44.238.94] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258217; rev:1;) alert tcp $HOME_NET any -> [175.178.50.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258215; rev:1;) alert tcp $HOME_NET any -> [122.51.85.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258214; rev:1;) alert tcp $HOME_NET any -> [121.4.97.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258213; rev:1;) alert tcp $HOME_NET any -> [49.232.157.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258212; rev:1;) alert tcp $HOME_NET any -> [116.203.13.134] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258210/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258210; rev:1;) alert tcp $HOME_NET any -> [65.109.242.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258208; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258200; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258201/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258201; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258202; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258203; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258204; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258195; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258196; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258197; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258198; rev:1;) alert tcp $HOME_NET any -> [187.135.117.203] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258199; rev:1;) alert tcp $HOME_NET any -> [94.156.65.156] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258194; rev:1;) alert tcp $HOME_NET any -> [91.92.253.159] 11423 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258193; rev:1;) alert tcp $HOME_NET any -> [91.92.242.61] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258191; rev:1;) alert tcp 
$HOME_NET any -> [91.92.242.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258192; rev:1;) alert tcp $HOME_NET any -> [213.195.126.87] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258190; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258187; rev:1;) alert tcp $HOME_NET any -> [179.13.4.37] 8082 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258186; rev:1;) alert tcp $HOME_NET any -> [178.73.218.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258184; rev:1;) alert tcp $HOME_NET any -> [192.210.236.212] 15111 (msg:"ThreatFox NetWire RC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258183/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258183; rev:1;) alert tcp $HOME_NET any -> [5.249.165.126] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258182; rev:1;) alert tcp $HOME_NET any -> [79.132.128.95] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258181; rev:1;) alert tcp $HOME_NET any -> [146.190.207.195] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"beautyservicenearme.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258179/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"onesmartiptv.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afterksmelipandmahdiimadss.ddns.net"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lendenclub.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258172/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adarch.de"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258173/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netedu.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258174/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258175/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_17; classtype:trojan-activity; sid:91258175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258176; rev:1;) alert tcp $HOME_NET any -> [49.13.149.95] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258170/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258170; rev:1;) alert tcp $HOME_NET any -> [94.156.79.69] 3770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258169; rev:1;) alert tcp $HOME_NET any -> [66.248.207.29] 23 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258168; rev:1;) alert tcp $HOME_NET any -> [51.254.53.24] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mark1234567.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaokkk.02maill.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.02maill.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cve.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1258165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258165; rev:1;) alert tcp $HOME_NET any -> [209.141.41.148] 9009 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mi341/index.php"; depth:16; nocase; http.host; content:"ccrhs.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/main/assets/js/bootbox.js"; depth:26; nocase; http.host; content:"1.92.85.139"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258160; rev:1;) alert tcp $HOME_NET any -> [159.203.166.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utilityreport.azureedge.net"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings"; depth:12; nocase; http.host; content:"utilityreport.azureedge.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258157; rev:1;) alert tcp $HOME_NET any -> [101.99.94.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258156; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 29750 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"require-spa.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258145/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258145; rev:1;) alert tcp $HOME_NET any -> [5.230.76.134] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258146/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258146; rev:1;) alert tcp $HOME_NET any -> [45.129.199.86] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258147/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258147; rev:1;) alert tcp $HOME_NET any -> [66.63.189.8] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258148/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258148; rev:1;) alert tcp $HOME_NET any -> [77.72.85.78] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258149/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258149; rev:1;) alert tcp $HOME_NET any -> [91.149.253.77] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258150/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258150; rev:1;) alert tcp $HOME_NET any -> [94.232.45.58] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258151/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258151; 
rev:1;) alert tcp $HOME_NET any -> [193.168.143.179] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258152/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258152; rev:1;) alert tcp $HOME_NET any -> [193.168.143.182] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258153/; target:src_ip; metadata: confidence_level 85, first_seen 2024_04_17; classtype:trojan-activity; sid:91258153; rev:1;) alert tcp $HOME_NET any -> [45.88.90.110] 3050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4-hitler.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258154; rev:1;) alert tcp $HOME_NET any -> [192.159.99.43] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258139; rev:1;) alert tcp $HOME_NET any -> [207.32.219.92] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258140; rev:1;) alert tcp $HOME_NET any -> [35.233.238.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258141; rev:1;) alert tcp $HOME_NET any -> [45.94.31.103] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258142; rev:1;) alert tcp $HOME_NET any -> [192.3.109.131] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258143; rev:1;) alert tcp $HOME_NET any -> [87.120.84.91] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258134; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258135; rev:1;) alert tcp $HOME_NET any -> 
[212.23.222.206] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258136; rev:1;) alert tcp $HOME_NET any -> [51.195.94.201] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258137; rev:1;) alert tcp $HOME_NET any -> [207.244.249.35] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258138; rev:1;) alert tcp $HOME_NET any -> [85.239.237.148] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258132; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 7788 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258133; rev:1;) alert tcp $HOME_NET any -> [77.238.235.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258131/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258131; rev:1;) alert tcp $HOME_NET any -> [46.246.6.6] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258130; rev:1;) alert tcp $HOME_NET any -> [85.192.63.194] 7777 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258129; rev:1;) alert tcp $HOME_NET any -> [41.99.193.128] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258128; rev:1;) alert tcp $HOME_NET any -> [154.246.248.213] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258127; rev:1;) alert tcp $HOME_NET any -> [51.15.225.131] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258126/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258126; rev:1;) alert tcp $HOME_NET any -> [18.206.197.222] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1258125/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258125; rev:1;) alert tcp $HOME_NET any -> [119.45.176.135] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258124; rev:1;) alert tcp $HOME_NET any -> [62.169.25.187] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258123; rev:1;) alert tcp $HOME_NET any -> [94.156.65.156] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258121; rev:1;) alert tcp $HOME_NET any -> [94.156.65.156] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258122; rev:1;) alert tcp $HOME_NET any -> [45.121.147.117] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258120; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20022 (msg:"ThreatFox BianLian 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258119; rev:1;) alert tcp $HOME_NET any -> [221.130.195.172] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258118/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258118; rev:1;) alert tcp $HOME_NET any -> [95.217.29.187] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258116; rev:1;) alert tcp $HOME_NET any -> [65.109.240.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.63"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"95.217.29.187"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258114; rev:1;) alert tcp $HOME_NET any -> [137.184.39.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_17; classtype:trojan-activity; sid:91258113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spotslfy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258110; rev:1;) alert tcp $HOME_NET any -> [192.253.251.132] 1780 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258109/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_17; classtype:trojan-activity; sid:91258109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnwa"; depth:5; nocase; http.host; content:"139.196.73.80"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258108; rev:1;) alert tcp $HOME_NET any -> [139.196.73.80] 9902 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258106; rev:1;) alert tcp $HOME_NET any -> [94.228.162.82] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258104/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258104; rev:1;) alert tcp $HOME_NET any -> [94.228.162.82] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; 
classtype:trojan-activity; sid:91258105; rev:1;) alert tcp $HOME_NET any -> [94.228.162.82] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258103; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 29545 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cars-fraction.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258100; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258081/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258081; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258082/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258082; rev:1;) alert tcp $HOME_NET any -> [91.92.253.228] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pnauco5.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupssupport.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258077; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 19044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258080/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_17; classtype:trojan-activity; sid:91258080; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258072; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 15030 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; 
sid:91258073; rev:1;) alert tcp $HOME_NET any -> [193.106.175.140] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942660.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalvideotestdatalifeuploads.php"; depth:37; nocase; http.host; content:"porpabor.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/08409289280180"; depth:25; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258098; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/1748937"; depth:18; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258095; rev:1;) alert tcp $HOME_NET any -> [185.172.128.65] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258094; rev:1;) alert tcp $HOME_NET any -> [193.233.132.72] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_17; classtype:trojan-activity; sid:91258093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/690877741063"; depth:23; nocase; http.host; content:"136.244.109.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_17; classtype:trojan-activity; sid:91258092; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1258091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-e1idmqlj-1259321672.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258090; rev:1;) alert tcp $HOME_NET any -> [77.91.122.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demonstrate/v3.76/t35i67njako"; depth:30; nocase; http.host; content:"77.91.122.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258087; rev:1;) alert tcp $HOME_NET any -> [175.27.133.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"154.8.187.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp"; depth:3; nocase; http.host; content:"192.144.195.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release"; depth:8; nocase; http.host; content:"154.8.187.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258083; rev:1;) alert tcp $HOME_NET any -> [193.168.143.185] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258079; rev:1;) alert tcp $HOME_NET any -> [66.63.189.105] 443 
(msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91258078; rev:1;) alert tcp $HOME_NET any -> [45.128.96.204] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258076; rev:1;) alert tcp $HOME_NET any -> [172.111.216.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258075; rev:1;) alert tcp $HOME_NET any -> [185.172.128.9] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258071; rev:1;) alert tcp $HOME_NET any -> [185.172.128.9] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258070; rev:1;) alert tcp $HOME_NET any -> [185.172.128.23] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258069/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258069; rev:1;) alert tcp $HOME_NET any -> [185.172.128.23] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258068; rev:1;) alert tcp $HOME_NET any -> [193.233.132.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_16; classtype:trojan-activity; sid:91258067; rev:1;) alert tcp $HOME_NET any -> [213.109.202.229] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258066; rev:1;) alert tcp $HOME_NET any -> [77.232.40.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258065; rev:1;) alert tcp $HOME_NET any -> [103.207.68.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258064; rev:1;) alert tcp $HOME_NET any -> [43.135.5.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258063; rev:1;) alert tcp $HOME_NET any -> [39.40.172.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258062; rev:1;) alert tcp $HOME_NET any -> [89.148.151.61] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258061; rev:1;) alert tcp $HOME_NET any -> [88.229.77.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258060; rev:1;) alert tcp $HOME_NET any -> [83.136.248.250] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258059; rev:1;) alert tcp $HOME_NET any -> [103.82.36.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258058; rev:1;) alert tcp $HOME_NET any -> [182.140.130.101] 
4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258057; rev:1;) alert tcp $HOME_NET any -> [149.28.144.85] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"45.55.199.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"167.71.242.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; 
sid:91258053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.227.108.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258052; rev:1;) alert tcp $HOME_NET any -> [185.196.220.194] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258050; rev:1;) alert tcp $HOME_NET any -> [103.155.93.148] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258049; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258044; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3.hta"; depth:6; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gogis.bat"; depth:10; nocase; http.host; content:"194.48.251.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1258047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258047; rev:1;) alert tcp $HOME_NET any -> [66.66.146.74] 9511 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"kingofdolomites.com"; depth:19; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1258041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"camps.topgunnbaseball.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1258042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91258042; rev:1;) alert tcp $HOME_NET any -> [109.107.181.83] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258040; rev:1;) alert tcp $HOME_NET any -> [216.9.225.194] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258039; rev:1;) alert tcp $HOME_NET any -> [191.82.251.201] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258038; rev:1;) alert tcp $HOME_NET any -> [194.105.5.194] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258037; rev:1;) alert tcp $HOME_NET any -> 
[104.234.204.57] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258036; rev:1;) alert tcp $HOME_NET any -> [103.47.147.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258035; rev:1;) alert tcp $HOME_NET any -> [94.156.67.112] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258034; rev:1;) alert tcp $HOME_NET any -> [80.112.42.92] 22 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1258026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91258026; rev:1;) alert tcp $HOME_NET any -> [43.156.80.75] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257786; rev:1;) alert tcp $HOME_NET any -> [43.135.11.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257785/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257785; rev:1;) alert tcp $HOME_NET any -> [107.172.196.210] 58000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257784; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 5000 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257783; rev:1;) alert tcp $HOME_NET any -> [23.94.66.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257782; rev:1;) alert tcp $HOME_NET any -> [47.236.8.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0941979.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257780; rev:1;) 
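# Suricata loads exactly one rule per physical line; this span had several rules
# collapsed onto each line and rules broken across lines, which does not parse.
# Re-laid out one rule per line. Rule text is unchanged; review notes are '#' lines.
alert tcp $HOME_NET any -> [8.218.149.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257779; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"zgjatj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257778; rev:1;)
alert tcp $HOME_NET any -> [159.65.56.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257777; rev:1;)
alert tcp $HOME_NET any -> [124.70.102.46] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257776; rev:1;)
alert tcp $HOME_NET any -> [1.92.85.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257775; rev:1;)
alert tcp $HOME_NET any -> [1.92.82.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257774; rev:1;)
alert tcp $HOME_NET any -> [139.224.49.34] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257773; rev:1;)
alert tcp $HOME_NET any -> [120.78.139.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257772; rev:1;)
alert tcp $HOME_NET any -> [115.29.202.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257771; rev:1;)
alert tcp $HOME_NET any -> [54.91.135.60] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257770; rev:1;)
alert tcp $HOME_NET any -> [101.200.86.176] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257769; rev:1;)
alert tcp $HOME_NET any -> [59.110.91.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257768; rev:1;)
alert tcp $HOME_NET any -> [47.115.215.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257767; rev:1;)
alert tcp $HOME_NET any -> [47.108.130.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257766; rev:1;)
alert tcp $HOME_NET any -> [47.92.206.180] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0672554332862"; depth:24; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257764/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257764; rev:1;)
alert tcp $HOME_NET any -> [39.96.116.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257763; rev:1;)
alert tcp $HOME_NET any -> [8.137.11.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257762; rev:1;)
alert tcp $HOME_NET any -> [8.134.102.18] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257761; rev:1;)
alert tcp $HOME_NET any -> [175.178.160.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257760; rev:1;)
alert tcp $HOME_NET any -> [124.222.147.8] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257759; rev:1;)
alert tcp $HOME_NET any -> [43.143.168.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257758; rev:1;)
alert tcp $HOME_NET any -> [43.139.67.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257757; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b.doxbin.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257756/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257756; rev:1;)
alert tcp $HOME_NET any -> [107.175.229.141] 36832 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257755; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.16] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257735; rev:1;)
alert tcp $HOME_NET any -> [64.95.13.160] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257734; rev:1;)
alert tcp $HOME_NET any -> [51.89.30.114] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257733; rev:1;)
alert tcp $HOME_NET any -> [51.81.0.240] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257732; rev:1;)
alert tcp $HOME_NET any -> [51.38.67.91] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257731; rev:1;)
alert tcp $HOME_NET any -> [45.133.74.121] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257730; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.219] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257729; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.185] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257728; rev:1;)
alert tcp $HOME_NET any -> [23.160.193.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257726; rev:1;)
alert tcp $HOME_NET any -> [23.160.194.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257727; rev:1;)
alert tcp $HOME_NET any -> [15.235.149.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257725; rev:1;)
alert tcp $HOME_NET any -> [15.204.12.150] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257724; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.35] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257723; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.184] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257736; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.225] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257737; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257738; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.74] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257739; rev:1;)
alert tcp $HOME_NET any -> [94.228.168.28] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257740; rev:1;)
alert tcp $HOME_NET any -> [103.174.73.85] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257741; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257742; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.237] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257743; rev:1;)
alert tcp $HOME_NET any -> [158.51.96.17] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257744; rev:1;)
alert tcp $HOME_NET any -> [162.214.103.215] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257745; rev:1;)
alert tcp $HOME_NET any -> [162.214.103.216] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257746; rev:1;)
alert tcp $HOME_NET any -> [172.65.152.34] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257747; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.230] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257748; rev:1;)
alert tcp $HOME_NET any -> [193.34.69.249] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257749; rev:1;)
alert tcp $HOME_NET any -> [209.141.50.91] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257750; rev:1;)
alert tcp $HOME_NET any -> [209.141.59.146] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257751; rev:1;)
alert tcp $HOME_NET any -> [209.141.62.176] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257752; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"returns-vary.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257754; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 26628 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257753/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257753; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 29058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tue-jake.gl.at.ply.gg"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257720; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.19] 28329 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report-dust.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257722; rev:1;)
# NOTE(review): the next two rules (sid 91257717, 91257718) carry identical match
# conditions, so any hit raises two alerts. Both anchor the 12-byte content
# "87.120.84.22" at depth:12 in http.uri with no http.host check; a path-form URI
# begins with "/", so this can only match a request whose URI starts with the bare
# IP, which ordinary traffic does not produce. Matching the IP on http.host
# would be the usual form for a host-only URL IOC.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257717; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"87.120.84.22"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257718; rev:1;)
alert tcp $HOME_NET any -> [173.44.141.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"173.44.141.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257714; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257712; rev:1;)
alert tcp $HOME_NET any -> [111.230.25.167] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lj3klqg6-1308639534.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257711; rev:1;)
alert tcp $HOME_NET any -> [101.99.75.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-net.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ki"; depth:3; nocase; http.host; content:"microsoft-net.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257708; rev:1;)
alert tcp $HOME_NET any -> [89.190.156.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257707; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.88] 6281 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257706; rev:1;)
# NOTE(review): the "/supershell/login/" rules below are all confidence_level 50
# and key on a login path plus an http.host IP; they identify a panel, not beacon
# traffic, so expect them to fire on analyst or scanner browsing as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257639; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257640; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257641; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257642; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257643; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257644; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257645; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.8.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257650/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.8.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"106.75.66.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257652/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257652; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.91.21"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257653; rev:1;)
# NOTE(review): "/supershell/login" depth:17 is a prefix of the "/supershell/login/"
# depth:18 match for the same host (sid 91257639), so every request that fires
# that rule also fires this one: two alerts per hit for host 18.166.113.24.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"18.166.113.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257638; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257636; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"116.204.123.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257637; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"139.199.2.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257634; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.143.112.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257633; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.220.0.201"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"172.245.134.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.34.243.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257629; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"202.61.141.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257630; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257628; rev:1;)
# NOTE(review): prefix of sid 91257628 for the same host; both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257627; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.128.177.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257625; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"111.223.247.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257624; rev:1;)
# NOTE(review): prefix of sid 91257626 for the same host; both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.128.177.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257623; rev:1;)
# NOTE(review): prefix of sid 91257625 for the same host; both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.157.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257622; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/";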
depth:18; nocase; http.host; content:"86.38.247.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"149.129.131.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.74.192.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"150.109.241.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257618/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"49.235.117.134"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257617/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"121.36.61.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257613; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"47.242.4.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"107.172.209.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.249.193.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257609; rev:1;) alert tcp $HOME_NET any -> [38.45.100.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1257500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257500; rev:1;) alert tcp $HOME_NET any -> [41.216.182.208] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257501; rev:1;) alert tcp $HOME_NET any -> [45.90.12.124] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257502; rev:1;) alert tcp $HOME_NET any -> [45.128.232.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257503; rev:1;) alert tcp $HOME_NET any -> [45.128.232.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257504; rev:1;) alert tcp $HOME_NET any -> [45.133.74.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257505; rev:1;) alert tcp $HOME_NET any -> 
[51.83.180.205] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257506; rev:1;) alert tcp $HOME_NET any -> [51.222.204.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257507; rev:1;) alert tcp $HOME_NET any -> [86.104.194.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257508; rev:1;) alert tcp $HOME_NET any -> [89.208.103.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257509; rev:1;) alert tcp $HOME_NET any -> [91.92.254.109] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257510; rev:1;) alert tcp $HOME_NET any -> [91.103.253.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257511; rev:1;) alert tcp $HOME_NET any -> [92.249.48.147] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257512; rev:1;) alert tcp $HOME_NET any -> [94.131.99.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257513; rev:1;) alert tcp $HOME_NET any -> [94.156.8.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257514; rev:1;) alert tcp $HOME_NET any -> [94.156.66.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257515; rev:1;) alert tcp $HOME_NET any -> [94.156.66.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257516; rev:1;) alert tcp $HOME_NET any -> [94.156.67.74] 80 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257517; rev:1;) alert tcp $HOME_NET any -> [94.228.168.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257518; rev:1;) alert tcp $HOME_NET any -> [141.98.7.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257519; rev:1;) alert tcp $HOME_NET any -> [141.98.7.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257520; rev:1;) alert tcp $HOME_NET any -> [159.253.120.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257521; rev:1;) alert tcp $HOME_NET any -> [185.102.172.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257522/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257522; rev:1;) alert tcp $HOME_NET any -> [185.196.8.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257523; rev:1;) alert tcp $HOME_NET any -> [193.34.69.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257524; rev:1;) alert tcp $HOME_NET any -> [193.35.18.35] 88 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257525; rev:1;) alert tcp $HOME_NET any -> [193.35.18.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257526; rev:1;) alert tcp $HOME_NET any -> [198.27.107.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257527; rev:1;) alert tcp $HOME_NET any -> [199.195.251.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257528; rev:1;) alert tcp $HOME_NET any -> [205.185.119.42] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257529; rev:1;) alert tcp $HOME_NET any -> [209.141.44.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257530; rev:1;) alert tcp $HOME_NET any -> [209.141.62.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pickthecotton.xyz"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1257556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"zopz-api.com"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1257557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.244.125"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1257558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.187.28.15"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1257560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257560; rev:1;) alert tcp $HOME_NET any -> [164.92.166.129] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257573/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257573; rev:1;) alert tcp $HOME_NET any -> [51.81.38.137] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257574; rev:1;) alert tcp $HOME_NET any -> [64.227.166.207] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257575; rev:1;) alert tcp 
$HOME_NET any -> [188.119.103.198] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257601; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 17691 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257602; rev:1;) alert tcp $HOME_NET any -> [66.187.4.175] 55650 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257603; rev:1;) alert tcp $HOME_NET any -> [166.88.61.185] 10020 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257608; rev:1;) alert tcp $HOME_NET any -> [5.181.190.250] 8008 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257607; rev:1;) alert tcp $HOME_NET any -> [193.233.132.117] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257606/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257606; rev:1;) alert tcp $HOME_NET any -> [93.123.85.103] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"139.198.174.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257604; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 17455 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-composed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257665/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257665; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 28632 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257663; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tequilacofradiamx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257662; rev:1;) alert tcp $HOME_NET any -> [91.92.254.199] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257661/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xxx.bat"; depth:8; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/.hta"; depth:5; nocase; http.host; content:"193.222.96.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boatnet.dogzsec.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; 
classtype:trojan-activity; sid:91257655; rev:1;) alert tcp $HOME_NET any -> [193.222.96.41] 7287 (msg:"ThreatFox Venom RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"green-morrison.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257666; rev:1;) alert tcp $HOME_NET any -> [87.121.105.175] 14845 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257667; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257671; rev:1;) alert tcp $HOME_NET any -> [2.58.95.131] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257683/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_16; classtype:trojan-activity; sid:91257683; rev:1;) alert tcp $HOME_NET any -> [91.92.243.252] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257687; rev:1;)
# ---------------------------------------------------------------------------
# Reading the ThreatFox signatures in this section (notes for whoever tunes
# this feed locally). Rules are restored to one per line below.
#
# Two rule shapes occur:
#
#  1. "ip:port" rules:  alert tcp $HOME_NET any -> [<ip>] <port> (...)
#     - There is no flow: keyword, so the match is on the destination tuple
#       alone: a single outbound SYN from $HOME_NET towards that ip:port
#       (scanner, stale DNS answer, misdirected client) can be enough to
#       fire. No payload is inspected, so port-443 entries say nothing
#       about the TLS session itself.
#     - threshold: type limit, track by_src, seconds 60, count 1 caps the
#       output at one alert per internal source address per minute per rule.
#     - target:src_ip marks the $HOME_NET side as the affected host, so the
#       "src" in the alert is the suspected infected machine, not the C2.
#
#  2. "url" rules:  alert http $HOME_NET any -> $EXTERNAL_NET any (...)
#     - flow:established,from_client and http.method "GET" restrict the match
#       to a client request inside a completed handshake.
#     - http.uri; content:"<path>"; depth:N (N = length of <path>, nocase) is
#       a PREFIX match on the URI: longer URIs that start with the same path
#       also match, and the query string is not considered.
#     - http.host; content:"<host>"; depth:N; isdataat:!1,relative is an
#       EXACT match on the Host header (no byte may follow the string), so
#       subdomains and look-alike suffixes do not match.
#
# Shared conventions:
#   - sid is "9" followed by the ThreatFox IoC id, and reference:url carries
#     the same id, so an alert pivots straight to its ThreatFox entry.
#   - metadata confidence_level mirrors the percentage in msg; treat the
#     50% entries as leads to triage, not as grounds for automated blocking.
#   - first_seen is the report date. C2 infrastructure in feeds like this is
#     short-lived, so a hit on an older entry may be a re-assigned address
#     rather than live C2 — confirm before acting on it.
#   - Every rule is rev:1 and the file is a generated feed: keep local
#     tuning in threshold.config / suppress entries rather than editing the
#     signatures here, so a refreshed feed does not overwrite it.
# ---------------------------------------------------------------------------
# URI "/" with depth:1 matches every GET to this host; effectively a host-level indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257703; rev:1;)
alert tcp $HOME_NET any -> [116.202.185.144] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257704; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.230] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257705; rev:1;)
# URI "/" with depth:1 matches every GET to this host; effectively a host-level indicator.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257702; rev:1;)
# The next two rules name legitimate public services (t.me, steamcommunity.com);
# the URI path is the only discriminator. Anyone opening the same channel or
# profile will trigger them, so investigate the client rather than block the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/irfail"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199673019888"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257700; rev:1;)
# "Unknown malware" at 50%: family not identified by the submitter; tuple-only match.
alert tcp $HOME_NET any -> [82.146.62.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257699; rev:1;)
alert tcp $HOME_NET any -> [185.173.38.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257698; rev:1;)
alert tcp $HOME_NET any -> [101.37.13.119] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257697; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.8] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257696; rev:1;)
alert tcp $HOME_NET any -> [178.73.192.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257695; rev:1;)
# QakBot entries on 443/995/2222 are tuple-only; nothing in the TLS stream is checked.
alert tcp $HOME_NET any -> [189.152.21.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257694; rev:1;)
alert tcp $HOME_NET any -> [190.134.50.121] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257693; rev:1;)
alert tcp $HOME_NET any -> [77.126.165.31] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257692; rev:1;)
alert tcp $HOME_NET any -> [147.45.136.226] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257691; rev:1;)
alert tcp $HOME_NET any -> [192.162.68.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257690; rev:1;)
alert tcp $HOME_NET any -> [128.14.237.229] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257689; rev:1;)
alert tcp $HOME_NET any -> [77.106.68.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_16; classtype:trojan-activity; sid:91257688; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.87] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257686; rev:1;)
# The url rules below pair a short, generic path (/load, /push, /match, /pixel, ...)
# with a bare-IP Host header; the Host exact-match is what keeps them specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257682; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"60.204.217.11"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"116.62.34.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257676; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"106.55.181.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0942630.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_16; classtype:trojan-activity; sid:91257672; rev:1;)
# Three NjRAT entries share port 10869 on different addresses; a hit on one is worth
# checking against the other two for the same internal source.
alert tcp $HOME_NET any -> [18.158.249.75] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257670; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257669; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 10869 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257668; rev:1;)
# The next two rules match the identical URL (same path and host) and differ only in
# confidence (75% for ioc 1257660, 100% for ioc 1257656): one request yields two alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257660/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257660; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jinjfg/panel/five/fre.php"; depth:26; nocase; http.host; content:"tequilacofradiamx.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257656; rev:1;)
alert tcp $HOME_NET any -> [135.125.21.74] 4545 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257600; rev:1;)
alert tcp $HOME_NET any -> [77.134.63.213] 1122 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257599; rev:1;)
# Same address on two ports (4449 and 8000); each port is its own rule and sid.
alert tcp $HOME_NET any -> [171.232.6.144] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257597; rev:1;)
alert tcp $HOME_NET any -> [171.232.6.144] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257598; rev:1;)
alert tcp $HOME_NET any -> [111.173.116.82] 2312 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257596; rev:1;)
# Port 8080 and 6667 are also common proxy / IRC ports; expect some benign noise here.
alert tcp $HOME_NET any -> [89.88.69.115] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257595; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.34] 6667 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257594; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.76] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257593; rev:1;)
alert tcp $HOME_NET any -> [8.210.250.14] 6603 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257591; rev:1;)
alert tcp $HOME_NET any -> [37.235.56.182] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257592; rev:1;)
alert tcp $HOME_NET any -> [223.26.61.23] 5121 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257590; rev:1;)
alert tcp $HOME_NET any -> [91.92.251.216] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257589; rev:1;)
alert tcp $HOME_NET any -> [187.135.177.247] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257588; rev:1;)
alert tcp $HOME_NET any -> [200.9.154.160] 10000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257587; rev:1;)
alert tcp $HOME_NET any -> [104.250.169.165] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257581; rev:1;)
alert tcp $HOME_NET any -> [128.90.122.129] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257582; rev:1;)
# AsyncRAT entries on 80 and 443 are tuple-only; a plain web request to the address also fires.
alert tcp $HOME_NET any -> [156.195.84.201] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257583; rev:1;)
alert tcp $HOME_NET any -> [156.195.143.153] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257584; rev:1;)
alert tcp $HOME_NET any -> [172.111.148.205] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257585; rev:1;)
alert tcp $HOME_NET any -> [181.214.223.125] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257586; rev:1;)
alert tcp $HOME_NET any -> [20.2.223.28] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257576; rev:1;)
# One address, three ports (6606/7707/8808): three sids, thresholded independently.
alert tcp $HOME_NET any -> [94.156.67.103] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257577; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.103] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257578; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.103] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257579; rev:1;)
alert tcp $HOME_NET any -> [103.47.147.23] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257580; rev:1;)
# Cobalt Strike block: destination-tuple matches only (no payload, certificate or
# JA3 content in the rule). Corroborate with TLS/HTTP metadata for the same flow
# before escalating; several addresses sit in cloud-provider ranges that get reused.
alert tcp $HOME_NET any -> [35.221.150.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257572; rev:1;)
alert tcp $HOME_NET any -> [35.229.251.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257571; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257569; rev:1;)
alert tcp $HOME_NET any -> [88.214.27.80] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257570; rev:1;)
alert tcp $HOME_NET any -> [81.19.138.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257567; rev:1;)
alert tcp $HOME_NET any -> [81.19.138.60] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257568; rev:1;)
alert tcp $HOME_NET any -> [81.19.136.252] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257565; rev:1;)
alert tcp $HOME_NET any -> [81.19.136.252] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257566; rev:1;)
alert tcp $HOME_NET any -> [210.56.49.167] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257564; rev:1;)
alert tcp $HOME_NET any -> [38.180.120.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257563; rev:1;)
alert tcp $HOME_NET any -> [106.75.162.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257562; rev:1;)
alert tcp $HOME_NET any -> [149.88.78.227] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257561; rev:1;)
alert tcp $HOME_NET any -> [43.131.5.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257559; rev:1;)
# 46.246.80.8 also appears above on port 6000 (ioc 1257696); this entry covers port 8000.
alert tcp $HOME_NET any -> [46.246.80.8] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257555; rev:1;)
alert tcp $HOME_NET any -> [88.234.159.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257554; rev:1;)
alert tcp $HOME_NET any -> [78.69.198.113] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257553; rev:1;)
alert tcp $HOME_NET any -> [151.64.244.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257552; rev:1;)
# Outbound TCP/445 from $HOME_NET to an Internet address is worth an alert on its own,
# regardless of the 50% attribution here; confirm egress filtering for SMB.
alert tcp $HOME_NET any -> [158.140.128.55] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257551; rev:1;)
alert tcp $HOME_NET any -> [172.233.120.154] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257550; rev:1;)
alert tcp $HOME_NET any -> [54.37.226.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257549; rev:1;)
alert tcp $HOME_NET any -> [103.136.150.94] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257548; rev:1;)
alert tcp $HOME_NET any -> [151.236.26.171] 12041 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257547; rev:1;)
alert tcp $HOME_NET any -> [118.212.140.132] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257546; rev:1;)
alert tcp $HOME_NET any -> [35.189.178.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257545; rev:1;)
alert tcp $HOME_NET any -> [38.60.217.106] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257544; rev:1;)
# Same Sliver address on two ports (8888 and 31337); two sids.
alert tcp $HOME_NET any -> [159.203.125.55] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257543; rev:1;)
alert tcp $HOME_NET any -> [159.203.125.55] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257542; rev:1;)
alert tcp $HOME_NET any -> [103.149.90.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257541; rev:1;)
alert tcp $HOME_NET any -> [45.77.37.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257540; rev:1;)
alert tcp $HOME_NET any -> [103.146.159.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257539; rev:1;)
alert tcp $HOME_NET any -> [20.189.79.97] 43552 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257538; rev:1;)
alert tcp $HOME_NET any -> [43.132.184.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257537; rev:1;)
alert tcp $HOME_NET any -> [107.175.91.204] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257536; rev:1;)
alert tcp $HOME_NET any -> [164.92.249.209] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257534; rev:1;)
alert tcp $HOME_NET any -> [164.92.249.209] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257535; rev:1;)
alert tcp $HOME_NET any -> [159.89.16.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257533; rev:1;)
# 80% band: the remaining entries carry confidence_level 80 in both msg and metadata.
alert tcp $HOME_NET any -> [185.196.11.252] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257532; rev:1;)
alert tcp $HOME_NET any -> [59.174.112.119] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257499; rev:1;)
alert tcp $HOME_NET any -> [176.135.229.160] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257498; rev:1;)
# Port 502 is the Modbus/TCP port; if OT equipment talks to this address the alert
# deserves priority, and a benign ICS poller would need a local suppress entry.
alert tcp $HOME_NET any -> [63.41.157.163] 502 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257497; rev:1;)
alert tcp $HOME_NET any -> [42.157.163.42] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257496; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a80d985c.php"; depth:13; nocase; http.host; content:"a0943092.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257495; rev:1;)
alert tcp $HOME_NET any -> [152.42.139.235] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257494; rev:1;)
alert tcp $HOME_NET any -> [8.130.69.96] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257493; rev:1;)
alert tcp $HOME_NET any -> [172.207.236.31] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257492; rev:1;)
alert tcp $HOME_NET any -> [44.222.74.172] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257491; rev:1;)
alert tcp $HOME_NET any -> [103.249.112.105] 8181 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257490; 
rev:1;) alert tcp $HOME_NET any -> [13.82.179.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_15; classtype:trojan-activity; sid:91257489; rev:1;) alert tcp $HOME_NET any -> [89.190.156.227] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257203; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 61192 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257459; rev:1;) alert tcp $HOME_NET any -> [204.76.203.2] 1883 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257460; rev:1;) alert tcp $HOME_NET any -> [204.76.203.3] 1883 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257461; rev:1;) alert tcp $HOME_NET any -> [62.72.185.14] 17912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257483/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257483; rev:1;) alert tcp $HOME_NET any -> [47.245.94.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257488; rev:1;) alert tcp $HOME_NET any -> [47.236.172.59] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257487; rev:1;) alert tcp $HOME_NET any -> [47.236.96.178] 5055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257486; rev:1;) alert tcp $HOME_NET any -> [47.76.92.216] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257485; rev:1;) alert tcp $HOME_NET any -> [8.219.228.10] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257484; rev:1;) alert tcp $HOME_NET any -> [124.71.69.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257481; rev:1;) alert tcp $HOME_NET any -> [124.71.69.101] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257482; rev:1;) alert tcp $HOME_NET any -> [117.78.11.237] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257480; rev:1;) alert tcp $HOME_NET any -> [60.204.151.207] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257479; rev:1;) alert tcp $HOME_NET any -> [123.56.235.29] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257217; rev:1;) alert tcp $HOME_NET any -> [118.178.195.229] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257216; rev:1;) alert tcp $HOME_NET any -> [101.201.70.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257215; rev:1;) alert tcp $HOME_NET any -> [47.120.41.137] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257214; rev:1;) alert tcp $HOME_NET any -> [47.113.150.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257213; rev:1;) alert tcp $HOME_NET any -> [39.100.120.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257212; rev:1;) alert tcp $HOME_NET any -> [8.137.108.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257210; rev:1;) alert tcp $HOME_NET any -> [8.137.108.208] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257211; rev:1;) alert tcp $HOME_NET any -> [8.134.80.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257209; rev:1;) alert tcp $HOME_NET any -> [8.130.30.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257208; rev:1;) alert tcp $HOME_NET any -> [47.120.58.214] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257206; rev:1;) alert tcp $HOME_NET any -> [59.110.18.123] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257207; rev:1;) alert tcp $HOME_NET any -> [1.94.120.249] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257204; rev:1;) alert tcp $HOME_NET any -> 
[8.130.24.188] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257205; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sonic-gif3332.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257199; rev:1;) alert tcp $HOME_NET any -> [185.73.125.50] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 70%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257201/; target:src_ip; metadata: confidence_level 70, first_seen 2024_04_15; classtype:trojan-activity; sid:91257201; rev:1;) alert tcp $HOME_NET any -> [193.112.85.116] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1257200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257200; rev:1;) alert tcp $HOME_NET any -> [175.178.232.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257197; rev:1;) alert tcp $HOME_NET any -> [175.27.133.246] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257196; rev:1;) alert tcp $HOME_NET any -> [93.123.85.103] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257191; rev:1;) alert tcp $HOME_NET any -> [152.136.43.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257194; rev:1;) alert tcp $HOME_NET any -> [152.136.43.210] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257195; rev:1;) alert tcp $HOME_NET any -> [111.230.12.198] 88 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257193; rev:1;) alert tcp $HOME_NET any -> [81.70.91.34] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"carlaweishale.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/df/tt"; depth:6; nocase; http.host; content:"rtattack.baqebei1.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257190/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_15; classtype:trojan-activity; sid:91257190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257186; rev:1;) alert tcp $HOME_NET any -> [205.185.121.20] 5386 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257084/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"2.58.95.100"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257174/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; 
http.host; content:"74.91.116.85"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"93.123.85.48"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257178; rev:1;) alert tcp $HOME_NET any -> [93.123.85.53] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257179; rev:1;) alert tcp $HOME_NET any -> [89.116.236.8] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257182; rev:1;) alert tcp $HOME_NET any -> [93.123.85.48] 1 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257180; rev:1;) alert tcp $HOME_NET any -> [167.114.127.89] 5214 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257181; rev:1;) alert tcp $HOME_NET any -> [2.58.95.100] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257183; rev:1;) alert tcp $HOME_NET any -> [74.91.116.85] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257184; rev:1;) alert tcp $HOME_NET any -> [209.141.60.189] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"167.114.127.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257172/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"89.116.236.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"209.141.60.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257177; rev:1;) alert tcp $HOME_NET any -> [85.204.116.22] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257071; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257072; rev:1;) alert tcp $HOME_NET any -> [5.181.80.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; 
classtype:trojan-activity; sid:91257073; rev:1;) alert tcp $HOME_NET any -> [85.204.116.206] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257074; rev:1;) alert tcp $HOME_NET any -> [5.181.80.140] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257075; rev:1;) alert tcp $HOME_NET any -> [5.181.80.61] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257076; rev:1;) alert tcp $HOME_NET any -> [5.181.80.189] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257077; rev:1;) alert tcp $HOME_NET any -> [62.72.185.15] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257078; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257079; rev:1;) alert tcp $HOME_NET any -> [62.72.185.90] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257080; rev:1;) alert tcp $HOME_NET any -> [62.72.185.42] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257081; rev:1;) alert tcp $HOME_NET any -> [85.204.116.21] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257082; rev:1;) alert tcp $HOME_NET any -> [99.195.249.124] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257083; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 586 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257068; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257069; rev:1;) alert tcp $HOME_NET any -> [104.219.239.56] 1989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257067; rev:1;) alert tcp $HOME_NET any -> [104.219.239.56] 3956 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257066; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 4414 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257065; rev:1;) alert tcp $HOME_NET any -> [98.66.160.134] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257064; rev:1;) alert tcp $HOME_NET any -> [45.63.56.64] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257063; rev:1;) alert tcp $HOME_NET any -> [172.207.236.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257062; rev:1;) alert tcp $HOME_NET any -> [151.48.171.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257061; rev:1;) alert tcp $HOME_NET any -> [87.110.49.55] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257060; rev:1;) alert tcp $HOME_NET any -> [16.163.57.246] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257059; rev:1;) alert tcp $HOME_NET any -> [172.104.25.254] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257058; rev:1;) alert tcp $HOME_NET any -> [163.181.130.93] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257057; rev:1;) alert tcp $HOME_NET any -> [34.16.198.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257056; rev:1;) alert tcp $HOME_NET any -> [61.162.223.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_15; classtype:trojan-activity; sid:91257055; rev:1;) alert tcp $HOME_NET any -> [95.216.176.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257054; rev:1;) alert tcp $HOME_NET any -> [65.109.140.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; 
sid:91257050; rev:1;) alert tcp $HOME_NET any -> [116.202.185.144] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257051; rev:1;) alert tcp $HOME_NET any -> [95.217.28.230] 5342 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257052; rev:1;) alert tcp $HOME_NET any -> [95.216.176.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.26.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257048; rev:1;) alert tcp $HOME_NET any -> [157.90.25.39] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
# url rules with http.uri content:"/" depth:1 accept every request path (all URIs begin with "/"), so the
# Host header check is the only discriminator: http.host content with depth:N followed by isdataat:!1,relative
# requires the header to be exactly that literal and nothing longer. Because the match is on the raw IP
# literal, the same server reached via a hostname is not covered; the companion ip:port rules for these
# Vidar hosts (e.g. 95.216.176.5:443) cover the TLS side, these rules cover plaintext HTTP on any port.
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.185.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.140.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257043/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"157.90.25.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/0699921091"; depth:21; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257041; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257040; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257039; rev:1;) alert tcp $HOME_NET any -> [173.211.46.114] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257038/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bordersoarmanusjuw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"entitlementappwo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"economicscreateojsu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pushjellysingeywus.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"suitcaseacanehalk.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"absentconvicsjawun.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealplayerpreceodsju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wifeplasterbakewis.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bordersoarmanusjuw.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
# dns rules: dns_query content anchored by depth:N plus isdataat:!1,relative matches the queried name
# exactly (nocase), so lookups for subdomains of these .shop names do not trigger — only the bare domain.
# The header is $HOME_NET any -> $EXTERNAL_NET any: where clients resolve through an internal resolver,
# only the resolver's upstream query crosses that boundary, so target:src_ip then points at the resolver
# rather than the infected client; correlate with resolver logs, or add an internal-facing variant, to
# recover the originating host.
threatfox.abuse.ch/ioc/1257008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"entitlementappwo.shop"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"economicscreateojsu.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pushjellysingeywus.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"absentconvicsjawun.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitcaseacanehalk.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257013/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_15; classtype:trojan-activity; sid:91257013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mealplayerpreceodsju.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257014; rev:1;) alert tcp $HOME_NET any -> [35.198.149.52] 33966 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257026; rev:1;) alert tcp $HOME_NET any -> [198.12.124.76] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257028; rev:1;) alert tcp $HOME_NET any -> [104.168.45.11] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257029; rev:1;) alert tcp $HOME_NET any -> [185.216.70.168] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257027; rev:1;) alert tcp $HOME_NET any -> [172.245.119.70] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257030; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wifeplasterbakewis.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1257015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257015; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17170 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257016/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257016; rev:1;) alert tcp $HOME_NET any -> [93.123.85.167] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257017; rev:1;) alert tcp $HOME_NET any -> [203.145.46.240] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257024; rev:1;) alert tcp 
# REVIEW: sid 91257035 (Loki PWS, 75%) alerts on 172.67.156.11:80, an address inside 172.64.0.0/13, which
# is published Cloudflare anycast space — verify. An ip:port rule on port 80 of a shared CDN edge will also
# fire on benign traffic to any site fronted by that address, so validate against your own traffic before
# enabling it, or rely on the URL/domain-level indicators for that family instead.
# The nyashkoon.top url rules match the exact path (depth = literal length) and exact Host header
# (depth + isdataat:!1,relative), so a different path or a sibling host on that domain is not covered.
$HOME_NET any -> [172.245.119.63] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257031; rev:1;) alert tcp $HOME_NET any -> [172.67.156.11] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257035/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257035; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 8096 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257037/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_15; classtype:trojan-activity; sid:91257037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/toprocessordlelocalprivate.php"; depth:31; nocase; http.host; content:"276261cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_local.php"; depth:11; nocase; http.host; content:"967183cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257034; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/720637"; depth:17; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257033; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 1919 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_pollpacketmultitesttrackdletemporary.php"; depth:42; nocase; http.host; content:"330745cm.nyashkoon.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_15; classtype:trojan-activity; sid:91257023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01525576.php"; depth:13; nocase; http.host; content:"a0940040.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257022; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1257021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257021; rev:1;) alert tcp $HOME_NET any -> [41.248.119.194] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257020; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1257019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"165.232.123.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1257018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91257018; rev:1;) alert tcp $HOME_NET any -> [206.189.246.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256999; rev:1;) alert tcp $HOME_NET any -> [170.64.197.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; 
classtype:trojan-activity; sid:91256998; rev:1;) alert tcp $HOME_NET any -> [167.179.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256997; rev:1;) alert tcp $HOME_NET any -> [96.237.16.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256996; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256995; rev:1;) alert tcp $HOME_NET any -> [101.99.94.224] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256994; rev:1;) alert tcp $HOME_NET any -> [163.181.142.96] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256993; rev:1;) alert tcp $HOME_NET any -> [18.181.61.11] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1256992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256992; rev:1;) alert tcp $HOME_NET any -> [193.233.132.217] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256744; rev:1;) alert tcp $HOME_NET any -> [186.102.175.129] 1114 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256743; rev:1;) alert tcp $HOME_NET any -> [94.228.162.55] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256742; rev:1;) alert tcp $HOME_NET any -> [103.237.86.195] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; 
classtype:trojan-activity; sid:91256737; rev:1;) alert tcp $HOME_NET any -> [93.123.39.73] 400 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256740; rev:1;) alert tcp $HOME_NET any -> [87.246.7.66] 52154 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256738; rev:1;) alert tcp $HOME_NET any -> [203.145.46.240] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestcpu/generatorgame/datalife02/processorserver/proton/9/centraltemp/pythontrafficvideo/4sqlserver/dbcentral7/6privatepython/1dle1/wpdle1track/62wordpress/datalife/externalexternalvoiddb/video53base/uploadsdatalife1pipe/requestlongpollflower/php_requestapiprotectwindowsasyncdatalife.php"; depth:292; nocase; http.host; content:"79.174.94.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256741; rev:1;) alert tcp $HOME_NET any -> [23.227.196.15] 23461 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"salaamt.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mzile.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inspirestudiosteam.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256723/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"neweatz.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"purpleflowers.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256726/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_04_14; classtype:trojan-activity; sid:91256726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coffin-jazzed.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256728/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sam.coinmarketcap-tm.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256729/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"svma.arcovip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"elated-black.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256720/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256720; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"infallible-lichterman.45-141-215-173.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256722/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"great-golick.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256721/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"carte-vitale-assurance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256719/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256719; rev:1;) alert tcp $HOME_NET any -> [192.53.123.224] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"al.salaamt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256716/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"ams-k-node1.vleo.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256717/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256718/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sharp-hugle.45-141-215-173.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stupefied-germain.45-141-215-173.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.elated-black.45-141-215-173.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256734/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"www.infallible-lichterman.45-141-215-173.plesk.page"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256715/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256715; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 77 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256713; rev:1;) alert tcp $HOME_NET any -> [185.173.38.38] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256711; rev:1;) alert tcp $HOME_NET any -> [46.101.4.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256710; rev:1;) alert tcp $HOME_NET any -> [46.246.82.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256709; rev:1;) alert tcp $HOME_NET any -> [108.34.181.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256708; rev:1;) alert tcp $HOME_NET any -> [119.96.91.140] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256707; rev:1;) alert tcp $HOME_NET any -> [125.73.208.34] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256706; rev:1;) alert tcp $HOME_NET any -> [82.197.65.180] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256705; rev:1;) 
alert tcp $HOME_NET any -> [39.145.65.102] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256704; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 31774 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256703; rev:1;) alert tcp $HOME_NET any -> [185.196.8.31] 76 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256702/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"unotree.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256655; rev:1;) alert tcp $HOME_NET any -> [198.46.177.144] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256676; rev:1;) alert tcp $HOME_NET any -> [176.123.1.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256674/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256674; rev:1;) alert tcp $HOME_NET any -> [91.92.251.238] 5366 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256675; rev:1;) alert tcp $HOME_NET any -> [85.195.79.166] 9981 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_14; classtype:trojan-activity; sid:91256677; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256692; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17231 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tcp.eu.ngrok.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256695/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256695; rev:1;) alert tcp $HOME_NET any -> [94.156.10.76] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rsx.nextoneup.shop"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256690; rev:1;) alert tcp $HOME_NET any -> [176.123.1.215] 7777 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256682; rev:1;) alert tcp $HOME_NET any -> [45.88.90.185] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256686; rev:1;) alert tcp $HOME_NET any -> [37.44.238.94] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256689; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15640 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256694/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; 
sid:91256694; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15019 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256696/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256696; rev:1;) alert tcp $HOME_NET any -> [46.147.123.30] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256697/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256700/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256700; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_14; classtype:trojan-activity; sid:91256701; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256699; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14095 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256698/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256698; rev:1;) alert tcp $HOME_NET any -> [41.249.48.248] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0917747.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30257e4c371b49a4.php"; depth:21; nocase; http.host; content:"192.121.87.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_14; classtype:trojan-activity; sid:91256687; rev:1;) alert tcp $HOME_NET any -> [147.45.47.102] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256684; rev:1;) alert tcp $HOME_NET any -> [147.45.47.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256683/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_14; classtype:trojan-activity; sid:91256683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2betterpacket/proton/7voiddbcpu2/longpoll5/5testjsmulti/packet/pollprivate.php"; depth:79; nocase; http.host; content:"109.107.182.28"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256681; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 8098 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.23.87.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerlongpollservermultidbwp.php"; depth:36; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256678; rev:1;) alert tcp $HOME_NET any -> [34.88.143.155] 1177 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256673; rev:1;) alert tcp $HOME_NET any -> [188.120.240.143] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256672; rev:1;) alert tcp $HOME_NET any -> [94.156.8.227] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256671; rev:1;) alert tcp $HOME_NET any -> [47.242.4.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256670; rev:1;) alert tcp $HOME_NET any -> [122.114.26.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256669; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256668/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_13; classtype:trojan-activity; sid:91256668; rev:1;) alert tcp $HOME_NET any -> [78.189.79.252] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256667; rev:1;) alert tcp $HOME_NET any -> [130.43.60.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256666; rev:1;) alert tcp $HOME_NET any -> [143.198.137.33] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256665; rev:1;) alert tcp $HOME_NET any -> [4.236.52.255] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256664; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256663; rev:1;) alert tcp $HOME_NET any -> [167.114.90.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1256662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256662; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20010 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256661; rev:1;) alert tcp $HOME_NET any -> [89.22.182.206] 1720 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256660; rev:1;) alert tcp $HOME_NET any -> [198.90.21.114] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256659; rev:1;) alert tcp $HOME_NET any -> [94.198.54.202] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256658; rev:1;) alert tcp $HOME_NET any -> [172.111.137.180] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.220.148.179"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256656/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256656; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256654; rev:1;) alert tcp $HOME_NET any -> [94.156.79.32] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hackerddos.x3322.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"ua.tispy.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tispy.me"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"boloneser.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256467/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"mulaktix.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"munison.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; 
classtype:trojan-activity; sid:91256469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytnjmdbmotvintc3/"; depth:18; nocase; http.host; content:"udefano.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brb.3dtuts.by"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3dtuts.by"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256472; rev:1;) alert tcp $HOME_NET any -> [2.58.113.208] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256476/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256476; rev:1;) alert tcp $HOME_NET any -> [93.123.39.73] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256475/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256475; rev:1;) alert tcp $HOME_NET any -> [41.249.108.177] 10000 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagejshttpgeocpugamebigloadsqlwp.php"; depth:38; nocase; http.host; content:"77.221.158.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256473; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 1414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256466; rev:1;) alert tcp $HOME_NET any -> [94.156.64.237] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256465; rev:1;) alert tcp $HOME_NET any -> [159.69.26.61] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256464; rev:1;) alert tcp $HOME_NET any -> [159.69.26.61] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1256463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256463; rev:1;) alert tcp $HOME_NET any -> [13.232.156.210] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256462; rev:1;) alert tcp $HOME_NET any -> [162.33.178.156] 3122 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256459; rev:1;) alert tcp $HOME_NET any -> [27.25.156.47] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256458; rev:1;) alert tcp $HOME_NET any -> [147.45.47.93] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"165.232.75.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256456/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_13; classtype:trojan-activity; sid:91256456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256455; rev:1;) alert tcp $HOME_NET any -> [147.45.47.93] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256454; rev:1;) alert tcp $HOME_NET any -> [128.199.178.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256452; rev:1;) alert tcp $HOME_NET any -> [165.232.75.251] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256453; rev:1;) alert tcp $HOME_NET any -> [8.137.84.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256450; rev:1;) alert tcp $HOME_NET any -> [1.94.120.249] 8443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256451; rev:1;) alert tcp $HOME_NET any -> [1.117.60.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256447; rev:1;) alert tcp $HOME_NET any -> [101.35.173.226] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256448; rev:1;) alert tcp $HOME_NET any -> [8.130.52.13] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256449; rev:1;) alert tcp $HOME_NET any -> [110.42.102.204] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256439; rev:1;) alert tcp $HOME_NET any -> [177.255.88.116] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256440/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256440; rev:1;) alert tcp $HOME_NET any -> [207.32.217.79] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256441; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256442; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256443; rev:1;) alert tcp $HOME_NET any -> [187.135.85.223] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256444; rev:1;) alert tcp $HOME_NET any -> [193.233.132.101] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qingfengddos.x3322.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256445; rev:1;) alert tcp $HOME_NET any -> [89.23.102.165] 158 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256438; rev:1;) alert tcp $HOME_NET any -> [118.194.233.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mcnodes.zapto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"gemak.mk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256354/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256354; rev:1;) alert tcp $HOME_NET any -> [45.88.90.185] 57899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256352/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themetorrent.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256353/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wct-witcom.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256355/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_13; classtype:trojan-activity; sid:91256355; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"samsunguniverse.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256434; rev:1;) alert tcp $HOME_NET any -> [46.246.14.8] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256416/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256416; rev:1;) alert tcp $HOME_NET any -> [193.176.190.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256400/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auyametemplanza.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_13; classtype:trojan-activity; sid:91256210; rev:1;) alert tcp $HOME_NET any -> [193.233.132.101] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256435; rev:1;) alert tcp $HOME_NET any -> [77.221.149.184] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256432; rev:1;) alert tcp $HOME_NET any -> [77.221.149.184] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256433; rev:1;) alert tcp $HOME_NET any -> [116.255.216.145] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256431/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256431; rev:1;) alert tcp $HOME_NET any -> [38.45.126.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256430; rev:1;) alert tcp $HOME_NET any -> [43.249.193.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256429; rev:1;) alert tcp $HOME_NET any -> [38.45.126.102] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256428/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256428; rev:1;) alert tcp $HOME_NET any -> [38.45.126.100] 8888 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256427; rev:1;) alert tcp $HOME_NET any -> [49.235.117.134] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256426/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256426; rev:1;) alert tcp $HOME_NET any -> [38.45.126.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256425; rev:1;) alert tcp $HOME_NET any -> [46.246.86.18] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256424; rev:1;) alert tcp $HOME_NET any -> [189.140.26.156] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256423; rev:1;) alert tcp $HOME_NET any -> [143.198.137.33] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256422/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256422; rev:1;) alert tcp $HOME_NET any -> [66.78.40.230] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256421; rev:1;) alert tcp $HOME_NET any -> [157.230.66.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256420; rev:1;) alert tcp $HOME_NET any -> [163.181.142.111] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_13; classtype:trojan-activity; sid:91256419; rev:1;) alert tcp $HOME_NET any -> [116.203.6.63] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256418; rev:1;) alert tcp $HOME_NET any -> [185.222.57.134] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_13; classtype:trojan-activity; sid:91256417; rev:1;) alert tcp $HOME_NET any -> [47.100.180.123] 56616 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256415; rev:1;) alert tcp $HOME_NET any -> [124.89.53.26] 1010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256414; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256413; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 2047 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256412; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256411; rev:1;) alert tcp $HOME_NET any -> [187.135.146.203] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256410; rev:1;) alert tcp $HOME_NET any -> 
[94.156.67.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256409; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 10002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256408; rev:1;) alert tcp $HOME_NET any -> [77.221.151.12] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256407; rev:1;) alert tcp $HOME_NET any -> [5.181.156.17] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256406; rev:1;) alert tcp $HOME_NET any -> [193.233.232.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256405; rev:1;) alert tcp $HOME_NET any -> [178.33.57.150] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256404/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256404; rev:1;) alert tcp $HOME_NET any -> [171.232.6.144] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256403; rev:1;) alert tcp $HOME_NET any -> [98.181.129.31] 443 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_13; classtype:trojan-activity; sid:91256402; rev:1;) alert tcp $HOME_NET any -> [185.241.208.113] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91256401; rev:1;) alert tcp $HOME_NET any -> [212.52.1.40] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256399; rev:1;) alert tcp $HOME_NET any -> [212.52.1.40] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256398; rev:1;) alert tcp $HOME_NET any -> [142.202.189.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256397; rev:1;) alert tcp $HOME_NET any -> [103.74.192.103] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256396; rev:1;) alert tcp $HOME_NET any -> [38.45.126.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256395; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256394; rev:1;) alert tcp $HOME_NET any -> [162.33.178.99] 4567 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256393; rev:1;) alert tcp $HOME_NET any -> [46.246.14.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256392; rev:1;) alert tcp $HOME_NET any -> 
[92.251.131.147] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256391; rev:1;) alert tcp $HOME_NET any -> [23.93.176.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256390; rev:1;) alert tcp $HOME_NET any -> [41.99.19.206] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256389; rev:1;) alert tcp $HOME_NET any -> [213.175.37.212] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256388; rev:1;) alert tcp $HOME_NET any -> [67.207.68.224] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256387; rev:1;) alert tcp $HOME_NET any -> [104.131.187.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256386/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256386; rev:1;) alert tcp $HOME_NET any -> [141.98.7.77] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256385; rev:1;) alert tcp $HOME_NET any -> [47.93.222.174] 27000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256384/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256384; rev:1;) alert tcp $HOME_NET any -> [45.63.120.203] 57483 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256383; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 30050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256382; rev:1;) alert tcp $HOME_NET any -> [107.172.133.197] 16696 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256381; rev:1;) alert tcp $HOME_NET any -> [103.164.49.176] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256380; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256379; rev:1;) alert tcp $HOME_NET any -> [202.79.168.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256378; rev:1;) alert tcp $HOME_NET any -> [187.135.145.47] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256377; rev:1;) alert tcp $HOME_NET any -> [194.48.251.136] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256376; rev:1;) alert tcp $HOME_NET any -> [185.185.71.5] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256375; rev:1;) alert tcp 
$HOME_NET any -> [38.181.78.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256374; rev:1;) alert tcp $HOME_NET any -> [42.51.37.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256373; rev:1;) alert tcp $HOME_NET any -> [42.51.37.127] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256372; rev:1;) alert tcp $HOME_NET any -> [47.97.113.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256371; rev:1;) alert tcp $HOME_NET any -> [2.58.56.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256370; rev:1;) alert tcp $HOME_NET any -> [77.221.151.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256369/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256369; rev:1;) alert tcp $HOME_NET any -> [217.195.207.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256368; rev:1;) alert tcp $HOME_NET any -> [185.141.61.74] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256367; rev:1;) alert tcp $HOME_NET any -> [178.20.45.159] 7777 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256366; rev:1;) alert tcp $HOME_NET any -> [173.44.50.82] 4433 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256365; rev:1;) alert tcp $HOME_NET any -> [46.226.162.32] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256364; rev:1;) alert tcp $HOME_NET any -> [94.158.245.206] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256363; rev:1;) alert tcp $HOME_NET any -> [45.15.158.144] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256362; rev:1;) alert tcp $HOME_NET any -> [49.13.125.250] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256361; rev:1;) alert tcp $HOME_NET any -> [116.202.186.227] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256360; rev:1;) alert tcp $HOME_NET any -> [116.203.15.18] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256359; rev:1;) alert tcp $HOME_NET any -> [116.202.188.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256358; rev:1;) alert tcp 
$HOME_NET any -> [3.21.170.65] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256357; rev:1;)
alert tcp $HOME_NET any -> [147.189.168.81] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256356/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91256356; rev:1;)
# NOTE(review): the two url rules below match http.uri content "/" with depth:1, which every
# request path satisfies, so they are in effect "any GET whose Host header is exactly this
# IP" rules (the isdataat:!1,relative after http.host pins the host to the bare address).
# Being http rules they only see cleartext HTTP or decrypted TLS; the tcp/443 ip:port rules
# for the same two addresses that follow are what cover the TLS side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.188.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256349; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256348; rev:1;)
alert tcp $HOME_NET any -> [49.13.32.146] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256346; rev:1;)
alert tcp $HOME_NET any -> [116.202.188.155] 443 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256347; rev:1;) alert tcp $HOME_NET any -> [94.156.64.193] 10110 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256204; rev:1;) alert tcp $HOME_NET any -> [206.166.251.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256205; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256206; rev:1;) alert tcp $HOME_NET any -> [171.250.188.12] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256207; rev:1;) alert tcp $HOME_NET any -> [185.216.70.75] 7771 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256209/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256209; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.169] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256201; rev:1;)
alert tcp $HOME_NET any -> [45.134.225.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256202; rev:1;)
alert tcp $HOME_NET any -> [45.134.225.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256203; rev:1;)
# NOTE(review): dns_query is the legacy spelling of the dns.query sticky buffer (current
# releases still accept it; new rules should use dns.query). depth:23 plus
# isdataat:!1,relative makes this an exact match on the bare domain, so a lookup for any
# subdomain (e.g. www.yourserenahelpcustom.uk) will NOT fire; drop the depth/isdataat
# anchoring, or add a suffix-style variant, if subdomain coverage is wanted. Also note the
# $HOME_NET -> $EXTERNAL_NET header: where clients resolve via an internal resolver, only
# the resolver's outbound recursion is seen, so target:src_ip will name the resolver, not
# the infected host - correlate with resolver query logs to find the real source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourserenahelpcustom.uk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256190; rev:1;)
alert tcp $HOME_NET any -> [149.248.79.62] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256191; rev:1;)
alert tcp $HOME_NET any -> [84.247.179.77] 587 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256192; rev:1;) alert tcp $HOME_NET any -> [84.247.179.77] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256193; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 17814 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256194; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 34820 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256195; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 49078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256196; rev:1;) alert tcp $HOME_NET any -> [118.161.124.220] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256197; rev:1;)
alert tcp $HOME_NET any -> [177.60.18.92] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256198; rev:1;)
alert tcp $HOME_NET any -> [191.82.205.54] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256199; rev:1;)
alert tcp $HOME_NET any -> [191.82.213.14] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256200; rev:1;)
# NOTE(review): sid 91256186 and sid 91256187 below are identical apart from sid and
# reference (same method, same URI "/api/connect", same Host "149.248.79.62"), so a single
# request raises both alerts. Presumably the two ThreatFox IOCs differ only in scheme
# (http:// vs https://), which an http.host/http.uri rule cannot distinguish - confirm
# against the two reference URLs. If so, keep one and remember that the https variant is
# only observable with TLS decryption; the tcp/443 ip:port rule for this address is what
# covers it otherwise. The same pattern recurs for the domain form of this URL (sid
# 91256188 / 91256189).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"149.248.79.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"yourserenahelpcustom.uk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256189; rev:1;) alert tcp $HOME_NET any -> [41.108.11.112] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256151; rev:1;) alert tcp $HOME_NET any -> [105.97.37.105] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256152; rev:1;) alert tcp $HOME_NET any -> [176.31.220.92] 1744 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256153; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256154; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256155; rev:1;) alert tcp $HOME_NET any -> [187.135.86.1] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256156; rev:1;) alert tcp $HOME_NET any -> [187.135.122.206] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256157; rev:1;) alert tcp $HOME_NET any -> [187.135.122.206] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256158; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1256159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256159; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256160; rev:1;) alert tcp $HOME_NET any -> [187.135.130.189] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256161; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256163; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256162; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256164; rev:1;) alert tcp $HOME_NET any -> 
[187.135.139.240] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256165; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256166; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256167; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256168; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256169; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256170/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256170; rev:1;) alert tcp $HOME_NET any -> [187.135.145.47] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256173; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256171; rev:1;) alert tcp $HOME_NET any -> [187.135.139.240] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256172; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256174; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256175; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256176; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256177; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256178; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1757 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256179; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256180; rev:1;) alert tcp $HOME_NET any -> [187.135.235.218] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; 
classtype:trojan-activity; sid:91256181; rev:1;)
# NOTE(review): one address (187.135.235.218) is listed here on port after port, each as its
# own rule - presumably the same DarkComet panel re-submitted per observed listener port. If
# the host itself is the confirmed indicator, a single address-level rule (or an IP
# dataset / blocklist entry) is cheaper and easier to age out than the per-port series.
alert tcp $HOME_NET any -> [187.135.235.218] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256182; rev:1;)
alert tcp $HOME_NET any -> [187.135.235.218] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256183; rev:1;)
alert tcp $HOME_NET any -> [187.135.235.218] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256184; rev:1;)
alert tcp $HOME_NET any -> [187.135.235.218] 1736 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256185; rev:1;)
# NOTE(review): the /xmlrpc.php url rules that start here are 60% confidence and name
# ordinary-looking websites - presumably compromised WordPress installs used as relays
# (check the ThreatFox references). They fire for ANY $HOME_NET client that fetches
# /xmlrpc.php from those hosts over cleartext HTTP, which legitimate WordPress traffic can
# also produce, and there is no isdataat after the http.uri content, so a query string
# after /xmlrpc.php still matches. The Host match is exact (depth + isdataat:!1,relative),
# so the www./bare-host variant that is not listed will not match. Consider gating on
# "metadata: confidence_level" below 80 (alert-only, or a lower-priority group) rather
# than treating a hit as confirmed C2 contact.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sigortamsaglik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256083/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256083; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cosplayboobies.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256084/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arkamaya-grhatama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256085/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pdfkutub.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256086/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"naghsheshahr.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256087/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"theceostory.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256088/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thll.org.tw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256090/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sparo1.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256089/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.estedavivere.it"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256091/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freshysites.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256092/; target:src_ip; metadata: confidence_level 60, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.delcas.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256093/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wahlshausen.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256094/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ticketneedlellc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256095/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thevarsity.ca"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256096/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dawinmeckel.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256100/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"etisalangy.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256097/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alldaily.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256099/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"karmanima.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256098/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vicbros.com"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256101/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cbseguides.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256102/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"venousmode.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256103/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"slimmerverdienen.nl"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256104/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"teachersbadi.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256105/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eaalim.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256106/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"heshamsaad.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256107/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"giantif.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256108/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"web-e-reputation.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256109/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtape.net"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256110/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arabfish.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256112/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"itigic.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256111/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digibaru.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256113/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sindipetropb.com.br"; depth:19; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1256114/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swiatyerby.pl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256115/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailysonardesh.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256116/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bokenasetsadra.se"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256117/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lakedistrictbikes.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256118/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256118; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"servicesksa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256120/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balkanyemekleri.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256119/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"openaps.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256121/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bookmeacookie.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256122/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"m-melody.jp"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256124/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"measuremarketing.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256123/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ctoasaservice.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256125/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cocbases.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256126/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256126; rev:1;) alert tcp $HOME_NET any -> [31.124.151.205] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.cmorgan.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256127/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256127; rev:1;) alert tcp $HOME_NET any -> [34.88.143.155] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256129; rev:1;) alert tcp $HOME_NET any -> [45.138.16.235] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256130; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256131; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 3000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256132; rev:1;) alert tcp $HOME_NET any -> [52.185.161.226] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256133; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256134; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256135; rev:1;) alert tcp $HOME_NET any -> [94.156.65.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256136; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256137; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256138; rev:1;) alert tcp $HOME_NET any -> [94.156.65.217] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256139; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256141; rev:1;) alert tcp $HOME_NET any -> [157.254.223.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256140; rev:1;) alert tcp $HOME_NET any -> [163.172.59.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256142; rev:1;) alert tcp $HOME_NET any -> [167.88.168.110] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256143; rev:1;) alert tcp $HOME_NET any -> [172.111.137.179] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256144; rev:1;) alert tcp $HOME_NET any -> [178.73.218.12] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256145; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256146; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256147; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256148; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256149; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 8808 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256150; rev:1;) alert tcp $HOME_NET any -> [45.152.64.31] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256074; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256075; rev:1;) alert tcp $HOME_NET any -> [38.207.178.198] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256076; rev:1;) alert tcp $HOME_NET any -> [45.133.238.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256077; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256078/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_12; classtype:trojan-activity; sid:91256078; rev:1;) alert tcp $HOME_NET any -> [198.244.135.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256079; rev:1;) alert tcp $HOME_NET any -> [58.185.25.6] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256080; rev:1;) alert tcp $HOME_NET any -> [185.239.226.11] 7899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256081; rev:1;) alert tcp $HOME_NET any -> [209.58.183.85] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256082; rev:1;) alert tcp $HOME_NET any -> [103.146.50.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256067; rev:1;) alert tcp $HOME_NET any -> [149.28.23.34] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256068; rev:1;) alert tcp $HOME_NET any -> [111.92.243.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256069; rev:1;) alert tcp $HOME_NET any -> [170.130.55.121] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebraska-lawyers.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256071; rev:1;) alert tcp $HOME_NET any -> [23.224.61.93] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256072; rev:1;) alert tcp $HOME_NET any -> [91.92.246.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256073; rev:1;) alert tcp $HOME_NET any -> [117.50.162.108] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256066; rev:1;) alert tcp $HOME_NET any -> [159.75.92.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256036; rev:1;) alert tcp $HOME_NET any -> [175.27.166.185] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256038; rev:1;) alert tcp $HOME_NET any -> [159.75.103.67] 12123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256037; rev:1;) alert tcp $HOME_NET any -> [8.134.14.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256039; rev:1;) alert tcp $HOME_NET any -> [8.138.100.71] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1256040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256040; rev:1;) alert tcp $HOME_NET any -> [8.138.120.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256041; rev:1;) alert tcp $HOME_NET any -> [47.99.56.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256042; rev:1;) alert tcp $HOME_NET any -> [114.55.113.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256047; rev:1;) alert tcp $HOME_NET any -> [114.55.115.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256048; rev:1;) alert tcp $HOME_NET any -> [118.31.115.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256049; rev:1;) alert tcp $HOME_NET any -> [120.26.169.185] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256050; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256052; rev:1;) alert tcp $HOME_NET any -> [104.236.69.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256051; rev:1;) alert tcp $HOME_NET any -> [142.93.140.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256053; rev:1;) alert tcp $HOME_NET any -> [143.198.70.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256054; rev:1;) alert tcp $HOME_NET any -> [157.245.12.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256055/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256055; rev:1;) alert tcp $HOME_NET any -> [165.232.123.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256056; rev:1;) alert tcp $HOME_NET any -> [47.242.249.91] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256057; rev:1;) alert tcp $HOME_NET any -> [47.243.59.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256058; rev:1;) alert tcp $HOME_NET any -> [43.129.201.38] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antfinancial.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1256060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256060; rev:1;) alert tcp $HOME_NET any -> [43.128.3.197] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256061; rev:1;) alert tcp $HOME_NET any -> [43.128.40.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256062; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256064; rev:1;) alert tcp $HOME_NET any -> [23.95.47.68] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256063; rev:1;) alert tcp $HOME_NET any -> [20.27.144.160] 9002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fabricate/state/rh3kw9xu"; depth:25; nocase; http.host; content:"43.138.208.188"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1256045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256045; rev:1;) alert tcp $HOME_NET any -> [43.138.208.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256046; rev:1;) alert tcp $HOME_NET any -> [172.234.250.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"172.234.250.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.arton-bv.nl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256034/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"textis.ru"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256035/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256035; rev:1;) alert tcp $HOME_NET any -> [193.124.113.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256033; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256032; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256031; rev:1;) alert tcp $HOME_NET any -> [45.195.54.195] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256029/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256029; rev:1;) alert tcp $HOME_NET any -> [172.94.39.213] 2016 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256028; rev:1;) alert tcp $HOME_NET any -> [178.73.218.12] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wonderforest.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256007/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nationalviews.com"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256008/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"crochetkim.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256009/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.app-gehts.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256011/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"coolskyfood.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256010/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"salamfest.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256012/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; 
sid:91256012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voxpublica.no"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256013/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambtenarensalaris.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256014/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"besocy.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256015/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"entekhab.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256016/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rkbaienfurt.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256017/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amerac.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256018/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256018; rev:1;) alert tcp $HOME_NET any -> [165.232.44.213] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256026; rev:1;) alert tcp $HOME_NET any -> [89.38.225.168] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256025; rev:1;) alert tcp $HOME_NET any -> [165.227.136.196] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256024; rev:1;) alert tcp $HOME_NET any -> [193.226.15.100] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1256023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256023; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256022; rev:1;) alert tcp $HOME_NET any -> [195.35.16.247] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256021; rev:1;) alert tcp $HOME_NET any -> [144.202.47.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256020; rev:1;) alert tcp $HOME_NET any -> [49.13.151.150] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_12; classtype:trojan-activity; sid:91256019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"news.mn"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256004/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256004; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.casagaribaldi.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256005/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thepointsking.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256006/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_12; classtype:trojan-activity; sid:91256006; rev:1;) alert tcp $HOME_NET any -> [5.42.65.50] 33080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256002; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 6136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255999/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256001/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"85.192.56.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"5.42.66.10"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91255993; rev:1;) alert tcp $HOME_NET any -> [172.245.191.97] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_12; classtype:trojan-activity; sid:91255992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecbabbshop24578.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karamdsadvs2.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"karakalandankasd5.com"; depth:21; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1255763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdqyn2nmogezotik/"; depth:18; nocase; http.host; content:"tecklardankalan.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_12; classtype:trojan-activity; sid:91255764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/2028"; depth:15; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1256003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_12; classtype:trojan-activity; sid:91256003; rev:1;) alert tcp $HOME_NET any -> [45.15.158.15] 6969 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1256000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91256000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.39.11"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.202.233.204"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.233.132.241"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.21.118.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"farozinda.ru"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.188"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"top-adobe.site"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.209"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1255983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.216.70.109"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.97"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"unidasg.top"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1255981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.216.123.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.33"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"abrws.com.br"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1255978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.184.48.114"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1255977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"89.105.223.142"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.146.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.113.119.199"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.26"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1255973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rewe-coupouns.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1255972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"52.143.157.84"; depth:13; 
nocase; reference:url, threatfox.abuse.ch/ioc/1255971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255971; rev:1;) alert tcp $HOME_NET any -> [154.12.85.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.12.85.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255969; rev:1;) alert tcp $HOME_NET any -> [62.109.5.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255968; rev:1;) alert tcp $HOME_NET any -> [212.224.88.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255967; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; 
classtype:trojan-activity; sid:91255966; rev:1;) alert tcp $HOME_NET any -> [123.60.128.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255965; rev:1;) alert tcp $HOME_NET any -> [107.167.92.76] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255964; rev:1;) alert tcp $HOME_NET any -> [46.246.82.21] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255963; rev:1;) alert tcp $HOME_NET any -> [139.218.246.83] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255962; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255960; rev:1;) alert tcp $HOME_NET any -> [43.135.55.212] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255961; rev:1;) alert tcp $HOME_NET any -> [66.85.173.32] 2268 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255959; rev:1;) alert tcp $HOME_NET any -> [163.181.39.67] 4506 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255958; rev:1;) alert tcp $HOME_NET any -> [111.31.37.38] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255957; rev:1;) alert tcp $HOME_NET any -> [5.253.43.96] 8010 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255956; rev:1;) alert tcp $HOME_NET any -> [45.32.233.38] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255955; rev:1;) alert tcp $HOME_NET any -> [46.246.14.23] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdpenallitysydw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telldruggcommitetter.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doughmebinnybunio.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255807/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"orbitpettystudio.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"interferencesandyshiw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"warningindicationsjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"concessionofsellerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255803; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"strainriskpropos.store"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neddlepyramidfunnyjok.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revisedrinkslappyoowi.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"birdvigorousedetertyw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"newspaperpotatoju.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickbrothjorkyooe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peanutclutchlowwow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"appliedgrandyjuiw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sailsystemeyeusjw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255794/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"rugbysummerosodnwu.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"spokespersonunjuriwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"jewelbasinfrankywoi.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"convictionpartyeokwi.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255790; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"competitionpooleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"landgateindirectdangre.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"roundpolechildryowjv.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"democraticseekysiwo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"prematuresolvehumoew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"directorryversionyju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tearfulbashfulow.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"computerfuneralljwu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"divosrcemusemutati.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255781/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"practicalcoherentt.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pumpedcalmdeadpannkow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"meadowannivejrsary.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"awardlandscareposiw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255777; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"chokepopilarvirusew.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"disgustedsorryeedi.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"marchsensedjurkey.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paintercrutcheniw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/api"; depth:4; nocase; http.host; content:"speedparticipatewo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wagonglidemonkywo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"punchtelephoneverdi.store"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"preciousenviouskakei.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"officiallongberyw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255768/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"deadpanstupiddyjjuwk.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinationconventiwov.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wpseed.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"estesidiosplat.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"liverpool777.duckdns.org"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255760; rev:1;) alert tcp $HOME_NET any -> [85.239.34.72] 9981 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255758; rev:1;) alert tcp $HOME_NET any -> [198.46.143.219] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255757/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"infineitsolutions.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"infineitsolutions.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"gitkonus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255752; rev:1;) alert tcp $HOME_NET any -> [116.202.186.227] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.186.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255754; rev:1;) alert tcp $HOME_NET any -> [65.109.242.131] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255749; rev:1;)
# NOTE(review): the ip:port rules in this feed (e.g. sid 91255748 below) carry no flow: or payload
# condition, so the first packet of an outbound connection attempt to the listed IP:port is enough
# to alert; the threshold (type limit, 1 per source per 60 s) only throttles repeats. A hit means
# "connection attempted", not "C2 session established"; confirm with flow records before escalating.
alert tcp $HOME_NET any -> [8.220.200.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255748; rev:1;)
# NOTE(review): "/jquery-3.3.1.min.js" is a generic static-asset name. This rule is precise only
# because the URI match is tied to the http.host below (depth equals the content length, so each
# match is anchored at the start of its buffer, and isdataat:!1,relative requires an exact host);
# do not loosen the host clause when tuning. It also applies to cleartext HTTP only - TLS to the
# same host on 443 is covered by sid 91255748 above, which cannot see the URI.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255747; rev:1;)
alert tcp $HOME_NET any -> [124.71.150.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255745; rev:1;)
# NOTE(review): same URI as sid 91255747, different host; the host clause is again what makes it safe.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"86.107.199.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255746; rev:1;)
alert
tcp $HOME_NET any -> [182.92.79.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255743; rev:1;)
# NOTE(review): 182.92.79.194 (sids 91255743/91255744) and 118.25.150.165 (91255720/91255721) get one
# rule per port. A single rule with a port list would be cheaper to evaluate, but the feed appears to
# keep a 1:1 sid-to-IOC mapping so that each reference: link is exact; leave the split as is.
alert tcp $HOME_NET any -> [182.92.79.194] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255744; rev:1;)
alert tcp $HOME_NET any -> [78.142.18.222] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255718; rev:1;)
# NOTE(review): destination port 445 (SMB) on an Internet host. Outbound SMB to external IPs is
# rarely legitimate and is commonly used to coerce NTLM authentication from the victim, so a hit
# here suggests the source was induced to connect, not only that it is beaconing. An egress block
# on TCP/445 to non-private address space covers this (and any future IP) independently of this IOC.
alert tcp $HOME_NET any -> [5.180.24.155] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255719; rev:1;)
alert tcp $HOME_NET any -> [118.25.150.165] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255720; rev:1;)
alert tcp $HOME_NET any -> [118.25.150.165] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url,
threatfox.abuse.ch/ioc/1255721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255721; rev:1;) alert tcp $HOME_NET any -> [119.45.171.159] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255722; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255723; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255724; rev:1;) alert tcp $HOME_NET any -> [119.45.227.37] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255725; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255726; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255727; rev:1;) alert tcp $HOME_NET any -> [154.8.160.93] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255728; rev:1;) alert tcp $HOME_NET any -> [175.27.158.231] 30000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255729; rev:1;) alert tcp $HOME_NET any -> [42.192.42.231] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255730; rev:1;) alert tcp $HOME_NET any -> [101.42.24.57] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255731; rev:1;) alert tcp $HOME_NET any -> [120.53.237.23] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255732/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255732; rev:1;) alert tcp $HOME_NET any -> [122.51.219.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255733; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255734; rev:1;) alert tcp $HOME_NET any -> [150.158.33.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255735; rev:1;) alert tcp $HOME_NET any -> [162.14.102.251] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255736; rev:1;) alert tcp $HOME_NET any -> [47.92.131.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255738; rev:1;) alert tcp $HOME_NET any -> [175.24.189.213] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255737; rev:1;) alert tcp $HOME_NET any -> [47.104.82.127] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255739; rev:1;) alert tcp $HOME_NET any -> [47.120.60.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255740; rev:1;) alert tcp $HOME_NET any -> [101.37.84.176] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255741; rev:1;) alert tcp $HOME_NET any -> [139.224.231.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"212.87.204.3"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255711; rev:1;)
# NOTE(review): sids 91255711-91255717 share the 18-byte path "/yzqynjflzje1odvm/" across one IP
# (212.87.204.3) and six domains that differ only in stem and TLD (germanisoppinionsi.{com,net,xyz},
# germanisoppinionzani.{com,net,xyz}). Each rule is bound to a single http.host, so the next domain
# in the pattern is missed; the path itself is the stable pivot here and is a candidate for a
# host-agnostic local rule, at the cost of firing on any host that happens to serve that path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255712/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255713/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionsi.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255714/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255715/; target:src_ip; metadata: confidence_level
80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255716/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzqynjflzje1odvm/"; depth:18; nocase; http.host; content:"germanisoppinionzani.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255717; rev:1;) alert tcp $HOME_NET any -> [91.92.243.79] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255710; rev:1;) alert tcp $HOME_NET any -> [94.154.34.137] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255709; rev:1;) alert tcp $HOME_NET any -> [109.120.176.38] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255708/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255708; rev:1;) alert tcp $HOME_NET any -> [79.137.197.154] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255707; rev:1;) alert tcp $HOME_NET any -> [123.56.214.38] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255706; rev:1;) alert tcp $HOME_NET any -> [46.246.84.8] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255705; rev:1;) alert tcp $HOME_NET any -> [179.13.3.18] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255704; rev:1;) alert tcp $HOME_NET any -> [190.134.136.148] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255703; rev:1;) alert tcp $HOME_NET any -> [41.103.240.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255702; rev:1;)
# NOTE(review): confidence_level 50 entries. They match on destination IP:port alone - no flow:,
# TLS or payload condition - so any outbound SYN to the address on that port alerts; on 443 that
# includes ordinary TLS to a host that may be shared, or re-assigned since first_seen 2024_04_11.
# Treat them as leads rather than block-list input: check that the referenced ThreatFox entry is
# still active and, where the family has a known TLS fingerprint, tighten with tls.sni / ja3 first.
alert tcp $HOME_NET any -> [175.13.33.64] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255701; rev:1;)
# NOTE(review): "Responder" is usually a LAN credential-capture tool rather than a beaconing implant,
# so an Internet-facing IP:port IOC for it on TCP/80 is unusual; read the submitter's context on the
# referenced page before acting on a hit.
alert tcp $HOME_NET any -> [20.125.108.162] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255700; rev:1;)
alert tcp $HOME_NET any -> [45.133.238.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255699; rev:1;)
alert tcp $HOME_NET any -> [16.171.148.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255698; rev:1;)
alert tcp $HOME_NET any -> [164.215.103.89] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255697; rev:1;)
alert tcp $HOME_NET any -> [143.198.73.229] 7443
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255696; rev:1;)
# NOTE(review): dns rules in this feed anchor the name with depth:<len> plus isdataat:!1,relative,
# so only the exact name matches; a query for a subdomain (www.<name>, or a name in a CNAME chain)
# does not fire. The header also requires the query to leave $HOME_NET: clients behind an internal
# recursive resolver are only seen on the resolver's upstream leg, where src_ip (and target:src_ip)
# is the resolver, not the infected client. Use any -> any, or resolver query logs, when client
# attribution matters.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassonite.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255694; rev:1;)
# NOTE(review): the same /wp-includes/putty-64bit-0.80-installer.zip path is served from three hosts
# in this feed (this one, support.hosting-hero.com sid 91255686, mail.smartnet-support.com sid
# 91255688) and is accompanied by look-alike domains (puttyy.ca, pputy.com, puuty.org, putty-ssh.com,
# ...), which reads as a trojanised-installer lure. Each rule is tied to one http.host, so a re-hosted
# copy on a new domain is missed; a local host-agnostic variant on the URI alone (a PuTTY installer
# under a WordPress wp-includes path is unlikely to be legitimate) is a reasonable supplement, and
# any such download should be compared against the vendor's published hash before it is trusted.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"newarticles23.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255685; rev:1;)
# NOTE(review): same pattern as above with a FileZilla installer name (cf. file-zilla-projectt.org, sid 91255680).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/filezilla_3.66.1_win64.zip"; depth:39; nocase; http.host; content:"amplex-amplification.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255684; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puttyy.ca"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11;
classtype:trojan-activity; sid:91255683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"pputy.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"puuty.org"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"file-zilla-projectt.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"powerup.dynuddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255679; rev:1;) alert tcp $HOME_NET any -> [104.238.137.229] 6363 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255678; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37144 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255632; rev:1;) alert tcp $HOME_NET any -> [45.13.227.109] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255633; rev:1;) alert tcp $HOME_NET any -> [192.54.57.69] 3884 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaztc.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255674; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"support.hosting-hero.com"; depth:24; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/installer.zip"; depth:14; nocase; http.host; content:"mkt.geostrategy-ec.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/putty-64bit-0.80-installer.zip"; depth:43; nocase; http.host; content:"mail.smartnet-support.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"infoputty.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255689/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putt-get.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255690/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 
50%)"; dns_query; content:"ssh-client.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"putty-ssh.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_11; classtype:trojan-activity; sid:91255692; rev:1;) alert tcp $HOME_NET any -> [207.32.216.126] 30685 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_11; classtype:trojan-activity; sid:91255693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"makaraaras.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"mabelkanadan.shop"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karamdasn2.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2jhnzzhzwrjmzlm/"; depth:18; nocase; http.host; content:"karakalandan5.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_11; classtype:trojan-activity; sid:91255495; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255518/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"parahoyestsidio.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255519/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255519; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5557 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_11; classtype:trojan-activity; sid:91255520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/88746289041"; depth:22; nocase; http.host; content:"24.199.107.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255676; rev:1;) alert tcp $HOME_NET any -> [45.61.139.225] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255669; rev:1;) alert tcp $HOME_NET any -> [38.92.40.19] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255668; rev:1;) alert tcp $HOME_NET any -> [45.128.232.135] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255667; rev:1;) alert tcp $HOME_NET any -> [45.128.232.135] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255666; rev:1;) alert tcp $HOME_NET any -> [92.63.96.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1255665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255665; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255664; rev:1;) alert tcp $HOME_NET any -> [154.40.47.121] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255663; rev:1;) alert tcp $HOME_NET any -> [47.108.204.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255662; rev:1;) alert tcp $HOME_NET any -> [43.128.177.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255661; rev:1;) alert tcp $HOME_NET any -> [47.93.174.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255660; rev:1;) alert tcp $HOME_NET any -> 
[123.57.137.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255659; rev:1;) alert tcp $HOME_NET any -> [47.93.173.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255658; rev:1;) alert tcp $HOME_NET any -> [46.246.82.12] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255657; rev:1;) alert tcp $HOME_NET any -> [171.41.198.122] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255656; rev:1;) alert tcp $HOME_NET any -> [216.83.36.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255655/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255655; rev:1;) alert tcp $HOME_NET any -> [103.186.108.212] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255654/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255654; rev:1;) alert tcp $HOME_NET any -> [94.156.10.201] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255652; rev:1;) alert tcp $HOME_NET any -> [86.22.67.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255653/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255653; rev:1;) alert tcp $HOME_NET any -> [62.1.168.180] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255651/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255651; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255650; rev:1;) alert tcp $HOME_NET any -> [185.62.57.235] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255649/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255649; rev:1;) alert tcp $HOME_NET any -> [95.172.23.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255648; rev:1;) alert tcp $HOME_NET any -> [202.95.23.39] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255647; rev:1;) alert tcp $HOME_NET any -> [88.214.59.115] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255646; rev:1;) alert tcp $HOME_NET any -> [43.129.31.231] 8858 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255645; rev:1;) alert tcp $HOME_NET any -> [116.177.245.48] 4505 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255644; rev:1;) alert tcp $HOME_NET any -> [137.220.197.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255643; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 31337 
(msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255642; rev:1;) alert tcp $HOME_NET any -> [3.105.98.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255641; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255640; rev:1;) alert tcp $HOME_NET any -> [94.98.197.28] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255639; rev:1;) alert tcp $HOME_NET any -> [66.50.11.141] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255638; rev:1;) alert tcp $HOME_NET any -> [174.75.184.124] 2083 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255637/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_10; classtype:trojan-activity; sid:91255637; rev:1;) alert tcp $HOME_NET any -> [72.203.198.245] 8009 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255636; rev:1;) alert tcp $HOME_NET any -> [213.195.121.48] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255635; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.56.226.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"38.6.178.161"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255631; rev:1;) alert tcp $HOME_NET any -> [202.144.192.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; 
classtype:trojan-activity; sid:91255630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"202.144.192.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.242.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255523; rev:1;) alert tcp $HOME_NET any -> [195.201.47.150] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255522; rev:1;) alert tcp $HOME_NET any -> [95.217.242.90] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255521/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.microsoftonline.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.microsoftonline.info"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255515; rev:1;) alert tcp $HOME_NET any -> [47.236.185.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; 
nocase; http.host; content:"47.236.185.166"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.92.14.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"62.234.27.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"49.232.55.153"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255508/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_10; classtype:trojan-activity; sid:91255508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7b7cd24ea6f08b711cf4053beac43cc5.melonhack.top"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255507; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255504; rev:1;) alert tcp $HOME_NET any -> [154.204.177.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"114.132.62.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"193.32.149.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; nocase; http.host; content:"baidu.freemetb.top"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baidu.freemetb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"173.249.196.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"121.37.237.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255497; rev:1;) alert tcp $HOME_NET any -> [154.204.177.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255496; rev:1;) alert tcp $HOME_NET any -> [202.144.192.44] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fdsagwagfdsba.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255490; rev:1;) alert tcp $HOME_NET any -> [45.61.141.168] 35228 (msg:"ThreatFox RedLine Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255489; rev:1;) alert tcp $HOME_NET any -> [89.185.84.115] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255488; rev:1;) alert tcp $HOME_NET any -> [93.123.85.100] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255486; rev:1;) alert tcp $HOME_NET any -> [141.98.10.76] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255487; rev:1;) alert tcp $HOME_NET any -> [91.92.242.187] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255478/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255478; rev:1;) alert tcp $HOME_NET any -> [79.137.192.4] 80 (msg:"ThreatFox Poseidon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; 
classtype:trojan-activity; sid:91255479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/jetpack/json-endpoints/jetpack/hays_compiled_documents.zip"; depth:78; nocase; http.host; content:"felizcity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"samsunguniverse.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdefs.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdasd65.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererdgfdgn2.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255476/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"cmsdisybnererd5345.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255477/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dsbr.cam"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255467/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255467; rev:1;) alert tcp $HOME_NET any -> [94.156.8.110] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jswl.vipsf888.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255470; rev:1;) alert tcp $HOME_NET any -> [14.225.219.227] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255469; rev:1;) alert tcp $HOME_NET any -> [23.95.254.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"23.95.254.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"119.91.214.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pdtzx.scr"; depth:10; nocase; http.host; content:"covid19help.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.ib-comm-gateway.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zhudaji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rubiconviewer.buzz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hatsune.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"int.hatsune.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255464; rev:1;) alert tcp $HOME_NET any -> [45.148.244.74] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255459; rev:1;) alert tcp $HOME_NET any -> [91.92.240.123] 999 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255458; rev:1;) alert tcp $HOME_NET any -> [91.92.253.58] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255457; rev:1;) alert tcp $HOME_NET any -> [166.88.61.185] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255456; rev:1;) alert tcp $HOME_NET any -> [38.89.76.175] 61915 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255455; rev:1;) alert tcp $HOME_NET any -> [106.54.222.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255454; rev:1;) alert tcp $HOME_NET any -> [194.87.236.115] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255453; rev:1;) alert tcp $HOME_NET any -> [101.200.160.159] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255452; rev:1;) alert tcp $HOME_NET any -> [121.36.61.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255451; rev:1;) alert tcp $HOME_NET any -> [101.200.214.198] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255450; rev:1;) alert tcp $HOME_NET any -> [111.223.247.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255449; rev:1;) alert tcp $HOME_NET any -> [179.13.2.154] 2230 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255448/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255448; rev:1;) alert tcp $HOME_NET any -> [46.246.14.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255447; rev:1;) alert tcp $HOME_NET any -> [51.116.96.182] 4000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255446; rev:1;) alert tcp $HOME_NET any -> [188.126.90.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255445; rev:1;) alert tcp $HOME_NET any -> [97.118.50.67] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255444; rev:1;) alert tcp $HOME_NET any -> [8.140.193.181] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255443; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255441; rev:1;) alert tcp $HOME_NET any -> [167.172.246.65] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255442; rev:1;) alert tcp $HOME_NET any -> [47.236.151.19] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255440; rev:1;) alert tcp $HOME_NET any -> [47.245.38.152] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255439; rev:1;) alert tcp $HOME_NET any -> [167.71.105.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_10; classtype:trojan-activity; sid:91255438; rev:1;) alert tcp $HOME_NET any -> [116.203.15.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255436; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255424; rev:1;) alert tcp $HOME_NET any -> [51.68.169.77] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255422; rev:1;) alert tcp $HOME_NET any -> [89.105.201.98] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"ahhhuu22cxxx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h23hxa22f3f2a.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255416; rev:1;) alert tcp $HOME_NET any -> [47.242.231.229] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"h13f2hah2aa.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"cwcwac3f422af.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zdfmmdlmzwe1ztji/"; depth:18; nocase; http.host; content:"g2agfawfw.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255419/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_10; classtype:trojan-activity; sid:91255419; rev:1;) alert tcp $HOME_NET any -> [77.221.137.22] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.106"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"38.181.35.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/lets.exe"; depth:9; nocase; http.host; content:"154.23.178.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kuailianv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"winarkamaps.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255430/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stratimasesstr.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255431/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255431; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 8732 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255435/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_10; classtype:trojan-activity; sid:91255435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boom.baiduboomboom.tk"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255433/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255433; rev:1;) alert tcp $HOME_NET any -> [1.15.247.249] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"boom.baiduboomboom.tk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_10; classtype:trojan-activity; sid:91255432; rev:1;) alert tcp $HOME_NET any -> [94.250.249.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255414; rev:1;) alert tcp $HOME_NET any -> [178.128.106.68] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255413; rev:1;) alert tcp $HOME_NET any -> [150.109.70.101] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255412; rev:1;) alert tcp $HOME_NET any -> [176.96.138.72] 9191 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255411; rev:1;) alert tcp $HOME_NET any -> [39.101.205.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255410; rev:1;) alert tcp $HOME_NET any -> [39.40.139.74] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255409; rev:1;) alert tcp $HOME_NET any -> [198.135.163.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255408; rev:1;) alert tcp $HOME_NET any -> [159.69.195.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255407; rev:1;) alert tcp $HOME_NET any -> [34.195.136.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255406; rev:1;) alert tcp $HOME_NET any -> [3.88.131.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255405; rev:1;) alert tcp $HOME_NET any -> [116.122.95.74] 80 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vchaonlyone.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"senpalia.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255402; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255403; rev:1;) alert tcp $HOME_NET any -> [46.246.6.20] 5050 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255404; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255224; rev:1;) alert tcp $HOME_NET any -> [124.221.56.114] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255225; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255193; rev:1;) alert tcp $HOME_NET any -> [111.229.158.40] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255192; rev:1;) alert tcp $HOME_NET any -> [101.43.111.190] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255174/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255174; rev:1;) alert tcp $HOME_NET any -> [43.139.52.213] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255117; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255276; rev:1;) alert tcp $HOME_NET any -> [128.199.0.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255277; rev:1;) alert tcp $HOME_NET any -> [139.59.101.62] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255278; rev:1;) alert tcp $HOME_NET any -> [159.65.20.58] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255279; rev:1;) alert tcp $HOME_NET any -> [23.95.65.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255280; rev:1;) alert tcp $HOME_NET any -> [43.163.220.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255281; rev:1;) alert tcp $HOME_NET any -> [119.28.110.63] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tencentweb.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255283; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255284; rev:1;) alert tcp $HOME_NET any -> [47.76.113.146] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255395/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_09; classtype:trojan-activity; sid:91255395; rev:1;) alert tcp $HOME_NET any -> [74.226.216.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255285; rev:1;) alert tcp $HOME_NET any -> [45.152.243.228] 9090 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255394; rev:1;) alert tcp $HOME_NET any -> [102.165.56.50] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255396; rev:1;) alert tcp $HOME_NET any -> [162.238.154.3] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255397; rev:1;) alert tcp $HOME_NET any -> [179.100.74.227] 1024 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255398; rev:1;) alert tcp $HOME_NET any -> [194.48.251.169] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255399; rev:1;) alert tcp $HOME_NET any -> [47.76.178.33] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255273; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255274; rev:1;) alert tcp $HOME_NET any -> [64.23.173.19] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255275; rev:1;) alert tcp $HOME_NET any -> [47.76.163.6] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255272; rev:1;) alert tcp $HOME_NET any -> [47.97.96.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255266; rev:1;) alert tcp $HOME_NET 
any -> [1.92.79.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255269; rev:1;) alert tcp $HOME_NET any -> [47.120.65.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255267; rev:1;) alert tcp $HOME_NET any -> [112.124.34.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255268; rev:1;) alert tcp $HOME_NET any -> [124.71.129.181] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255270; rev:1;) alert tcp $HOME_NET any -> [23.94.148.10] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255271; rev:1;) alert tcp $HOME_NET any -> [47.92.200.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255265/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255265; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 17500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255263; rev:1;) alert tcp $HOME_NET any -> [121.40.139.97] 44888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255264; rev:1;) alert tcp $HOME_NET any -> [8.130.143.185] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255261; rev:1;) alert tcp $HOME_NET any -> [120.24.170.13] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255262; rev:1;) alert tcp $HOME_NET any -> [8.130.98.244] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255259; rev:1;) alert tcp $HOME_NET any -> [8.130.142.27] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255260; rev:1;) alert tcp $HOME_NET any -> [206.233.128.64] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255356; rev:1;) alert tcp $HOME_NET any -> [45.77.24.231] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255388; rev:1;) alert tcp $HOME_NET any -> [181.162.187.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255353; rev:1;) alert tcp $HOME_NET any -> [184.190.169.22] 3389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255354; rev:1;) alert tcp $HOME_NET any -> [185.174.101.93] 6546 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255355; rev:1;) alert tcp $HOME_NET any -> [8.130.34.199] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255349; rev:1;) alert tcp $HOME_NET any -> [150.158.139.196] 6666 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255352; rev:1;) alert tcp $HOME_NET any -> [91.92.254.190] 8084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255350; rev:1;) alert tcp $HOME_NET any -> [103.143.15.58] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255351; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255331; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255332; rev:1;) alert tcp $HOME_NET any -> [172.247.5.223] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255329; rev:1;) alert tcp $HOME_NET any -> [23.224.143.16] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255330; rev:1;) alert tcp $HOME_NET any -> [45.145.228.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; 
content:"fairfurryfriends.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newintento777.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"akademipraktik.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255288; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255389; rev:1;) alert tcp $HOME_NET any -> [91.92.255.45] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255390; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255391; rev:1;) alert tcp $HOME_NET any -> [94.156.65.159] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255392; rev:1;) alert tcp $HOME_NET any -> [49.232.55.153] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255131; rev:1;) alert tcp $HOME_NET any -> [49.232.208.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255144; rev:1;) alert tcp $HOME_NET any -> [43.136.90.70] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255096; rev:1;) alert tcp $HOME_NET any -> [45.89.53.187] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255085; rev:1;) alert tcp $HOME_NET any -> [159.100.30.207] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255393; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255387; rev:1;) alert tcp $HOME_NET any -> [193.143.1.168] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255386; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255385/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255385; rev:1;) alert tcp $HOME_NET any -> [93.123.39.11] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255384/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255384; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255383; rev:1;) alert tcp $HOME_NET any -> [52.143.157.84] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255382/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255382; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255381/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255381; rev:1;) alert tcp $HOME_NET any -> [185.209.162.38] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255380/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255380; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255379/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255379; rev:1;) alert tcp $HOME_NET any -> [185.172.128.209] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255378/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255378; rev:1;) alert tcp $HOME_NET any -> [95.164.2.59] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255377/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255377; rev:1;) alert tcp $HOME_NET any -> [95.164.2.59] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255376/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255376; rev:1;) alert tcp $HOME_NET any -> [62.113.119.199] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255375; rev:1;) alert tcp $HOME_NET any -> [62.113.119.199] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255374/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255374; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255373/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255373; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 80 
(msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255372/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255372; rev:1;) alert tcp $HOME_NET any -> [193.143.1.226] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255371/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255371; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255370; rev:1;) alert tcp $HOME_NET any -> [185.216.70.109] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255369/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255369; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255368/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255368; rev:1;) alert tcp $HOME_NET any -> [217.182.197.48] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255367; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255366/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255366; rev:1;) alert tcp $HOME_NET any -> [185.172.128.26] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255365/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255365; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255364/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255364; rev:1;) alert tcp $HOME_NET any -> [185.172.128.208] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255363; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255362; rev:1;) alert tcp $HOME_NET any -> [94.156.8.97] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255361/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255361; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255360; rev:1;) alert tcp $HOME_NET any -> [91.202.233.204] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255359; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255358/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255358; rev:1;) alert tcp $HOME_NET any -> [147.45.78.181] 22 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255357; rev:1;) alert tcp $HOME_NET any -> [188.166.232.102] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255348/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255348; rev:1;) alert tcp $HOME_NET any -> [45.67.86.155] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255347/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255347; rev:1;) alert tcp $HOME_NET any -> [209.141.37.216] 3074 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255346/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255346; rev:1;) alert tcp $HOME_NET any -> [45.128.232.130] 1337 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255345/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255345; rev:1;) alert tcp $HOME_NET any -> [45.67.86.157] 9009 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255344; rev:1;) alert tcp $HOME_NET any -> [51.68.213.73] 25 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255343/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255343; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255342/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255342; 
rev:1;) alert tcp $HOME_NET any -> [103.97.58.61] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255341/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255341; rev:1;) alert tcp $HOME_NET any -> [185.158.132.135] 80 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255340/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255340; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 50054 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255339; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7018 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255338/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255338; rev:1;) alert tcp $HOME_NET any -> [147.78.47.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255337/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255337; rev:1;) alert tcp $HOME_NET any -> [182.92.216.171] 57001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255336; rev:1;) alert tcp $HOME_NET any -> [91.92.252.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255335/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255335; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 6789 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255334/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255334; rev:1;) alert tcp $HOME_NET any -> [81.19.137.205] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255333; rev:1;) alert tcp $HOME_NET any -> [107.167.93.99] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255328/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255328; rev:1;) alert tcp $HOME_NET any -> [64.94.85.165] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255327; rev:1;) alert tcp $HOME_NET any -> [92.42.96.24] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port 
- confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255326; rev:1;) alert tcp $HOME_NET any -> [77.221.156.212] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255325; rev:1;) alert tcp $HOME_NET any -> [193.233.132.114] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255324; rev:1;) alert tcp $HOME_NET any -> [141.195.117.127] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255323; rev:1;) alert tcp $HOME_NET any -> [188.40.248.148] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255322/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255322; rev:1;) alert tcp $HOME_NET any -> [91.227.40.93] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255321; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 10000 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255320; rev:1;) alert tcp $HOME_NET any -> [91.92.255.182] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255319; rev:1;) alert tcp $HOME_NET any -> [178.62.239.104] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255318; rev:1;) alert tcp $HOME_NET any -> [64.7.199.224] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255317; rev:1;) alert tcp $HOME_NET any -> [89.238.170.230] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255316; rev:1;) alert tcp $HOME_NET any -> [185.17.40.132] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255315; rev:1;) alert tcp $HOME_NET any -> [146.70.135.158] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255314; rev:1;) alert tcp $HOME_NET any -> [91.198.166.140] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255313; rev:1;) alert tcp $HOME_NET any -> [192.227.94.170] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255312; rev:1;) alert tcp $HOME_NET any -> [193.233.132.111] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255311/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255311; rev:1;) alert tcp $HOME_NET any -> [193.233.132.38] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255310; rev:1;) alert tcp $HOME_NET any -> [116.203.15.173] 80 (msg:"ThreatFox Vidar 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255307/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255307; rev:1;) alert tcp $HOME_NET any -> [195.201.250.50] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255306/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255306; rev:1;) alert tcp $HOME_NET any -> [159.69.102.165] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255305/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255305; rev:1;) alert tcp $HOME_NET any -> [195.201.47.206] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255304/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255304; rev:1;) alert tcp $HOME_NET any -> [78.47.141.20] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255303/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255303; rev:1;) alert tcp $HOME_NET any -> [95.217.240.145] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255302; rev:1;) alert tcp $HOME_NET any -> [115.74.21.108] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255301; rev:1;) alert tcp $HOME_NET any -> [115.74.21.108] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255300; rev:1;) alert tcp $HOME_NET any -> [86.106.87.158] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255299; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 22841 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255298; rev:1;) alert tcp $HOME_NET any -> [185.224.135.175] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255297; rev:1;) alert tcp $HOME_NET any -> [101.237.34.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1255296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255296; rev:1;) alert tcp $HOME_NET any -> [173.248.141.247] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255295; rev:1;) alert tcp $HOME_NET any -> [98.191.141.157] 2000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255294; rev:1;) alert tcp $HOME_NET any -> [111.173.116.170] 1235 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255293; rev:1;) alert tcp $HOME_NET any -> [37.221.93.29] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255292; rev:1;) alert tcp $HOME_NET any -> [171.249.235.149] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255291/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255291; rev:1;) alert tcp $HOME_NET any -> [154.62.175.113] 8080 (msg:"ThreatFox Venom RAT botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255289/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ms_excel_azure_cloud_open_document.vbs"; depth:41; nocase; http.host; content:"45.89.53.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255084; rev:1;) alert tcp $HOME_NET any -> [103.124.106.237] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255083; rev:1;) alert tcp $HOME_NET any -> [192.3.95.135] 80 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/kjk/weareverybeautifulgirlsxygirlwantokissmeharderthanbeforetogetmeback___sheisverybeeautifulgirlforme.doc"; depth:113; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m0804t/wininit.exe"; depth:19; nocase; http.host; content:"192.3.95.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255080; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop4.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"bannerbarter.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1255075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shgoini.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255076; rev:1;) alert tcp $HOME_NET any -> [107.175.229.143] 30902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255077; rev:1;) alert tcp $HOME_NET any -> [66.204.14.97] 20256 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_09; classtype:trojan-activity; sid:91255073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.236.171.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255070; rev:1;) alert tcp $HOME_NET any -> [8.220.200.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; 
classtype:trojan-activity; sid:91255069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.220.200.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.107.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255066; rev:1;) alert tcp $HOME_NET any -> [39.100.107.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255067; rev:1;) alert tcp $HOME_NET any -> [141.98.7.91] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255064; rev:1;) alert tcp $HOME_NET any -> [107.172.148.197] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tdpzx.scr"; depth:10; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"psolver827.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1255062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255062; rev:1;) alert tcp $HOME_NET any -> [141.98.7.218] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"117.50.182.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1255059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255056; rev:1;) alert tcp $HOME_NET any -> [192.3.216.142] 7232 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de17fs"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199667616374"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255052; rev:1;) alert tcp $HOME_NET any -> [65.109.243.220] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255051; rev:1;) alert tcp $HOME_NET any -> [147.135.119.43] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255046; rev:1;) alert tcp $HOME_NET any -> 
[134.255.218.111] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255047; rev:1;) alert tcp $HOME_NET any -> [147.135.119.43] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255048; rev:1;) alert tcp $HOME_NET any -> [134.255.218.111] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255049; rev:1;) alert tcp $HOME_NET any -> [185.150.26.199] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255050/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255044; rev:1;) alert tcp $HOME_NET any -> [195.133.44.41] 2295 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255043; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.18.202.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.55.65.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"114.55.1.119"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255037; rev:1;) alert tcp $HOME_NET any -> [23.95.182.33] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255036; rev:1;) alert tcp $HOME_NET any -> [23.95.182.33] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; 
sid:91255035; rev:1;) alert tcp $HOME_NET any -> [193.57.41.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255034; rev:1;) alert tcp $HOME_NET any -> [193.57.41.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255033; rev:1;) alert tcp $HOME_NET any -> [178.128.106.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255032; rev:1;) alert tcp $HOME_NET any -> [3.22.252.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255031; rev:1;) alert tcp $HOME_NET any -> [109.107.181.48] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255030; rev:1;) alert tcp $HOME_NET any -> [109.120.178.115] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255029; rev:1;) alert tcp $HOME_NET any -> [111.231.145.137] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255028; rev:1;) alert tcp $HOME_NET any -> [45.61.150.7] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255027/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255027; rev:1;) alert tcp $HOME_NET any -> [185.123.53.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255026/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255026; rev:1;) alert tcp $HOME_NET any -> [34.84.42.35] 2095 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255025/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255025; rev:1;) alert tcp $HOME_NET any -> [148.66.5.228] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255024; rev:1;) alert tcp $HOME_NET any -> [111.223.247.232] 
8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255023/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255023; rev:1;) alert tcp $HOME_NET any -> [8.140.205.59] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255022/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255022; rev:1;) alert tcp $HOME_NET any -> [45.76.142.33] 1604 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255021; rev:1;) alert tcp $HOME_NET any -> [85.209.195.22] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255020; rev:1;) alert tcp $HOME_NET any -> [151.30.250.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255019; rev:1;) alert tcp $HOME_NET any -> [165.227.223.174] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255018/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_09; classtype:trojan-activity; sid:91255018; rev:1;) alert tcp $HOME_NET any -> [165.227.223.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255017; rev:1;) alert tcp $HOME_NET any -> [138.197.80.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255016; rev:1;) alert tcp $HOME_NET any -> [68.183.56.211] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255014; rev:1;) alert tcp $HOME_NET any -> [68.183.56.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255015; rev:1;) alert tcp $HOME_NET any -> [137.184.78.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255013; rev:1;) alert tcp $HOME_NET any -> [159.223.0.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1255012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255012; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20006 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255011; rev:1;) alert tcp $HOME_NET any -> [203.96.177.103] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255010; rev:1;) alert tcp $HOME_NET any -> [99.83.207.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255009; rev:1;) alert tcp $HOME_NET any -> [39.100.72.235] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255008; rev:1;) alert tcp $HOME_NET any -> [165.227.90.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255007; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 13306 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91255004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"appdiscordgg.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254995; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 14391 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254991/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmes777.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254988; rev:1;) alert tcp $HOME_NET any -> [172.94.73.133] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254967; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254987/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_09; classtype:trojan-activity; sid:91254987; rev:1;) alert tcp $HOME_NET any -> [128.90.123.160] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254966; rev:1;) alert tcp $HOME_NET any -> [93.183.95.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255006/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_09; classtype:trojan-activity; sid:91255006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/990ecb7630625681.php"; depth:21; nocase; http.host; content:"93.123.39.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1255005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255005; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255003; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255002; rev:1;) alert tcp 
$HOME_NET any -> [3.126.224.214] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255000; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1255001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91255001; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 13306 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254999; rev:1;) alert tcp $HOME_NET any -> [105.154.228.255] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_09; classtype:trojan-activity; sid:91254998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/pomo/po.php"; depth:24; nocase; http.host; content:"kenesrakishev.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vsdjcn3khs/index.php"; depth:21; nocase; http.host; content:"atillapro.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254996; rev:1;) alert tcp $HOME_NET any -> [200.217.111.70] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254994; rev:1;) alert tcp $HOME_NET any -> [191.89.247.6] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254993; rev:1;) alert tcp $HOME_NET any -> [81.214.136.253] 125 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254992; rev:1;) alert tcp $HOME_NET any -> [91.207.102.163] 9899 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254990; rev:1;) alert tcp $HOME_NET any -> [45.129.199.228] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254989; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254986; rev:1;) alert tcp $HOME_NET any -> [23.137.253.76] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254985; rev:1;) alert tcp $HOME_NET any -> [91.215.85.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254984; rev:1;) alert tcp $HOME_NET any -> [45.88.90.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254983; rev:1;) alert tcp $HOME_NET any -> [147.45.69.114] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254982; rev:1;) alert tcp $HOME_NET any -> [37.221.93.9] 80 (msg:"ThreatFox Meduza Stealer 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254981; rev:1;) alert tcp $HOME_NET any -> [107.172.157.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254980; rev:1;) alert tcp $HOME_NET any -> [8.218.138.77] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254979; rev:1;) alert tcp $HOME_NET any -> [117.50.179.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254978; rev:1;) alert tcp $HOME_NET any -> [46.246.4.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254977; rev:1;) alert tcp $HOME_NET any -> [217.165.15.163] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; 
classtype:trojan-activity; sid:91254976; rev:1;) alert tcp $HOME_NET any -> [78.172.87.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254975; rev:1;) alert tcp $HOME_NET any -> [1.161.123.219] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254974; rev:1;) alert tcp $HOME_NET any -> [23.95.182.10] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254973; rev:1;) alert tcp $HOME_NET any -> [154.12.179.67] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254972; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20011 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254970; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254971; rev:1;) alert tcp $HOME_NET any -> [128.14.226.110] 448 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254969; rev:1;) alert tcp $HOME_NET any -> [139.144.96.187] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254964; rev:1;) alert tcp $HOME_NET any -> [38.180.62.112] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kibagendi.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254961/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karmaandfate.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"playfulyogi.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"christmascookie.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salesoftskills.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; 
sid:91254955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whattotext.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaulieuhome.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gteairfone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pillowscrawler.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"000111.org"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"playfulyogi.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"karmaandfate.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"kibagendi.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"000111.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"pillowscrawler.xyz"; depth:18; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"beaulieuhome.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254944; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stodia.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cytuns.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvins.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"disear.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"yetties.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254942; rev:1;) alert tcp $HOME_NET any -> [95.217.241.187] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254931; rev:1;) alert tcp $HOME_NET any -> [49.13.149.204] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254932; rev:1;) alert tcp $HOME_NET any -> [195.201.250.50] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254933; rev:1;) alert tcp $HOME_NET any -> [65.109.242.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254934; rev:1;) alert tcp $HOME_NET any -> [94.130.188.149] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254935/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254935; rev:1;) alert tcp $HOME_NET any -> [116.203.12.29] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254936; rev:1;) alert tcp $HOME_NET any -> [116.203.14.84] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254937; rev:1;) alert tcp $HOME_NET any -> [95.217.212.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254929; rev:1;) alert tcp $HOME_NET any -> [95.217.27.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"yetties.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"disear.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"galvins.xyz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cytuns.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stodia.fun"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.84"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.130.188.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.250.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.149.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.187"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.212.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254915; rev:1;) alert tcp $HOME_NET any -> [51.79.171.174] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254914/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.17.166"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zopz-api.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"167.114.127.93"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.mom"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254679; rev:1;) alert tcp $HOME_NET any -> [51.81.230.244] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254577; rev:1;) alert tcp $HOME_NET 
any -> [51.89.251.242] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254578; rev:1;) alert tcp $HOME_NET any -> [51.222.204.13] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254579; rev:1;) alert tcp $HOME_NET any -> [79.133.46.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254580; rev:1;) alert tcp $HOME_NET any -> [79.137.203.236] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254581; rev:1;) alert tcp $HOME_NET any -> [84.54.51.107] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254582; rev:1;) alert tcp $HOME_NET any -> [84.54.51.132] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254583; rev:1;) alert tcp $HOME_NET any -> [84.54.51.144] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254584; rev:1;) alert tcp $HOME_NET any -> [84.54.51.195] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254585; rev:1;) alert tcp $HOME_NET any -> [84.54.51.205] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254586; rev:1;) alert tcp $HOME_NET any -> [84.54.51.206] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254587; rev:1;) alert tcp $HOME_NET any -> [84.54.51.207] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254588; rev:1;) alert tcp $HOME_NET any -> [84.54.51.208] 7070 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254589; rev:1;) alert tcp $HOME_NET any -> [85.203.42.64] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254590; rev:1;) alert tcp $HOME_NET any -> [86.104.194.180] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254591; rev:1;) alert tcp $HOME_NET any -> [91.92.255.74] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254592; rev:1;) alert tcp $HOME_NET any -> [91.103.253.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254593; rev:1;) alert tcp $HOME_NET any -> [92.249.48.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254594/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254594; rev:1;) alert tcp $HOME_NET any -> [93.123.85.172] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254595; rev:1;) alert tcp $HOME_NET any -> [94.156.8.32] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254596; rev:1;) alert tcp $HOME_NET any -> [94.156.8.72] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254597; rev:1;) alert tcp $HOME_NET any -> [94.156.8.79] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254598; rev:1;) alert tcp $HOME_NET any -> [94.156.71.51] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254599; rev:1;) alert tcp $HOME_NET any -> [94.156.71.66] 1337 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254600; rev:1;) alert tcp $HOME_NET any -> [94.156.71.193] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254601; rev:1;) alert tcp $HOME_NET any -> [103.82.135.217] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254602; rev:1;) alert tcp $HOME_NET any -> [135.148.124.223] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254603; rev:1;) alert tcp $HOME_NET any -> [141.98.7.123] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254604; rev:1;) alert tcp $HOME_NET any -> [141.98.7.200] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254605/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254605; rev:1;) alert tcp $HOME_NET any -> [144.172.73.9] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254606; rev:1;) alert tcp $HOME_NET any -> [144.172.73.20] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254607; rev:1;) alert tcp $HOME_NET any -> [144.172.73.25] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254608; rev:1;) alert tcp $HOME_NET any -> [144.172.73.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254609; rev:1;) alert tcp $HOME_NET any -> [144.172.73.28] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254610; rev:1;) alert tcp $HOME_NET any -> [144.172.73.44] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254611; rev:1;) alert tcp $HOME_NET any -> [144.217.16.164] 9900 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254612; rev:1;) alert tcp $HOME_NET any -> [146.19.254.219] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254613; rev:1;) alert tcp $HOME_NET any -> [149.56.79.118] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254614; rev:1;) alert tcp $HOME_NET any -> [172.65.149.128] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254616; rev:1;) alert tcp $HOME_NET any -> [159.253.120.116] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; 
classtype:trojan-activity; sid:91254615; rev:1;) alert tcp $HOME_NET any -> [185.91.127.66] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254617; rev:1;) alert tcp $HOME_NET any -> [185.171.121.161] 420 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254618; rev:1;) alert tcp $HOME_NET any -> [195.58.39.34] 6643 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254619; rev:1;) alert tcp $HOME_NET any -> [198.98.57.36] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254620; rev:1;) alert tcp $HOME_NET any -> [198.98.58.246] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254621; rev:1;) alert tcp $HOME_NET any -> [205.185.119.42] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254623; rev:1;) alert tcp $HOME_NET any -> [199.195.251.103] 22 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254622; rev:1;) alert tcp $HOME_NET any -> [209.141.35.229] 27358 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254624; rev:1;) alert tcp $HOME_NET any -> [216.107.139.159] 9966 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninja-cnc.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.lol"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; 
classtype:trojan-activity; sid:91254636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leanc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naucosi.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-voidc2.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"cumshot.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuclear.baby"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lydiari.mrbonus.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pf7.prsv.ch"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fuzzyproxy.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254627; rev:1;) alert tcp $HOME_NET any -> [94.156.71.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254626; rev:1;) alert tcp $HOME_NET any -> [45.141.202.79] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254575; rev:1;) alert tcp $HOME_NET any -> [51.81.115.26] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254576; rev:1;) alert tcp $HOME_NET any -> [45.140.188.47] 911 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254574; rev:1;) alert tcp $HOME_NET any -> [45.128.232.138] 7070 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254572; rev:1;) alert tcp $HOME_NET any -> [45.128.232.169] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254573; rev:1;) alert tcp $HOME_NET any -> [45.128.232.85] 1337 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254570; rev:1;) alert tcp $HOME_NET any -> [45.128.232.100] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254571; rev:1;) alert tcp $HOME_NET any -> [41.216.182.208] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254569; rev:1;) alert tcp $HOME_NET any -> [23.160.193.4] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254565; rev:1;) alert tcp $HOME_NET any -> [23.160.193.10] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254566; rev:1;) alert tcp $HOME_NET any -> [23.160.194.106] 1225 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254567/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254567; rev:1;) alert tcp $HOME_NET any -> [38.45.100.58] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254568; rev:1;) alert tcp $HOME_NET any -> [15.204.18.204] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254561; rev:1;) alert tcp $HOME_NET any -> [15.204.211.81] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254563; rev:1;) alert tcp $HOME_NET any -> [15.204.240.170] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254564; rev:1;) alert tcp $HOME_NET any -> [5.196.239.182] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254560; rev:1;) alert tcp $HOME_NET any -> [15.204.22.165] 1337 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254562; rev:1;) alert tcp $HOME_NET any -> [5.39.34.46] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254557; rev:1;) alert tcp $HOME_NET any -> [5.196.162.1] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254559; rev:1;) alert tcp $HOME_NET any -> [5.181.80.64] 999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254558; rev:1;) alert tcp $HOME_NET any -> [2.58.95.55] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254556; rev:1;) alert tcp $HOME_NET any -> [185.216.70.169] 21425 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254675/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_08; classtype:trojan-activity; sid:91254675; rev:1;) alert tcp $HOME_NET any -> [85.204.116.22] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254673; rev:1;) alert tcp $HOME_NET any -> [85.204.116.206] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254674; rev:1;) alert tcp $HOME_NET any -> [85.204.116.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254671; rev:1;) alert tcp $HOME_NET any -> [85.204.116.21] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254672; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254670; rev:1;) alert tcp $HOME_NET any -> [62.72.185.4] 16726 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcpsyn.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tcpfin.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254668; rev:1;) alert tcp $HOME_NET any -> [45.55.197.133] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.mypowerzip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254648; rev:1;) alert tcp $HOME_NET any -> [139.59.127.44] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254645/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254645; rev:1;) alert tcp $HOME_NET any -> [146.190.5.80] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254646; rev:1;) alert tcp $HOME_NET any -> [51.195.124.239] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254644; rev:1;) alert tcp $HOME_NET any -> [62.122.184.51] 6017 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254641; rev:1;) alert tcp $HOME_NET any -> [193.26.115.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254642/; target:src_ip; metadata: confidence_level 25, first_seen 2024_04_08; classtype:trojan-activity; sid:91254642; rev:1;) alert tcp $HOME_NET any -> [80.66.87.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"80.66.87.240"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254665; rev:1;) alert tcp $HOME_NET any -> [54.144.199.247] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/page/7384/word-macros-not-working/"; depth:35; nocase; http.host; content:"defender.us.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"defender.us.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"81.71.127.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254661; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taek.cp-redteam.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"taek.cp-redteam.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"42.51.37.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; 
content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hubcap/mayo-clinic-radio-full-shows/"; depth:37; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254652/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"111.123.250.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254649; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 1198 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/__utm.gif"; depth:10; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254640; rev:1;) alert tcp $HOME_NET any -> [93.183.95.223] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254639; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5851 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254555; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254553; rev:1;) alert tcp $HOME_NET any -> [121.37.237.168] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254554; rev:1;) alert tcp $HOME_NET any -> [110.41.21.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254552/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_08; classtype:trojan-activity; sid:91254552; rev:1;) alert tcp $HOME_NET any -> [141.98.7.56] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254551/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254551; rev:1;) alert tcp $HOME_NET any -> [8.137.116.204] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254548; rev:1;) alert tcp $HOME_NET any -> [175.178.78.176] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254547; rev:1;) alert tcp $HOME_NET any -> [39.105.141.35] 22222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254549; rev:1;) alert tcp $HOME_NET any -> [92.249.48.39] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254550/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"193.34.69.249"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.27.107.169"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.45.100.58"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.89.251.242"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"141.98.7.123"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.10.46"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.133.46.200"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.204.13"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.109"; depth:13; nocase; 
reference:url, threatfox.abuse.ch/ioc/1254518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254518; rev:1;)
# --- Review notes for this section of the feed (comments only; the rules themselves are unchanged) ---
# sid is "9" followed by the ThreatFox IOC id found in reference:url (ioc/1254521 -> sid:91254521), so an alert
# can be traced back to its IOC page without a lookup table. Every rule ships as rev:1; bump rev on any local edit
# so rule-management tooling notices the change. metadata confidence_level mirrors the percentage in msg: treat the
# 50% entries as alert-only and reserve block/drop actions for the 75%/100% ones. target:src_ip marks the
# $HOME_NET client as the victim in every rule here -- use it to drive host triage, not the remote IOC.
#
# NOTE(review): the next 12 rules anchor a bare IP literal at offset 0 of http.uri (depth equals the literal
# length, no http.host check). A normal request URI begins with "/", so these appear to fire only on absolute-URI
# (proxy-style) requests. Compare the sibling rules further down, where a URL IOC becomes a "/" URI plus an exact
# http.host match. Verify the original URL on the reference:url page before counting on these for coverage.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"205.185.119.42"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254521; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.35.18.98"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254519; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.203.42.64"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254520; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.131.99.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254523; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.120.116"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1254524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254524; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.35.18.35"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.217"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254526; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.208.103.203"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1254528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254528; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.66"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1254529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254529; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.43"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1254530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254530; rev:1;)
# URL IOCs with a path: prefix match on http.uri (depth = literal length, nocase) plus an exact http.host match --
# depth equals the host length and isdataat:!1,relative rejects any trailing bytes, so "45.140.188.47.example"
# does not match. With content:"/"; depth:1 the URI test is satisfied by any ordinary request, so those rules are in
# effect "any GET to this host". These are HTTP-only: the same host reached over TLS is not seen by these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.188.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254542; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.61.188.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254539; rev:1;)
# ip:port rules: plain "alert tcp" with no flow keyword, so a single outbound SYN to the listed IP:port (e.g. from an
# internal scanner or a sandbox) is enough to alert; threshold caps output at one alert per source per 60 s per rule.
# Addresses on shared or cloud hosting get reassigned -- use metadata first_seen to age entries out, and check the
# reference:url page before turning any of these into a perimeter block.
alert tcp $HOME_NET any -> [45.178.6.2] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254531/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254531; rev:1;)
# Domain IOCs: dns_query with depth = literal length and isdataat:!1,relative is an exact match on the queried name,
# so a lookup for an unlisted subdomain does not fire (note the separate entries for botnet./net./api.przsc.cn and
# the apex below). Lookups carried over DNS-over-HTTPS/TLS are not visible to these rules at all.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peurnick24.bumbleshrimp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254532; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.140.143.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254540; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.93.233.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254541; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"171.244.42.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254545; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"51.81.230.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254543; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"54.39.252.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254544; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"92.249.48.78"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254546; rev:1;)
# The URL rules for 120.48.75.31, 49.234.17.50 and 116.205.228.160 pair with Cobalt Strike ip:port rules for the
# same hosts below; the URI rules are the more specific of the two and the ip:port rule will also fire on the
# same connection, so expect two sids per hit when correlating.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254538; rev:1;)
alert tcp $HOME_NET any -> [49.234.17.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254537; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"49.234.17.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254536; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"120.48.75.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254535; rev:1;)
alert tcp $HOME_NET any -> [116.205.228.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254534; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"116.205.228.160"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254533; rev:1;)
alert tcp $HOME_NET any -> [45.88.90.160] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"packetinfo.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254499; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.ddosvps.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254500; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddosvps.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254501; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.przsc.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254502; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.przsc.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254504; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"przsc.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254506; rev:1;)
# Confidence 50% entries start here. Most are "Unknown malware" on tcp/80 or tcp/443 with no protocol constraint,
# i.e. the weakest rules in this section: keep them at alert priority and confirm with the reference:url page
# before acting on a single hit.
alert tcp $HOME_NET any -> [212.109.221.128] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254498; rev:1;)
alert tcp $HOME_NET any -> [193.143.1.161] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254497; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.127] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254496; rev:1;)
alert tcp $HOME_NET any -> [42.96.5.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254495; rev:1;)
alert tcp $HOME_NET any -> [91.92.250.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254494; rev:1;)
alert tcp $HOME_NET any -> [82.147.85.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254493; rev:1;)
alert tcp $HOME_NET any -> [38.180.45.153] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254492; rev:1;)
alert tcp $HOME_NET any -> [91.202.233.174] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254491; rev:1;)
alert tcp $HOME_NET any -> [45.82.152.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254490; rev:1;)
alert tcp $HOME_NET any -> [109.120.184.181] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254489; rev:1;)
alert tcp $HOME_NET any -> [38.47.101.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254488; rev:1;)
alert tcp $HOME_NET any -> [99.196.212.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254487; rev:1;)
alert tcp $HOME_NET any -> [39.106.250.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254486; rev:1;)
alert tcp $HOME_NET any -> [39.106.250.105] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254485; rev:1;)
alert tcp $HOME_NET any -> [143.244.200.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254484; rev:1;)
alert tcp $HOME_NET any -> [185.234.216.209] 20008 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254483; rev:1;)
alert tcp $HOME_NET any -> [167.71.184.214] 808 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_08; classtype:trojan-activity; sid:91254482; rev:1;)
# Mirai ip:port entries: two of them sit on tcp/23. Any $HOME_NET host that opens telnet to these is worth a look
# on its own, but the same port is also hit by generic scanners, so pair the alert with the SYN-only caveat above.
alert tcp $HOME_NET any -> [34.159.237.198] 6668 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254322; rev:1;)
alert tcp $HOME_NET any -> [5.253.246.12] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254321; rev:1;)
alert tcp $HOME_NET any -> [193.181.23.187] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254323; rev:1;)
alert tcp $HOME_NET any -> [154.44.25.185] 36912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254477; rev:1;)
alert tcp $HOME_NET any -> [41.142.31.190] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_08; classtype:trojan-activity; sid:91254479; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php/927339792"; depth:20; nocase; http.host; content:"140.82.61.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254481; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.11] 57484 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254480; rev:1;)
alert tcp $HOME_NET any -> [103.35.191.158] 5515 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_08; classtype:trojan-activity; sid:91254478; rev:1;)
# first_seen rolls back to 2024_04_07 from here. The Cobalt Strike ip:port cluster that follows repeats several
# hosts on more than one port (38.147.171.19 on 2095/2096/2087, 20.124.95.169 on 443 and 50050, 54.250.253.8 on
# 88 and 4444); each port is its own sid, so dedupe on destination IP when counting infected hosts.
# NOTE(review): tcp/50050 is the default Cobalt Strike team-server management port rather than a beacon listener,
# so a $HOME_NET client connecting to it is more likely an operator console than a beacon -- confirm and escalate.
alert tcp $HOME_NET any -> [172.111.131.97] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254476; rev:1;)
alert tcp $HOME_NET any -> [193.32.149.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254475; rev:1;)
alert tcp $HOME_NET any -> [45.84.1.227] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254474; rev:1;)
alert tcp $HOME_NET any -> [45.141.87.233] 39200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254473; rev:1;)
alert tcp $HOME_NET any -> [185.154.52.150] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254472; rev:1;)
alert tcp $HOME_NET any -> [38.60.200.161] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254471; rev:1;)
alert tcp $HOME_NET any -> [38.54.111.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254470; rev:1;)
alert tcp $HOME_NET any -> [154.12.30.6] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254469; rev:1;)
alert tcp $HOME_NET any -> [35.241.117.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254468; rev:1;)
alert tcp $HOME_NET any -> [35.234.1.138] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254466; rev:1;)
alert tcp $HOME_NET any -> [35.234.1.138] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254467; rev:1;)
alert tcp $HOME_NET any -> [43.251.159.58] 46675 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254465; rev:1;)
alert tcp $HOME_NET any -> [43.245.199.144] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254464; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.19] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254462; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.19] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254463; rev:1;)
alert tcp $HOME_NET any -> [38.147.171.19] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254461; rev:1;)
alert tcp $HOME_NET any -> [114.115.220.199] 9963 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254460; rev:1;)
alert tcp $HOME_NET any -> [206.237.2.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254459; rev:1;)
alert tcp $HOME_NET any -> [148.135.72.115] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254458; rev:1;)
alert tcp $HOME_NET any -> [54.250.253.8] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254456; rev:1;)
alert tcp $HOME_NET any -> [54.250.253.8] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254457; rev:1;)
alert tcp $HOME_NET any -> [18.176.57.203] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254455; rev:1;)
alert tcp $HOME_NET any -> [154.92.14.6] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254454; rev:1;)
alert tcp $HOME_NET any -> [20.237.62.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254453; rev:1;)
alert tcp $HOME_NET any -> [20.124.95.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254451; rev:1;)
alert tcp $HOME_NET any -> [20.124.95.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"irreceiver.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk.luckyu.icu"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254449; rev:1;)
alert tcp $HOME_NET any -> [192.227.155.158] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254448; rev:1;)
alert tcp $HOME_NET any -> [23.95.254.136] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254447; rev:1;)
alert tcp $HOME_NET any -> [23.94.123.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254446; rev:1;)
# 206.189.182.123 is listed twice with different family labels (Unknown malware on 3333, Cobalt Strike on 88);
# the two sids point at separate IOC ids, so read both reference:url pages rather than trusting either msg alone.
alert tcp $HOME_NET any -> [206.189.182.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254445; rev:1;)
alert tcp $HOME_NET any -> [206.189.182.123] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254444; rev:1;)
alert tcp $HOME_NET any -> [206.189.113.118] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254443; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alipan.lol"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254442; rev:1;)
alert tcp $HOME_NET any -> [152.42.188.132] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254440; rev:1;)
alert tcp $HOME_NET any -> [152.42.188.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254441; rev:1;)
alert tcp $HOME_NET any -> [47.236.185.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254438; rev:1;)
alert tcp $HOME_NET any -> [47.236.185.166] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254439; rev:1;)
alert tcp $HOME_NET any -> [47.236.171.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254437; rev:1;)
# 8.212.71.0 is a host address ending in .0 as published by the feed; Suricata treats it as a single /32, so it is
# not a typo for a network -- leave it as-is but expect some upstream firewalls to reject it as an "invalid" host.
alert tcp $HOME_NET any -> [8.212.71.0] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254436; rev:1;)
alert tcp $HOME_NET any -> [124.70.158.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254435; rev:1;)
alert tcp $HOME_NET any -> [116.205.185.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254434; rev:1;)
alert tcp $HOME_NET any -> [110.41.17.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254433; rev:1;)
alert tcp $HOME_NET any -> [60.204.217.11] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254432; rev:1;)
alert tcp $HOME_NET any -> [1.94.2.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254431; rev:1;)
alert tcp $HOME_NET any -> [123.56.182.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254430; rev:1;)
alert tcp $HOME_NET any -> [47.98.247.113] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254422; rev:1;)
alert tcp $HOME_NET any -> [47.116.213.137] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254423; rev:1;)
alert tcp $HOME_NET any -> [101.201.54.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254424; rev:1;) alert tcp $HOME_NET any -> [101.201.54.74] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254425; rev:1;) alert tcp $HOME_NET any -> [114.55.1.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254426; rev:1;) alert tcp $HOME_NET any -> [114.55.1.119] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254427; rev:1;) alert tcp $HOME_NET any -> [120.55.75.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254428; rev:1;) alert tcp $HOME_NET any -> [120.78.90.43] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254429; rev:1;) alert tcp $HOME_NET any -> [39.100.111.77] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254417; rev:1;) alert tcp $HOME_NET any -> [39.101.204.250] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254418; rev:1;) alert tcp $HOME_NET any -> [39.104.200.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254419; rev:1;) alert tcp $HOME_NET any -> [39.106.77.203] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254420; rev:1;) alert tcp $HOME_NET any -> [47.98.247.113] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254421; rev:1;) alert tcp $HOME_NET any -> [8.130.118.27] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254414; rev:1;) alert tcp $HOME_NET 
any -> [8.130.121.45] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254415; rev:1;) alert tcp $HOME_NET any -> [39.100.107.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254416; rev:1;) alert tcp $HOME_NET any -> [43.143.170.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254408; rev:1;) alert tcp $HOME_NET any -> [81.71.18.121] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254409; rev:1;) alert tcp $HOME_NET any -> [81.71.127.160] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254410; rev:1;) alert tcp $HOME_NET any -> [101.34.221.218] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254411; rev:1;) alert tcp $HOME_NET any -> [114.132.62.71] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254412; rev:1;) alert tcp $HOME_NET any -> [175.24.133.215] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254413; rev:1;) alert tcp $HOME_NET any -> [1.14.202.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254402; rev:1;) alert tcp $HOME_NET any -> [1.14.202.205] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254403; rev:1;) alert tcp $HOME_NET any -> [42.192.53.52] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254404; rev:1;) alert tcp $HOME_NET any -> [43.138.72.60] 8088 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254405; rev:1;) alert tcp $HOME_NET any -> [43.138.111.120] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254406; rev:1;) alert tcp $HOME_NET any -> [43.143.165.217] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254407; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254401; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254391; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254392/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254392; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254393; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254394; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254395; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254396; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254397; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254398; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254399; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254400; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254381; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254382; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; 
sid:91254383; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 1892 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254384; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254385; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 1648 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254386; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254387; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254388; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254389; rev:1;) alert tcp $HOME_NET any -> [187.135.122.238] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254390; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254372; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254373; rev:1;) alert tcp $HOME_NET any -> [187.135.122.251] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254374; rev:1;) alert tcp $HOME_NET any -> [187.135.122.251] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254375; rev:1;) alert tcp $HOME_NET any -> [187.135.122.251] 2003 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254376; rev:1;) alert tcp $HOME_NET any -> [187.135.122.251] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254377; rev:1;) alert tcp $HOME_NET any -> [187.135.122.251] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254378; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254379; rev:1;) alert tcp $HOME_NET any -> [187.135.178.42] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254380; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254362/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254362; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254363; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254364; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254365; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254366; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254367; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 1982 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254368; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254369; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254370; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254371; rev:1;) alert tcp $HOME_NET any -> [187.135.94.250] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254356; rev:1;) alert tcp $HOME_NET any -> [187.135.94.250] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254357; rev:1;) 
alert tcp $HOME_NET any -> [187.135.94.250] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254358; rev:1;) alert tcp $HOME_NET any -> [187.135.94.250] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254359; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254360; rev:1;) alert tcp $HOME_NET any -> [187.135.141.72] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254361; rev:1;) alert tcp $HOME_NET any -> [105.101.65.139] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254355; rev:1;) alert tcp $HOME_NET any -> [172.111.245.98] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254354; rev:1;) alert tcp $HOME_NET any -> [128.90.103.14] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254349; rev:1;) alert tcp $HOME_NET any -> [128.90.103.14] 1018 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254350; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254351; rev:1;) alert tcp $HOME_NET any -> [172.94.8.100] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254352; rev:1;) alert tcp $HOME_NET any -> [172.111.245.38] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254353; rev:1;) alert tcp $HOME_NET any -> [5.63.21.76] 1604 (msg:"ThreatFox AsyncRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254342; rev:1;) alert tcp $HOME_NET any -> [15.204.170.41] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254343; rev:1;) alert tcp $HOME_NET any -> [38.180.31.223] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254344; rev:1;) alert tcp $HOME_NET any -> [95.216.41.33] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254345; rev:1;) alert tcp $HOME_NET any -> [103.47.147.22] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254346; rev:1;) alert tcp $HOME_NET any -> [123.253.32.76] 22 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254347; rev:1;)
# 128.90.102.230:9999 (AsyncRAT) sits in the /24 adjacent to 128.90.103.14, which is listed on the
# same port above -- presumably the same hosting range; verify before treating it as one campaign.
alert tcp $HOME_NET any -> [128.90.102.230] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254348; rev:1;)
# ERMAC C2 entries on port 80. These are plain ip:port matches (no http.* keywords), so they fire
# on any TCP traffic to the host, not only HTTP, and they will not see TLS to the same host on 443.
alert tcp $HOME_NET any -> [193.222.96.186] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254341; rev:1;)
alert tcp $HOME_NET any -> [185.102.172.72] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254340; rev:1;)
alert tcp $HOME_NET any -> [173.212.219.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254339; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.150] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254338; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.116] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254337; rev:1;)
alert tcp $HOME_NET any -> [20.55.63.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254336; rev:1;)
# Mixed-confidence entries. The "Unknown malware" and QakBot rules below carry confidence_level 50:
# treat them as triage signals only and do not promote them to drop/blocklist without independent
# corroboration. 184.89.62.16:443 matches every TLS session to that host, whatever the payload.
alert tcp $HOME_NET any -> [79.137.207.33] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254335; rev:1;)
alert tcp $HOME_NET any -> [159.203.174.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254334; rev:1;)
alert tcp $HOME_NET any -> [39.99.225.218] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254333; rev:1;)
alert tcp $HOME_NET any -> [184.89.62.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254332; rev:1;)
alert tcp $HOME_NET any -> [173.255.230.190] 80 (msg:"ThreatFox Responder 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254331; rev:1;)
# Havoc (50%) and BianLian (50%) entries. 8.217.88.225:443 (sid 91254330) is also listed in this
# feed as a DCRat C2 on 65503 (sid 91254282, 100%) -- two family labels on one host; the family
# name is the reporter's attribution, not corroborated here. 116.203.56.238:1194 is on the port
# commonly registered for OpenVPN, so a legitimate VPN endpoint there would look identical to this rule.
alert tcp $HOME_NET any -> [8.217.88.225] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254330; rev:1;)
alert tcp $HOME_NET any -> [154.12.179.67] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254329; rev:1;)
alert tcp $HOME_NET any -> [110.40.133.81] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254328; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.178] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254327; rev:1;)
alert tcp $HOME_NET any -> [116.203.56.238] 1194 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; 
sid:91254326; rev:1;)
# Deimos (50%), AsyncRAT and Quasar RAT (100%) entries. 128.199.66.119 appears here as Quasar on
# 18982 and later in this feed as DCRat on 57411 (sid 91254277): same host, two families --
# alerts from both sids on one internal client do not by themselves imply two infections.
alert tcp $HOME_NET any -> [103.137.27.83] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254325; rev:1;)
alert tcp $HOME_NET any -> [103.99.178.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254324; rev:1;)
alert tcp $HOME_NET any -> [194.26.192.34] 666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254265; rev:1;)
alert tcp $HOME_NET any -> [2.58.56.66] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254266; rev:1;)
alert tcp $HOME_NET any -> [86.242.42.233] 1194 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254267; rev:1;)
alert tcp $HOME_NET any -> [128.199.66.119] 18982 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1254268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254268; rev:1;)
# Quasar RAT ip:port entries. Three of them are on 8080, a common proxy/alt-HTTP port; the rules
# match all TCP to those hosts regardless of payload. [185.245.183.74] 2 is an unusual low port
# that should not collide with ordinary services.
alert tcp $HOME_NET any -> [181.162.141.33] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254270; rev:1;)
alert tcp $HOME_NET any -> [147.45.189.30] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254269; rev:1;)
alert tcp $HOME_NET any -> [181.162.177.83] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254271; rev:1;)
alert tcp $HOME_NET any -> [185.245.183.74] 2 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254272; rev:1;)
alert tcp $HOME_NET any -> [187.35.7.95] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254273; rev:1;)
alert tcp $HOME_NET any -> [189.110.0.220] 6653 (msg:"ThreatFox Quasar RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254274; rev:1;)
alert tcp $HOME_NET any -> [191.82.201.30] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254275; rev:1;)
alert tcp $HOME_NET any -> [191.82.231.105] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254276; rev:1;)
# DCRat entries. 128.199.66.119 is also listed as Quasar RAT on 18982 (sid 91254268) -- one host,
# two family labels. Ports 8848 and 65503 recur across the DCRat rules in this feed; that is a
# port-level pattern only -- these ip:port rules carry no payload content, so a host-independent
# DCRat detection would need a separate content-based signature.
alert tcp $HOME_NET any -> [128.199.66.119] 57411 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254277; rev:1;)
alert tcp $HOME_NET any -> [1.14.126.22] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254280; rev:1;)
alert tcp $HOME_NET any -> [8.210.3.81] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254281; rev:1;)
# DNS rule: dns_query with depth:20 plus isdataat:!1,relative anchors the match to the exact query
# name cd.qqweixinzhuce.top (nocase); a query for any subdomain of it does not match this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cd.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254320; rev:1;)
# DCRat on 65503. 8.217.88.225 is also listed in this feed as Havoc on 443 at 50% (sid 91254330);
# treat the family label as the reporter's attribution.
alert tcp $HOME_NET any -> [8.217.88.225] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254282; rev:1;)
alert tcp $HOME_NET any -> [8.217.140.110] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254283; rev:1;)
alert tcp $HOME_NET any -> [8.217.225.19] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254284; rev:1;)
# HTTP rule for the same domain as the DNS rule above: the URI content has depth:25 but no
# isdataat anchor, so any longer path that begins with /include/template/isx.php also matches;
# the Host header is anchored exact (depth:20 + isdataat:!1,relative). Plaintext HTTP only --
# the same request over TLS is not visible to this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"cd.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254319; rev:1;)
alert tcp $HOME_NET any -> [8.218.27.81] 
65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254285; rev:1;)
# DCRat ip:port entries, mostly on 65503 (plus 443 and 8848). 38.147.172.16:443 matches every TLS
# session to that host, so an alert from it needs the host, not the port, reviewed.
alert tcp $HOME_NET any -> [38.147.172.16] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254286; rev:1;)
alert tcp $HOME_NET any -> [39.101.177.68] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254287; rev:1;)
alert tcp $HOME_NET any -> [47.76.41.68] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254288; rev:1;)
alert tcp $HOME_NET any -> [47.242.64.202] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254289; rev:1;)
alert tcp $HOME_NET any -> [47.243.4.123] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254290/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_07; classtype:trojan-activity; sid:91254290; rev:1;)
alert tcp $HOME_NET any -> [58.87.70.252] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254291; rev:1;)
alert tcp $HOME_NET any -> [88.99.214.187] 3232 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254292; rev:1;)
# 89.105.201.158 is listed on four ports (591, 4444, 8080, 8090). A locally maintained copy could
# collapse these into one rule with a port list, but keep the per-IOC sids if you rely on the
# reference:url for ThreatFox cross-lookup of individual alerts.
alert tcp $HOME_NET any -> [89.105.201.158] 591 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254293; rev:1;)
alert tcp $HOME_NET any -> [89.105.201.158] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254294; rev:1;)
alert tcp $HOME_NET any -> [89.105.201.158] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254295; rev:1;)
alert tcp $HOME_NET any -> [89.105.201.158] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254296; rev:1;)
# DCRat entries in 91.92.250.0/24 and 91.92.255.0/24 (two hosts on both 8845 and 8848). The
# 91.92.248-255 range recurs across this feed (ERMAC 91.92.255.150, DarkComet 91.92.248.202,
# AsyncRAT 91.92.254.44, unknown 91.92.252.114): worth a watchlist, but these rules are
# per-socket and do not justify blocking the whole range on their own.
alert tcp $HOME_NET any -> [91.92.250.207] 8081 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254297; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.244] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254298; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.244] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254299; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.249] 8845 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254300; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.249] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254301; rev:1;)
alert tcp $HOME_NET any -> [144.91.127.15] 4546 (msg:"ThreatFox DCRat botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254302; rev:1;)
# DCRat entries. 65503, 8090 and 8848 recur as DCRat ports elsewhere in this feed; the rules are
# still per-socket, with no payload check, and alert-only.
alert tcp $HOME_NET any -> [160.20.109.7] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254303; rev:1;)
alert tcp $HOME_NET any -> [206.233.128.142] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254304; rev:1;)
alert tcp $HOME_NET any -> [206.238.43.147] 65503 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254305; rev:1;)
alert tcp $HOME_NET any -> [206.238.196.192] 8090 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254306; rev:1;)
alert tcp $HOME_NET any -> [211.101.247.89] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254307; rev:1;)
# DNS rules: exact-name matches (depth equals the name length, isdataat:!1,relative), nocase, so
# subdomains do not match. net-killer.ddns.net (sid 91254310) is listed a second time in this
# feed as sid 91254256 (IOC 1254256); both fire on the same query, so suppress one locally or
# expect duplicate alerts. The ddns.net name is dynamic DNS, so the name is a more durable IOC
# than whatever it resolves to at any given time.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marinion.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254308; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rooty.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254309; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254310; rev:1;)
# MooBot / Mirai C2 sockets. A match from $HOME_NET on these typically points at an IoT or
# embedded device rather than a workstation -- confirm the asset type of the alerting source.
alert tcp $HOME_NET any -> [103.67.197.152] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254311; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.35] 6788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254312; rev:1;)
alert tcp $HOME_NET any -> [23.95.182.31] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254313; rev:1;)
# Mirai C2 entries, three of them on port 1024; 185.94.29.111:1302 is only 75% confidence.
alert tcp $HOME_NET any -> [46.102.174.17] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254314; rev:1;)
alert tcp $HOME_NET any -> [185.65.205.158] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254315; rev:1;)
alert tcp $HOME_NET any -> [185.224.128.34] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254316; rev:1;)
alert tcp $HOME_NET any -> [185.94.29.111] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254317/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254317; rev:1;)
# HTTP rule: /pages/login.php is a generic path -- the softultra.info Host anchor (depth:14 +
# isdataat:!1,relative) is what makes this rule specific; the URI itself is only prefix-matched.
# Plaintext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"softultra.info"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254318/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254318; rev:1;)
# Mirai (75%), "Unknown malware" on port 80 (matches any TCP to 81.19.137.171, not only HTTP),
# DarkComet and AsyncRAT entries. The two 91.92.x hosts are in the same range seen elsewhere in
# this feed.
alert tcp $HOME_NET any -> [137.184.10.195] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254278; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.155] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254279; rev:1;)
alert tcp $HOME_NET any -> [81.19.137.171] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254258; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.202] 2301 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254259; rev:1;)
alert tcp $HOME_NET any -> [91.92.254.44] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254260; rev:1;)
alert tcp $HOME_NET any -> [94.156.64.122] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254261; rev:1;)
# 172.94.73.162:2222 is the fourth AsyncRAT socket on 2222 in this feed (with 172.94.8.100,
# 172.111.245.38 and 38.180.31.223). 192.210.255.140:8080 is labeled "Unknown malware" despite
# 100% confidence; NjRAT 18.198.77.177:14620 is 75%.
alert tcp $HOME_NET any -> [172.94.73.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254262; rev:1;)
alert tcp $HOME_NET any -> [192.210.255.140] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254263; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 14620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254264; rev:1;)
# DNS rules (exact-name, nocase). net-killer.ddns.net here duplicates sid 91254310 from earlier in
# this feed -- both fire on the same query. The .su name is matched exact at depth:39.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254256; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sex.secure-cyber-security-rebirthltd.su"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; 
classtype:trojan-activity; sid:91254255; rev:1;)
alert tcp $HOME_NET any -> [185.196.11.209] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254257; rev:1;)
alert tcp $HOME_NET any -> [52.28.112.211] 12117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254253/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_07; classtype:trojan-activity; sid:91254253; rev:1;)
# DNS exact-name rule (depth:28 + isdataat:!1,relative, nocase); subdomains do not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure-network-rebirthltd.ru"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254254; rev:1;)
# HTTP rule to an IP-literal host: the URI content /j.ad has depth:5 but no isdataat anchor, so
# any path beginning with /j.ad matches; the Host 124.71.5.199 is anchored exact (depth:12 +
# isdataat:!1,relative). Plaintext HTTP only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254252; rev:1;)
# Raccoon on 443 at 80% confidence: matches every TLS session to 193.149.187.16.
alert tcp $HOME_NET any -> [193.149.187.16] 443 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254251; rev:1;)
alert tcp $HOME_NET any -> [94.98.185.133] 3460 (msg:"ThreatFox 
Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254250; rev:1;)
# Nanocore RAT and AsyncRAT entries, all 80% confidence. Nanocore uses 54984 on three different
# hosts here -- a port-level pattern, not a payload match; alerts still need the host reviewed.
alert tcp $HOME_NET any -> [45.154.96.48] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254249; rev:1;)
alert tcp $HOME_NET any -> [82.67.69.234] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254248; rev:1;)
alert tcp $HOME_NET any -> [45.74.50.53] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254247; rev:1;)
alert tcp $HOME_NET any -> [185.174.101.246] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254246; rev:1;)
alert tcp $HOME_NET any -> [195.3.223.146] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254245/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_07; classtype:trojan-activity; sid:91254245; rev:1;) alert tcp $HOME_NET any -> [128.90.103.14] 9443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254244/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_07; classtype:trojan-activity; sid:91254244; rev:1;) alert tcp $HOME_NET any -> [2.58.56.216] 38382 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254243; rev:1;) alert tcp $HOME_NET any -> [45.63.121.237] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254242; rev:1;) alert tcp $HOME_NET any -> [23.224.4.162] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254241; rev:1;) alert tcp $HOME_NET any -> [139.180.157.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254240; rev:1;) alert tcp $HOME_NET any -> [91.92.252.114] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254239; rev:1;) alert tcp $HOME_NET any -> [108.61.250.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254238; rev:1;) alert tcp $HOME_NET any -> [146.56.214.238] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254237; rev:1;) alert tcp $HOME_NET any -> [154.90.63.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254236; rev:1;) alert tcp $HOME_NET any -> [45.152.115.131] 8000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254235; rev:1;) alert tcp $HOME_NET any -> [45.156.85.187] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254234; rev:1;) alert tcp $HOME_NET any -> 
[94.237.56.207] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_07; classtype:trojan-activity; sid:91254233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wave-assistant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254223; rev:1;) alert tcp $HOME_NET any -> [185.125.50.49] 48860 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure7multi/temporaryjavascript0base/7/eternalimagetoprocessorcentral.php"; depth:75; nocase; http.host; content:"77.105.161.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9cac53e5e9ec7ba.php"; depth:21; nocase; http.host; content:"62.113.119.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254231/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_07; classtype:trojan-activity; sid:91254231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadtempcentraldownloads.php"; depth:32; nocase; http.host; content:"267097cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_07; classtype:trojan-activity; sid:91254230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.100.111.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254228; rev:1;) alert tcp $HOME_NET any -> [160.178.39.123] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yixc"; depth:5; nocase; http.host; content:"120.78.65.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254226; rev:1;) alert tcp $HOME_NET any -> [120.78.65.206] 44444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254225; rev:1;) alert tcp $HOME_NET any -> [185.123.53.250] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"194.33.191.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"24.199.71.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"64.23.168.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"103.54.57.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"91.194.135.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"147.45.45.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"212.64.217.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/webpanel/login.php"; depth:19; nocase; http.host; 
content:"www.guncelmetin2hile.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"mileminer.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unamwebpanel-master/unamwebpanel/pages/login.php"; depth:49; nocase; http.host; content:"toktokwebpanel.elementfx.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"scarwrld.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"badtrippaap.store"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nam/pages/login.php"; depth:20; nocase; http.host; content:"anbu.bond"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"173.201.180.75"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"modules.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"linkerfunyfile.store"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254201; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awdrgyj/pages/login.php"; depth:24; nocase; http.host; content:"46.23.108.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"dvr.getenjoyment.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"95.216.253.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"vh373519.hostline.su"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.php"; depth:10; nocase; http.host; content:"smartpanel.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"18.191.246.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dxrxcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"12pintsandacurry.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"temptraffsolutions.com"; depth:22; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ultralowsulphurgas.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mailhost.freemsk.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gordeeva.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"trattles.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254149; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"whukkers.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"davidpeterinteriors.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"simplyavailable.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cartelsclothing.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"blythwood-plant.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dumpthedebt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"miopart.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"celebrationgenerator.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reginacrowley.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"diyshopper.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"designgeneralstore.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"office.freemsk.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eastlothianpropertymanagement.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.25"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freemsk.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"www.simplyavailable.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.42.66.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ganjawars.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254167/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0p2q9.com.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"tectumio.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.229"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254094/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.221.148.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254096/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.166.200"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.40.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254098/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.255.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254099/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; 
content:"109.120.177.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254100/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"217.196.98.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254101/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254101; rev:1;) alert tcp $HOME_NET any -> [147.45.47.65] 47232 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254102; rev:1;) alert tcp $HOME_NET any -> [91.92.253.221] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dtyedh/five/fre.php"; depth:20; nocase; http.host; content:"91.92.253.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/"; depth:19; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254141; rev:1;) alert tcp $HOME_NET any -> [185.196.10.155] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254171/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/category/research-2/"; depth:21; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254213; rev:1;) alert tcp $HOME_NET any -> [78.24.217.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254212; rev:1;) alert tcp $HOME_NET any -> [45.63.121.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254211; rev:1;) alert tcp $HOME_NET any -> [149.88.67.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254210; rev:1;) alert tcp $HOME_NET any -> [23.224.4.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254209/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_06; classtype:trojan-activity; sid:91254209; rev:1;) alert tcp $HOME_NET any -> [23.224.4.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254195; rev:1;) alert tcp $HOME_NET any -> [130.43.22.207] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254184; rev:1;) alert tcp $HOME_NET any -> [165.22.39.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254183; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20017 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254182; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20007 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254181/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254181; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254179; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20002 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254180; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254178; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20003 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254176/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254176; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20004 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254177; rev:1;) alert tcp $HOME_NET any -> [72.255.55.82] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254175/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254174; rev:1;) alert tcp $HOME_NET any -> [217.237.84.33] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254173; rev:1;) alert tcp $HOME_NET any -> [94.237.50.44] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.34.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254170; rev:1;) alert tcp $HOME_NET any -> [89.105.201.43] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 75%)"; dns_query; content:"altaskifer.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"christmascookie.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254079; rev:1;) alert tcp $HOME_NET any -> [185.196.10.207] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254087/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ezz.ust.cx"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254088/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254088; rev:1;) alert tcp $HOME_NET any -> [93.123.85.166] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmp/index.php"; depth:14; nocase; http.host; content:"zarya-amura.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sunvi.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254092/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"akros.in.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254091/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4d4d3a49ccbc77eb.php"; depth:21; nocase; http.host; content:"89.105.201.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254089; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254085; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254084; rev:1;) alert tcp $HOME_NET any -> [149.129.131.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nodejsmysql.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nodejsmysql.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"49.232.214.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254080; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254077; rev:1;) alert tcp $HOME_NET any -> [123.57.143.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"123.57.143.169"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1254075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254075; rev:1;) alert tcp $HOME_NET any -> [154.204.176.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254074; rev:1;) alert tcp $HOME_NET any -> [111.230.117.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.117.89"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.121.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254070; rev:1;) alert tcp $HOME_NET any -> [42.192.53.52] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"i.xlei.cc"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i.xlei.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254068; rev:1;) alert tcp $HOME_NET any -> [116.205.189.199] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"206.189.182.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.236.230.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.151.247.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"110.34.30.9"; depth:11; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"altaskifer.sbs"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254058/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254058; rev:1;) alert tcp $HOME_NET any -> [89.105.201.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254057; rev:1;) alert tcp $HOME_NET any -> [154.9.255.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254056; rev:1;) alert tcp $HOME_NET any -> [109.120.177.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254055; rev:1;) alert tcp $HOME_NET any -> [23.224.4.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; 
classtype:trojan-activity; sid:91254054; rev:1;) alert tcp $HOME_NET any -> [23.224.4.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254053; rev:1;) alert tcp $HOME_NET any -> [216.224.119.201] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254052; rev:1;) alert tcp $HOME_NET any -> [74.48.129.190] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254051; rev:1;) alert tcp $HOME_NET any -> [41.97.189.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254050; rev:1;) alert tcp $HOME_NET any -> [4.236.36.4] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254049; rev:1;) alert tcp $HOME_NET any -> [62.72.26.78] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1254048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254048; rev:1;) alert tcp $HOME_NET any -> [52.223.20.75] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254047/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254047; rev:1;) alert tcp $HOME_NET any -> [88.130.123.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254046/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254046; rev:1;) alert tcp $HOME_NET any -> [104.156.255.239] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254045/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254045; rev:1;) alert tcp $HOME_NET any -> [185.196.8.48] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91254044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"135.125.124.72"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253950/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253950; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"8.20.255.249"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253951/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"201.222.146.184"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"148.153.34.82"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"132.148.79.222"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"132.148.73.117"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.144.31.103"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.131.108.250"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"38.242.240.28"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.68.146.19"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.16.122.250"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.106.94.174"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.235.143.190"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"104.200.28.75"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.76.223.93"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.79.174.92"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"161.97.98.95"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.61.75.156"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.97.181"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.220.90.199"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"155.138.203.158"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"57.128.83.129"; 
depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.180.185.171"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.95.108.252"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"66.135.31.146"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.232.186.100"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.226.138.143"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"154.12.248.41"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253920/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"178.18.246.136"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253921/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.72.104.80"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253918/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.126.86.48"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"192.9.135.73"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253917/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253917; rev:1;) alert tcp $HOME_NET any -> [8.220.200.34] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.233.91.144"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253916/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.232.173.13"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"139.180.137.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"149.28.189.244"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91253926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"vmd129057.contaboserver.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1253924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"24.199.109.6"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253952/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.154.24.57"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.151.20.137"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.153.135.83"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253956; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.213.54.49"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.200.171"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.134.126.43"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1253959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"85.215.162.167"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"67.21.33.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.85.235.39"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1253962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"109.123.244.131"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.87.148.132"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.186.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1253965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.213.79.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.122.128.77"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253967; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"129.80.253.141"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"150.136.16.205"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1253969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_06; classtype:trojan-activity; sid:91253969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"202.61.141.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"103.229.60.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253974; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"104.168.122.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"8.134.69.22"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"39.101.70.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253977; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"38.6.218.204"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"107.175.35.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"120.48.99.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"117.72.9.31"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"124.70.143.234"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"101.35.198.120"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1253983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login/"; depth:18; nocase; http.host; content:"122.10.5.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"20.205.173.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.132.193.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"103.163.208.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91253987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"142.171.62.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"43.136.20.206"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"167.71.91.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"172.245.81.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"34.81.83.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"123.1.189.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"122.10.10.100"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; 
content:"platformforcreateinterest.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/login.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7vaficzogd/login.php"; depth:21; nocase; http.host; content:"pleasurecanbesafe.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/login.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1254005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/login.php"; depth:19; nocase; http.host; content:"ruspyc.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/login.php"; depth:17; nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/login.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/login.php"; depth:20; nocase; http.host; content:"185.196.10.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91254009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u8v5zeq/login.php"; depth:18; nocase; http.host; content:"193.3.19.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd9dd3vw/login.php"; depth:19; nocase; http.host; content:"second.amadgood.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"retromuzsika.hu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253867/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kawapopularna.pl"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253868/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartgamepiano.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253869/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.eurotranschanet.fr"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253870/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"americanbussales.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253871/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mediterranews.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253879/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shodo.cosavostra.com"; 
depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253880/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tophomenews.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253881/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"osinkokuningas.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253882/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"iveri.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253883/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atvtrade.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253884/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; 
sid:91253884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systra-logistik.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253885/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cremer-fliesen.de"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253886/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_06; classtype:trojan-activity; sid:91253886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"asegurar1s.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 18746 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91253908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"cdnforfiles.xyz"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1253970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"file-transfer.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"107.175.28.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.120.177.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254034; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.161.224.131"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.106.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"46.226.164.150"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"huboftest.ir"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.156.10.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/login.php"; depth:16; nocase; http.host; content:"65.20.106.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.226"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254024/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.156.8.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.138.16.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.15.156.142"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.65.117"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.42.92.73"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.92.169"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"193.233.132.11"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"95.216.41.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254017; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5554 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"whattotext.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bvxny6r6"; depth:9; nocase; http.host; content:"gteairfone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7t6x/certificate.crt"; depth:21; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ketmqfqxwbukenxmtkckkwyggqmbotuiaokzmnlumqfbcfiwdzobpipfkkymzpqlmqofkodnko"; depth:75; nocase; http.host; content:"thecheapestcdn.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91253915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8otabr/"; depth:8; nocase; http.host; content:"salesoftskills.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1254040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wasted9sss1-57718.portmap.host"; depth:30; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1254041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254041; rev:1;) alert tcp $HOME_NET any -> [16.171.25.219] 8099 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_06; classtype:trojan-activity; sid:91254043; rev:1;) alert tcp $HOME_NET any -> [77.221.157.58] 38538 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_06; classtype:trojan-activity; sid:91254042; rev:1;) alert tcp $HOME_NET any -> [162.209.178.189] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1254001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91254001; rev:1;) alert tcp $HOME_NET any -> [162.209.178.188] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253999; rev:1;) alert tcp $HOME_NET any -> [162.209.178.187] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253998; rev:1;) alert 
tcp $HOME_NET any -> [162.209.178.190] 38433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/members/9zbukm2fct"; depth:30; nocase; http.host; content:"162.209.178.186"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae8.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcnlaleanae9.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253911; rev:1;) alert tcp $HOME_NET any -> [193.143.1.197] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253907; rev:1;) alert tcp $HOME_NET any -> [195.211.124.144] 80 (msg:"ThreatFox 
Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253906; rev:1;) alert tcp $HOME_NET any -> [212.224.86.223] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253905; rev:1;) alert tcp $HOME_NET any -> [62.109.2.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253904; rev:1;) alert tcp $HOME_NET any -> [89.208.103.64] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253903; rev:1;) alert tcp $HOME_NET any -> [94.156.8.125] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253902; rev:1;) alert tcp $HOME_NET any -> [57.151.90.74] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253901/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253901; rev:1;) alert tcp $HOME_NET any -> [106.53.186.12] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253900; rev:1;) alert tcp $HOME_NET any -> [46.246.84.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253899; rev:1;) alert tcp $HOME_NET any -> [20.199.44.70] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253898; rev:1;) alert tcp $HOME_NET any -> [85.101.93.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253897; rev:1;) alert tcp $HOME_NET any -> [149.88.67.40] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253896; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1253895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253895; rev:1;) alert tcp $HOME_NET any -> [93.127.163.159] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253894; rev:1;) alert tcp $HOME_NET any -> [38.55.201.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253893; rev:1;) alert tcp $HOME_NET any -> [45.66.217.179] 45 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253892; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253891; rev:1;) alert tcp $HOME_NET any -> [128.199.224.162] 63333 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253888; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253878; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253877; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253876; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253875; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253874; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253873; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11964 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253872; rev:1;) alert tcp $HOME_NET any -> [141.11.228.23] 65483 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253866/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bgagro.bg"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253841/; target:src_ip; metadata: 
confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pinokiosacz.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253842/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"spinmortgage.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253843/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"javtorrent.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253844/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"adktechs.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253845/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"janniolssondeler.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253846/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hubby69.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253847/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eneva.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253848/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.debarcadere.be"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253849/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"www.bluewateryoga.com.au"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253850/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atasafaris.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253851/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"granitedevices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253852/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"76crimes.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253853/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"guitardivision.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253854/; target:src_ip; metadata: confidence_level 60, first_seen 
2024_04_05; classtype:trojan-activity; sid:91253854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"activefisher.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253856/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"searkweather.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253855/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"waheeda.nl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253857/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakapi.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253858/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"limatuju.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253859/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.absoluteestimating.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253860/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"canadajobbank.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253861/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xvideospornor.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253862/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sterling-sound.com"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253863/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fantasy-hive.co.uk"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253864/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"virusvaria.nl"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253865/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_05; classtype:trojan-activity; sid:91253865; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"promesasalvaro1.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253839; rev:1;) alert tcp $HOME_NET any -> [104.198.2.251] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253671/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jyiikm.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarankal.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kanepedeyatan.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"kapandayarkarnaval.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253676; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakasabadakan.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mjm2ytbkogjlzju1/"; depth:18; nocase; http.host; content:"karakamazandar.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_05; classtype:trojan-activity; sid:91253678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/securebigloadprotecttemporary.php"; depth:34; nocase; http.host; content:"38.180.35.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253673; rev:1;) alert tcp $HOME_NET any -> [193.222.96.75] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253670/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253670; rev:1;) alert tcp $HOME_NET any -> [93.123.85.47] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253669/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253669; rev:1;) alert tcp $HOME_NET any -> [45.87.153.190] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/improve/ustats/kozht9uj"; depth:24; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.0.70"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0938913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253662; rev:1;) alert tcp $HOME_NET any -> [46.29.234.85] 35727 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253661; rev:1;) alert tcp $HOME_NET any -> [154.204.177.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253657; rev:1;) alert tcp $HOME_NET any -> [154.201.89.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253658; rev:1;) alert tcp $HOME_NET any -> [107.149.240.218] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"update.winservers-network.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253654/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_05; classtype:trojan-activity; sid:91253654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winservers-network.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253655; rev:1;) alert tcp $HOME_NET any -> [154.204.177.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253651; rev:1;) alert tcp $HOME_NET any -> [122.51.59.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253650/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_05; classtype:trojan-activity; sid:91253650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"119.3.190.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253648; rev:1;) alert tcp $HOME_NET any -> [122.51.59.18] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"122.51.59.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253646; rev:1;) alert tcp $HOME_NET any -> [43.139.48.143] 1450 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1253645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"platformforcreateinterest.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnforbusiness.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"creationofprogress.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253641/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fastestfreecdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253643/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pufpufooootools/150_clwwfhzotee"; depth:32; nocase; http.host; content:"leibk.com"; depth:9; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1253644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253644; rev:1;) alert tcp $HOME_NET any -> [172.233.155.253] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253639; rev:1;) alert tcp $HOME_NET any -> [212.192.15.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253638; rev:1;) alert tcp $HOME_NET any -> [45.241.37.251] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253637; rev:1;) alert tcp $HOME_NET any -> [41.96.66.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253636; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253635; rev:1;) alert tcp $HOME_NET any -> [217.196.60.141] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bestofthebesttraining.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_05; classtype:trojan-activity; sid:91253633; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"newnano-shel.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253624/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253624; rev:1;) alert tcp $HOME_NET any -> [209.73.100.130] 6969 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kingjoker420.ddnsking.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1253622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njpantalla.4cloud.click"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253623/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bestofthebesttraining.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1253604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8bvxwqdec3/index.php"; depth:21; nocase; http.host; content:"bestofthebesttraining.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253605; rev:1;) alert tcp $HOME_NET any -> [93.123.85.135] 118 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253617; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253626/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253626; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253627/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253627; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253628/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253628; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253629; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253630/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253630; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253631/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253631; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11464 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_05; classtype:trojan-activity; sid:91253632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0938327.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253620; rev:1;) alert tcp $HOME_NET any -> [105.154.98.75] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"192.227.94.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_05; classtype:trojan-activity; sid:91253618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oraclecloudsig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253615; rev:1;) alert tcp $HOME_NET any -> [31.172.87.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/translated"; depth:11; nocase; http.host; content:"oraclecloudsig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253614; rev:1;) alert tcp $HOME_NET any -> [38.180.82.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"38.180.82.154"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253612; rev:1;) alert tcp $HOME_NET any -> [193.143.1.198] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253611/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253611; rev:1;) alert tcp $HOME_NET any -> [193.143.1.207] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253610/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253610; rev:1;) alert tcp $HOME_NET any -> [193.143.1.196] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253609/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253609; rev:1;) alert tcp $HOME_NET any -> [193.233.132.58] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253608/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253608; rev:1;) alert tcp $HOME_NET any -> [91.92.253.115] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253603; rev:1;) alert tcp $HOME_NET any -> [20.124.81.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253602; rev:1;) alert tcp $HOME_NET any -> [43.143.112.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253601; rev:1;) alert tcp $HOME_NET any -> 
[178.73.218.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253600; rev:1;) alert tcp $HOME_NET any -> [46.246.82.18] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253599; rev:1;) alert tcp $HOME_NET any -> [78.161.126.239] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253598; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253597; rev:1;) alert tcp $HOME_NET any -> [141.164.57.125] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253596; rev:1;) alert tcp $HOME_NET any -> [162.33.177.165] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253595/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_04_04; classtype:trojan-activity; sid:91253595; rev:1;) alert tcp $HOME_NET any -> [86.125.229.50] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253594; rev:1;) alert tcp $HOME_NET any -> [47.243.188.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253593; rev:1;) alert tcp $HOME_NET any -> [47.238.200.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253592; rev:1;) alert tcp $HOME_NET any -> [151.236.220.113] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253591; rev:1;) alert tcp $HOME_NET any -> [81.43.22.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253590; rev:1;) alert tcp $HOME_NET any -> [192.121.162.196] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1253589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253589; rev:1;) alert tcp $HOME_NET any -> [109.116.170.118] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4/longpoll/6/secure/eternallowdatalifebetter/linuxpublic4base/longpollwindowsprocessor/0poll/line/poll38processor/request7serverapi/dleupdate6/eternallowprocessorauthdblocaluploads.php"; depth:185; nocase; http.host; content:"80.71.227.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qs5d"; depth:5; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253586/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253585/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253585; rev:1;) alert tcp $HOME_NET any -> [46.246.84.9] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafimeasy.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253583; rev:1;) alert tcp $HOME_NET any -> [45.147.229.134] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253581; rev:1;) alert tcp $HOME_NET any -> [45.155.250.106] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"iseberkis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253367; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"dumingas.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.aspx"; depth:11; nocase; http.host; content:"musarno.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253370; rev:1;) alert tcp $HOME_NET any -> [179.13.0.175] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253366; rev:1;) alert tcp $HOME_NET any -> [91.92.241.169] 3434 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253365/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_04; classtype:trojan-activity; sid:91253365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com.tr"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt-stealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbystealer.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"20.110.42.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com.tr"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nt-stealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"bbystealer.xyz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253363; rev:1;) alert tcp $HOME_NET any -> [20.110.42.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.140.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253347; rev:1;) alert tcp $HOME_NET any -> [104.168.145.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"ipv6.beijing-qax.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ipv6.beijing-qax.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/i7f9l/s0rm6wozidfyrb6yai2d"; depth:40; nocase; http.host; content:"canarapay-f5agf9ccgteqbpg2.z03.azurefd.net"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1253341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.75.6.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"64.176.41.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"shop.amazon-aws.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253338; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.26.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253335; rev:1;) alert tcp $HOME_NET any -> [81.17.17.70] 62520 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253334/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253334; rev:1;) alert tcp $HOME_NET any -> [141.98.102.227] 30311 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253333/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253333; rev:1;) alert tcp $HOME_NET any -> [74.91.29.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/display/chan/ib61i7mya"; depth:23; nocase; http.host; content:"74.91.29.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253331; rev:1;) alert tcp $HOME_NET any -> [45.88.186.209] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yjm2njm4yte3zjq2/"; depth:18; nocase; http.host; content:"185.161.248.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimdnq4mgqwzti1/"; depth:19; nocase; http.host; content:"psgrcsklmmallocprisma.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc2prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253316/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimvq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc3prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimeq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc5prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimrq4mgqwzti1/"; depth:18; nocase; http.host; content:"psgrcsklmmalloc4prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ythimmdmq4mgqwzti1/"; depth:20; nocase; http.host; content:"psgrcsklmmalloc6prisma.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_04; classtype:trojan-activity; sid:91253320; rev:1;) 
# Reviewer notes on the rule shapes in this section (ThreatFox-generated, one rule per IOC):
#  - Every rule carries reference:url to the ThreatFox IOC page, target:src_ip (the internal
#    client is the affected host), classtype:trojan-activity, and metadata with
#    confidence_level (50/75/80/100 in this section) and first_seen; sid is the IOC id with a
#    leading 9. Tuning by confidence_level metadata is possible without editing the rules.
#  - ip:port rules: "alert tcp $HOME_NET any -> [ip] port" with no flow keyword, so any packet
#    toward that ip:port matches; "threshold: type limit, track by_src, seconds 60, count 1"
#    caps this at one alert per internal source per 60 seconds.
#  - url rules: flow:established,from_client; http.method must be GET; http.uri content with
#    depth equal to the pattern length and nocase (prefix match on the URI); http.host content
#    with depth plus isdataat:!1,relative, i.e. an exact host match.
#  - domain rules: dns_query content with fast_pattern, depth equal to the name length and
#    isdataat:!1,relative, i.e. an exact query-name match.
#  - Direction is $HOME_NET -> $EXTERNAL_NET only; inbound traffic is not covered here.
alert tcp $HOME_NET any -> [147.45.47.64] 11837 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.12.30.6"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.159.58.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"118.25.182.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.217.11"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.155.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"47.109.137.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.233.244.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253322; rev:1;) alert tcp $HOME_NET any -> [139.9.193.13] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253321; rev:1;) alert tcp $HOME_NET any -> 
[192.3.216.139] 44800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253313/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253313; rev:1;) alert tcp $HOME_NET any -> [91.92.253.150] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253312/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"bertol-metal.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253311; rev:1;) alert tcp $HOME_NET any -> [212.109.220.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253310; rev:1;) alert tcp $HOME_NET any -> [45.32.156.218] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253309; rev:1;) alert tcp $HOME_NET any -> [172.233.221.61] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253308; rev:1;) alert tcp $HOME_NET any -> [124.223.180.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253307; rev:1;) alert tcp $HOME_NET any -> [104.168.122.113] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253306; rev:1;) alert tcp $HOME_NET any -> [103.229.60.151] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253305; rev:1;) alert tcp $HOME_NET any -> [18.167.51.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253304; rev:1;) alert tcp $HOME_NET any -> [46.246.80.9] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253303; rev:1;) alert tcp 
$HOME_NET any -> [70.31.125.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253302; rev:1;) alert tcp $HOME_NET any -> [94.98.76.27] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253301; rev:1;) alert tcp $HOME_NET any -> [41.96.20.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253300; rev:1;) alert tcp $HOME_NET any -> [159.246.29.74] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253299; rev:1;) alert tcp $HOME_NET any -> [104.236.70.31] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253298; rev:1;) alert tcp $HOME_NET any -> [86.104.72.149] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253297/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253297; rev:1;) alert tcp $HOME_NET any -> [43.198.82.119] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253296; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253295; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 14555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253294; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 60000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253293; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253292; rev:1;) alert tcp $HOME_NET any -> [148.135.40.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_04; classtype:trojan-activity; sid:91253291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253290; rev:1;) alert tcp $HOME_NET any -> [195.201.47.206] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253289; rev:1;) alert tcp $HOME_NET any -> [185.174.101.164] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253228; rev:1;) alert tcp $HOME_NET any -> [185.174.101.246] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253229; rev:1;) alert tcp $HOME_NET any -> [101.43.219.232] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253230/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_04; classtype:trojan-activity; sid:91253230; rev:1;) alert tcp $HOME_NET any -> [172.111.137.194] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253227; rev:1;) alert tcp $HOME_NET any -> [128.90.122.249] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253225; rev:1;) alert tcp $HOME_NET any -> [128.90.123.31] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253226; rev:1;) alert tcp $HOME_NET any -> [91.92.254.251] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253224; rev:1;) alert tcp $HOME_NET any -> [91.92.242.190] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253223; rev:1;) alert tcp $HOME_NET any -> [106.53.164.29] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253231; rev:1;) alert tcp $HOME_NET any -> [124.222.52.190] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253232; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253233; rev:1;) alert tcp $HOME_NET any -> [124.223.15.17] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253234; rev:1;) alert tcp $HOME_NET any -> [162.14.73.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253235; rev:1;) alert tcp $HOME_NET any -> [39.100.85.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253236; rev:1;) alert tcp 
$HOME_NET any -> [47.94.246.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253237; rev:1;) alert tcp $HOME_NET any -> [47.95.37.53] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253238; rev:1;) alert tcp $HOME_NET any -> [47.96.38.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253239; rev:1;) alert tcp $HOME_NET any -> [47.116.33.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253240; rev:1;) alert tcp $HOME_NET any -> [112.74.180.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253241; rev:1;) alert tcp $HOME_NET any -> [118.178.231.167] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1253242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253242; rev:1;) alert tcp $HOME_NET any -> [120.55.74.104] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253243; rev:1;) alert tcp $HOME_NET any -> [120.55.240.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253244; rev:1;) alert tcp $HOME_NET any -> [1.92.112.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253246; rev:1;) alert tcp $HOME_NET any -> [1.94.103.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253247; rev:1;) alert tcp $HOME_NET any -> [119.3.190.89] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253248; rev:1;) alert tcp $HOME_NET any -> [47.236.230.99] 8888 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253249; rev:1;) alert tcp $HOME_NET any -> [8.219.48.197] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253250; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253251; rev:1;) alert tcp $HOME_NET any -> [165.232.67.3] 4848 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1253253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253253; rev:1;) alert tcp $HOME_NET any -> [143.198.126.173] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253254/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253254; rev:1;) alert tcp $HOME_NET any -> [107.174.90.234] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253255; rev:1;) alert tcp $HOME_NET any -> [170.106.178.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253256; rev:1;) alert tcp $HOME_NET any -> [106.75.6.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253257; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253258; rev:1;) alert tcp $HOME_NET any -> [64.176.41.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253259; rev:1;) alert tcp $HOME_NET any -> [66.135.4.59] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253260; rev:1;) alert tcp $HOME_NET any -> [139.180.198.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253261; rev:1;) alert tcp $HOME_NET any -> [154.92.14.6] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253262; rev:1;) alert tcp $HOME_NET any -> [66.103.204.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253263; rev:1;) alert tcp $HOME_NET any -> [118.107.4.157] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253270; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 1231 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; 
classtype:trojan-activity; sid:91253271; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253272; rev:1;) alert tcp $HOME_NET any -> [18.119.137.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253273; rev:1;) alert tcp $HOME_NET any -> [43.203.118.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253274; rev:1;) alert tcp $HOME_NET any -> [45.142.214.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253275; rev:1;) alert tcp $HOME_NET any -> [172.98.22.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253276; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253277; rev:1;) alert tcp $HOME_NET any -> [107.151.247.136] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253278; rev:1;) alert tcp $HOME_NET any -> [103.188.244.189] 2024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253279; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253288; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253286; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253287; rev:1;) alert tcp $HOME_NET any -> 
[3.125.223.134] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253285; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10468 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253284; rev:1;) alert tcp $HOME_NET any -> [45.133.174.81] 2020 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253283/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_04; classtype:trojan-activity; sid:91253283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updatelongpollprotect.php"; depth:26; nocase; http.host; content:"77.221.143.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253282; rev:1;) alert tcp $HOME_NET any -> [173.254.204.77] 8026 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_04; classtype:trojan-activity; sid:91253281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/2a0949c1.php"; depth:13; nocase; http.host; content:"a0933252.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"170.106.178.146"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253269; rev:1;) alert tcp $HOME_NET any -> [172.233.1.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/resc/ewk"; depth:9; nocase; http.host; content:"172.233.1.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253267; rev:1;) alert tcp $HOME_NET any -> [47.92.213.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"47.92.213.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1253265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253265; rev:1;) alert tcp $HOME_NET any -> [193.233.132.226] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253264; rev:1;) alert tcp $HOME_NET any -> [193.233.132.226] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253245; rev:1;) alert tcp $HOME_NET any -> [192.236.146.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253222; rev:1;) alert tcp $HOME_NET any -> [77.221.154.28] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253221; rev:1;) alert tcp $HOME_NET any -> [91.92.240.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253220; rev:1;) alert tcp $HOME_NET any -> [95.164.85.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253219; rev:1;) alert tcp $HOME_NET any -> [20.117.210.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253218; rev:1;) alert tcp $HOME_NET any -> [5.182.86.229] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253217; rev:1;) alert tcp $HOME_NET any -> [79.137.202.60] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253216; rev:1;) alert tcp $HOME_NET any -> [91.103.255.188] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253215; rev:1;) alert tcp $HOME_NET any -> 
[38.55.201.18] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253214; rev:1;) alert tcp $HOME_NET any -> [86.38.247.112] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253213; rev:1;) alert tcp $HOME_NET any -> [185.23.182.196] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253212; rev:1;) alert tcp $HOME_NET any -> [46.246.14.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253211; rev:1;) alert tcp $HOME_NET any -> [105.97.193.91] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253210; rev:1;) alert tcp $HOME_NET any -> [86.185.5.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253209/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253209; rev:1;) alert tcp $HOME_NET any -> [189.140.48.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253208; rev:1;) alert tcp $HOME_NET any -> [37.114.41.230] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253207/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253207; rev:1;) alert tcp $HOME_NET any -> [3.83.189.245] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253206; rev:1;) alert tcp $HOME_NET any -> [185.149.146.252] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253205; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20001 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253204; rev:1;) alert tcp $HOME_NET any -> [130.193.40.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253203; rev:1;) alert tcp $HOME_NET any -> [94.156.65.115] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253202; rev:1;) alert tcp $HOME_NET any -> [94.156.65.115] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253201; rev:1;) alert tcp $HOME_NET any -> [45.138.16.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91253200; rev:1;) alert tcp $HOME_NET any -> [45.138.16.166] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253199; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253198; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10543 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1253197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91253197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"emonteiroadm.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252959/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_03; classtype:trojan-activity; sid:91252959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.14.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.179.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199662282318"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t8jmhl"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252954; rev:1;) alert tcp $HOME_NET any -> [95.216.179.73] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252949; rev:1;) alert tcp $HOME_NET any -> [116.203.14.35] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252950; rev:1;) alert tcp $HOME_NET any -> [95.217.31.228] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252951; rev:1;) alert tcp $HOME_NET any -> [65.109.241.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252952; rev:1;) alert tcp $HOME_NET any -> [65.109.243.191] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252953/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252953; rev:1;) alert tcp $HOME_NET any -> [146.103.11.88] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qwflcy7c-1305872204.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252945; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252944; rev:1;) alert tcp $HOME_NET any -> [193.233.132.253] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252942; rev:1;) alert tcp $HOME_NET any -> [91.207.102.163] 9771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252939; rev:1;) alert tcp $HOME_NET any -> [194.147.140.222] 36829 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"goldensoftware.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252937; rev:1;) alert tcp $HOME_NET any -> [154.221.16.3] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252936/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_03; classtype:trojan-activity; sid:91252936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.222.52.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252934; rev:1;) alert tcp $HOME_NET any -> [93.123.85.139] 7775 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_03; classtype:trojan-activity; sid:91252933; rev:1;) alert tcp $HOME_NET any -> [154.221.16.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252931/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"service-kjjaddjc-1309114380.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252930; rev:1;) alert tcp $HOME_NET any -> [124.222.52.190] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252929; rev:1;) alert tcp $HOME_NET any -> [65.109.13.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/686c6c647a/api-get"; depth:19; nocase; http.host; 
content:"drive-east-us-fahybddhebhxejbb.z02.azurefd.net"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252926; rev:1;) alert tcp $HOME_NET any -> [47.236.43.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.236.43.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipesecure.php"; depth:15; nocase; http.host; content:"firerebbit.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/discussion/mayo-clinic-radio-als/"; depth:34; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; 
sid:91252922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252913/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_04_03; classtype:trojan-activity; sid:91252913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-n14rot1h-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/o4gyipjzznwaey19wvgnuy7r2i"; depth:31; nocase; http.host; content:"gostatts.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252911; rev:1;) alert tcp $HOME_NET any -> [47.92.140.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252908; rev:1;) alert tcp $HOME_NET any -> [213.109.202.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252909; rev:1;) alert tcp $HOME_NET any -> [46.101.71.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onedrive"; depth:9; nocase; http.host; content:"chu-healthcare-infra.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chu-healthcare-infra.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252906; rev:1;) alert tcp $HOME_NET any -> [194.32.149.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252904; rev:1;) alert tcp $HOME_NET any -> [45.94.4.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252903; rev:1;) alert tcp $HOME_NET any -> [91.92.247.112] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252902; rev:1;) alert tcp $HOME_NET any -> [45.76.180.152] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252901; rev:1;) alert tcp $HOME_NET any -> [70.31.125.37] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252900; rev:1;) alert tcp $HOME_NET any -> [77.124.103.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252899; rev:1;) alert tcp $HOME_NET any -> [207.180.230.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252898; rev:1;) alert tcp $HOME_NET any -> [91.219.236.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252897; rev:1;) alert tcp $HOME_NET any -> [168.119.236.136] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252896; rev:1;) alert tcp $HOME_NET any -> [193.142.146.203] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/centralsql/localvmasync0/trafficwindows/apitosql/proton/pythondefaultapi/defaulteternal6/better_3/dlehttp/wordpress8/6test6/temporary4privatemulti/linejs_multiprotecttrafficpublictemp.php"; depth:188; nocase; http.host; content:"185.230.64.239"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"comigoninguempodes.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252828; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"limpandoacasa.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"saldaolegal.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"cinemaeuquero.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"31yc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.171.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloadsdump/7downloadsjs/lowmulti/generatorasyncgeneratordatalife/to/javascript/processpacket/videoimage7/linepollserverdatalife.php"; depth:135; nocase; http.host; content:"91.107.120.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252889; rev:1;) alert tcp $HOME_NET any -> [194.147.140.167] 1986 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_03; classtype:trojan-activity; sid:91252888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.242.237.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_03; classtype:trojan-activity; sid:91252887; rev:1;) alert tcp $HOME_NET any -> [105.155.169.10] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252886; rev:1;) alert tcp $HOME_NET any -> [192.153.57.54] 80 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252885; rev:1;) alert tcp $HOME_NET any -> [52.71.150.237] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252884; rev:1;) alert tcp $HOME_NET any -> [100.24.150.174] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252883; rev:1;) alert tcp $HOME_NET any -> [44.194.68.71] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252882; rev:1;) alert tcp $HOME_NET any -> [5.252.177.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252881; rev:1;) alert tcp $HOME_NET any -> [14.225.208.190] 80 (msg:"ThreatFox Mirai botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252880; rev:1;) alert tcp $HOME_NET any -> [144.91.109.161] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252879; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252878; rev:1;) alert tcp $HOME_NET any -> [91.92.254.34] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252877; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252876; rev:1;) alert tcp $HOME_NET any -> [51.254.186.98] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252875; 
rev:1;) alert tcp $HOME_NET any -> [94.98.181.154] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252874; rev:1;) alert tcp $HOME_NET any -> [94.98.186.180] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252873; rev:1;) alert tcp $HOME_NET any -> [66.50.8.125] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252872; rev:1;) alert tcp $HOME_NET any -> [41.107.100.224] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252871; rev:1;) alert tcp $HOME_NET any -> [154.197.69.33] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252870; rev:1;) alert tcp $HOME_NET any -> [125.160.213.15] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252869/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252869; rev:1;) alert tcp $HOME_NET any -> [41.232.216.196] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252868; rev:1;) alert tcp $HOME_NET any -> [147.50.253.190] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252867; rev:1;) alert tcp $HOME_NET any -> [39.120.184.43] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252866; rev:1;) alert tcp $HOME_NET any -> [89.213.140.91] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252865; rev:1;) alert tcp $HOME_NET any -> [172.111.139.246] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252864; rev:1;) alert tcp $HOME_NET any -> [23.94.30.124] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252863; rev:1;) alert tcp $HOME_NET any -> [45.74.50.132] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252862; rev:1;) alert tcp $HOME_NET any -> [41.68.131.21] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252861; rev:1;) alert tcp $HOME_NET any -> [111.229.114.158] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252860; rev:1;) alert tcp $HOME_NET any -> [2.224.144.191] 8089 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252859; rev:1;) alert tcp $HOME_NET any -> [184.182.242.110] 3306 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; 
sid:91252858; rev:1;) alert tcp $HOME_NET any -> [3.17.181.161] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252857; rev:1;) alert tcp $HOME_NET any -> [220.69.33.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252856; rev:1;) alert tcp $HOME_NET any -> [211.226.30.202] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252854; rev:1;) alert tcp $HOME_NET any -> [125.141.145.190] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252853; rev:1;) alert tcp $HOME_NET any -> [211.226.30.198] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252852; rev:1;) alert tcp $HOME_NET any -> [172.187.180.204] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252851/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252851; rev:1;) alert tcp $HOME_NET any -> [13.38.235.203] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/853aaed2e28950b2.php"; depth:21; nocase; http.host; content:"89.105.223.142"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252849; rev:1;) alert tcp $HOME_NET any -> [103.180.186.144] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252848; rev:1;) alert tcp $HOME_NET any -> [3.92.185.192] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252847; rev:1;) alert tcp $HOME_NET any -> [54.226.31.121] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252846; rev:1;) alert tcp 
$HOME_NET any -> [47.120.14.97] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252845; rev:1;) alert tcp $HOME_NET any -> [13.200.127.74] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252844; rev:1;) alert tcp $HOME_NET any -> [94.156.68.16] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252843; rev:1;) alert tcp $HOME_NET any -> [94.156.69.11] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252842; rev:1;) alert tcp $HOME_NET any -> [82.156.43.68] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252841; rev:1;) alert tcp $HOME_NET any -> [37.37.183.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252840/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252840; rev:1;) alert tcp $HOME_NET any -> [152.42.140.119] 9001 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252839; rev:1;) alert tcp $HOME_NET any -> [103.86.177.103] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252838; rev:1;) alert tcp $HOME_NET any -> [65.109.124.116] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252837; rev:1;) alert tcp $HOME_NET any -> [156.192.141.126] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252836; rev:1;) alert tcp $HOME_NET any -> [132.145.80.201] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252835; rev:1;) alert tcp $HOME_NET any -> [3.115.218.3] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252834; rev:1;) alert tcp $HOME_NET any -> [86.106.20.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle1update/generatorprotect00/linuxprivatedownloadsprocess/toauth/dumpmariadbbetterjavascript/privatephpline/multiprotectuploads0/baseuniversal_windows/cdn/multi/6/8wordpress/5/uploadsservercdn/http/requestgamemultidefaultdle.php"; depth:230; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252832; rev:1;) alert tcp $HOME_NET any -> [194.67.193.69] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252827; rev:1;) alert tcp $HOME_NET any -> [85.114.96.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252826; rev:1;) alert tcp $HOME_NET any -> [93.123.39.96] 443 
(msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252825; rev:1;) alert tcp $HOME_NET any -> [194.116.214.7] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252824/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252824; rev:1;) alert tcp $HOME_NET any -> [83.136.232.33] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252823; rev:1;) alert tcp $HOME_NET any -> [5.42.106.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252822; rev:1;) alert tcp $HOME_NET any -> [185.216.70.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252821; rev:1;) alert tcp $HOME_NET any -> [27.124.32.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252820/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_02; classtype:trojan-activity; sid:91252820; rev:1;) alert tcp $HOME_NET any -> [38.55.201.16] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252819; rev:1;) alert tcp $HOME_NET any -> [1.161.115.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252818; rev:1;) alert tcp $HOME_NET any -> [103.20.60.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252817; rev:1;) alert tcp $HOME_NET any -> [64.176.224.27] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252816; rev:1;) alert tcp $HOME_NET any -> [101.33.35.171] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252815; rev:1;) alert tcp $HOME_NET any -> [51.159.183.32] 9000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252814; rev:1;) alert tcp $HOME_NET any -> [64.7.198.249] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252813; rev:1;) alert tcp $HOME_NET any -> [103.20.60.248] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252812; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252811; rev:1;) alert tcp $HOME_NET any -> [206.188.196.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252810; rev:1;) alert tcp $HOME_NET any -> [206.188.196.174] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galvaoministerio.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brigadafraternidade.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252808; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252806; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252805; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18511 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; 
http.host; content:"a0938575.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twiceoohah.uk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"healitytherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"semikan.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zjm0njuxndm5mmvi/"; depth:18; nocase; http.host; content:"bavuor.bond"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_02; classtype:trojan-activity; sid:91252799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getpassword"; depth:38; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252801; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14390 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252563; rev:1;) alert tcp $HOME_NET any -> [141.98.7.37] 65480 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252562/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ahryssa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; 
sid:91252560; rev:1;) alert tcp $HOME_NET any -> [185.216.70.123] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252561; rev:1;) alert tcp $HOME_NET any -> [5.188.87.50] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252558; rev:1;) alert tcp $HOME_NET any -> [94.156.8.109] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"trembolone.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252545/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252545; rev:1;) alert tcp $HOME_NET any -> [91.92.252.229] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/push"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w/index.php"; depth:12; nocase; http.host; content:"116.62.34.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.26.243.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252554; rev:1;) alert tcp $HOME_NET any -> [81.70.232.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"81.70.232.50"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252552; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.92.147.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.106.77.203"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"5.188.87.50"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252549; rev:1;) alert tcp $HOME_NET any -> [164.155.128.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.128.124"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252547; rev:1;) alert tcp $HOME_NET any -> [193.233.132.106] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252546; rev:1;) alert tcp $HOME_NET any -> [193.233.132.106] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252543; rev:1;) alert tcp $HOME_NET any -> [185.196.10.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.196.10.121"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252541; rev:1;) alert tcp $HOME_NET any -> [42.193.17.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252540/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_02; classtype:trojan-activity; sid:91252540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.17.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252539; rev:1;) alert tcp $HOME_NET any -> [185.222.58.253] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; 
depth:9; nocase; http.host; content:"js.msedgeupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.93.63.179"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252531/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 50%)"; dns_query; content:"bind.bestresulttostart.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.220.192.251"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252526; rev:1;) alert tcp $HOME_NET any -> [103.116.247.207] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"115.159.50.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252523; rev:1;) alert tcp $HOME_NET any -> [103.116.247.207] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.xfdaili.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"cs.xfdaili.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.76.218.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"42.192.36.31"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1252518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.13.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252516; rev:1;) alert tcp $HOME_NET any -> [43.136.13.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.136.81.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252514; rev:1;) alert tcp $HOME_NET any -> [43.136.81.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; 
depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252512; rev:1;) alert tcp $HOME_NET any -> [45.182.189.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252513; rev:1;) alert tcp $HOME_NET any -> [45.182.189.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"45.182.189.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/getb"; depth:12; nocase; http.host; content:"45.144.136.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ob/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252506; rev:1;) alert tcp $HOME_NET any -> [194.147.140.157] 3361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252505; rev:1;) alert tcp $HOME_NET any -> [202.61.141.168] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252504; rev:1;) alert tcp $HOME_NET any -> [202.61.141.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252503/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252503; rev:1;) alert tcp $HOME_NET any -> [139.199.2.99] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252502/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252502; rev:1;) alert tcp $HOME_NET any -> [94.156.71.212] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252501/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252501; rev:1;) alert tcp $HOME_NET any -> [187.224.25.138] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252500; rev:1;) alert tcp $HOME_NET any -> [161.35.138.53] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252499; rev:1;) alert tcp $HOME_NET any -> [172.233.230.75] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252498; rev:1;) alert tcp $HOME_NET any -> [194.246.114.147] 40050 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252497; rev:1;) alert tcp $HOME_NET any -> 
[51.195.115.244] 7639 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252496; rev:1;) alert tcp $HOME_NET any -> [13.112.154.194] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252495; rev:1;) alert tcp $HOME_NET any -> [104.234.155.118] 5040 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252494; rev:1;) alert tcp $HOME_NET any -> [142.93.79.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_02; classtype:trojan-activity; sid:91252493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"discovus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252491; rev:1;) alert tcp $HOME_NET any -> [194.147.140.229] 4718 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saubere-dienste.de"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buhexpert8.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252485/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; 
classtype:trojan-activity; sid:91252485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"balabaksha.kz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252486/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alcorfund.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252487/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"unimus.ac.id"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252488/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_02; classtype:trojan-activity; sid:91252488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"schedule.golfballnutz.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scripts/theme.js"; depth:17; nocase; http.host; content:"147.45.47.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"smtp.thanhancompony.com"; depth:23; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1252479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thanhancompony.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252480; rev:1;) alert tcp $HOME_NET any -> [104.168.32.17] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252473; rev:1;) alert tcp $HOME_NET any -> [104.234.204.151] 100 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252471; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 1337 (msg:"ThreatFox Kaiten botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252470; rev:1;) alert tcp $HOME_NET any -> [185.224.128.36] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252469; 
rev:1;) alert tcp $HOME_NET any -> [104.234.204.161] 100 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252460; rev:1;) alert tcp $HOME_NET any -> [85.239.33.129] 12345 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252459; rev:1;) alert tcp $HOME_NET any -> [104.234.204.151] 1 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252440; rev:1;) alert tcp $HOME_NET any -> [185.141.63.27] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252458; rev:1;) alert tcp $HOME_NET any -> [195.154.173.35] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252457; rev:1;) alert tcp $HOME_NET any -> [185.216.70.250] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252472/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_02; classtype:trojan-activity; sid:91252472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.34.207"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252483; rev:1;) alert tcp $HOME_NET any -> [194.147.140.229] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"93757283cm.whiteproducts.ru"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_02; classtype:trojan-activity; sid:91252481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lesserafine.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252468; rev:1;) alert tcp $HOME_NET any -> [18.175.57.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1252467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"umo3uuoo57.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"172.111.218.218"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252464; rev:1;) alert tcp $HOME_NET any -> [94.131.13.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"api.updateservices.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"api.updateservices.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252461; rev:1;) alert tcp $HOME_NET any -> [103.145.191.100] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252456; rev:1;) alert tcp $HOME_NET any -> [202.61.141.166] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252455; rev:1;) alert tcp $HOME_NET any -> [149.104.30.4] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252454; rev:1;) alert tcp $HOME_NET any -> [150.109.241.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252453; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 7000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252452; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252451; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252450; rev:1;) alert tcp $HOME_NET any -> [105.103.18.143] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252449; rev:1;) alert tcp $HOME_NET any -> [78.181.209.3] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252448; rev:1;) alert tcp $HOME_NET any -> [39.40.151.24] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252447; rev:1;) alert tcp $HOME_NET any -> [41.96.91.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252446; rev:1;) alert tcp $HOME_NET any -> [151.236.26.171] 3410 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252445; rev:1;) alert tcp $HOME_NET any -> [185.196.9.7] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252444; rev:1;) alert tcp $HOME_NET any -> [47.116.25.208] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252443; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252442; rev:1;) alert tcp $HOME_NET any -> [94.156.65.98] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gostatts.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252408; rev:1;) alert tcp $HOME_NET any -> [91.92.246.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252409; rev:1;) alert tcp $HOME_NET any -> [103.106.203.165] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252410; rev:1;) alert tcp $HOME_NET any -> [94.156.10.119] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252411; rev:1;) alert tcp $HOME_NET any -> [41.97.204.61] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1252412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applereports.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252413; rev:1;) alert tcp $HOME_NET any -> [94.156.10.119] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252414; rev:1;) alert tcp $HOME_NET any -> [45.63.52.184] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"axskowoe20.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"fqfqosoleosak23.com"; depth:19; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"xkslsxll294os.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vaodfko2342o.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"vasderosxls11.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252432/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_04_01; classtype:trojan-activity; sid:91252432; rev:1;) alert tcp $HOME_NET any -> [45.131.111.159] 777 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252416; rev:1;) alert tcp $HOME_NET any -> [67.217.60.78] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"aaaaoooopppplllll33.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252437/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmu2yzq2njzlnjc2/"; depth:18; nocase; http.host; content:"lauytropopo.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_04_01; classtype:trojan-activity; sid:91252438; rev:1;) alert tcp $HOME_NET any -> [38.15.51.3] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; 
classtype:trojan-activity; sid:91252338; rev:1;) alert tcp $HOME_NET any -> [50.34.35.222] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252339; rev:1;) alert tcp $HOME_NET any -> [51.223.58.16] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252340; rev:1;) alert tcp $HOME_NET any -> [82.69.26.196] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252341; rev:1;) alert tcp $HOME_NET any -> [116.204.42.20] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252342; rev:1;) alert tcp $HOME_NET any -> [181.162.159.238] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252343; rev:1;) alert tcp $HOME_NET any -> [190.203.52.245] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252344; rev:1;) alert tcp $HOME_NET any -> [194.48.251.116] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"arquivisticalocal.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"mtlaikins.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252348; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49737 (msg:"ThreatFox Agent 
Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252370; rev:1;) alert tcp $HOME_NET any -> [173.201.180.75] 49739 (msg:"ThreatFox Agent Tesla payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252371; rev:1;) alert tcp $HOME_NET any -> [1.14.66.185] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.bywe.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252373; rev:1;) alert tcp $HOME_NET any -> [1.14.152.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252374; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252375/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252375; rev:1;) alert tcp $HOME_NET any -> [49.233.244.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252376; rev:1;) alert tcp $HOME_NET any -> [124.220.192.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252377; rev:1;) alert tcp $HOME_NET any -> [8.130.88.184] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252378; rev:1;) alert tcp $HOME_NET any -> [8.130.118.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252379; rev:1;) alert tcp $HOME_NET any -> [8.137.126.202] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252380; rev:1;) alert tcp $HOME_NET any -> [8.140.254.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252381; rev:1;) alert tcp $HOME_NET any -> [47.93.12.178] 50002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252383; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252384; rev:1;) alert tcp $HOME_NET any -> [112.124.64.105] 7894 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252385; rev:1;) alert tcp $HOME_NET any -> [115.29.202.95] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252386; rev:1;) alert tcp $HOME_NET any -> [118.31.8.234] 6664 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; 
sid:91252387; rev:1;) alert tcp $HOME_NET any -> [8.217.127.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252388; rev:1;) alert tcp $HOME_NET any -> [47.76.101.44] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252389; rev:1;) alert tcp $HOME_NET any -> [198.12.107.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252390; rev:1;) alert tcp $HOME_NET any -> [116.196.92.13] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252391; rev:1;) alert tcp $HOME_NET any -> [124.156.213.14] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252393; rev:1;) alert tcp $HOME_NET any -> [144.202.43.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252394; rev:1;) alert tcp $HOME_NET any -> [144.202.43.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252395; rev:1;) alert tcp $HOME_NET any -> [128.14.229.56] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252396; rev:1;) alert tcp $HOME_NET any -> [173.44.141.234] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252397; rev:1;) alert tcp $HOME_NET any -> [45.135.118.251] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252398; rev:1;) alert tcp $HOME_NET any -> [123.184.43.123] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252399; rev:1;) alert tcp $HOME_NET any -> 
[89.147.108.109] 5093 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252400; rev:1;) alert tcp $HOME_NET any -> [45.128.96.237] 64980 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252401; rev:1;) alert tcp $HOME_NET any -> [193.32.162.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252402; rev:1;) alert tcp $HOME_NET any -> [77.91.122.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252403; rev:1;) alert tcp $HOME_NET any -> [91.92.244.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"ilearnschools.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252405/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lokersma.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252406/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 60%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"emmikochteinfach.de"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252407/; target:src_ip; metadata: confidence_level 60, first_seen 2024_04_01; classtype:trojan-activity; sid:91252407; rev:1;) alert tcp $HOME_NET any -> [3.12.160.6] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252325; rev:1;) alert tcp $HOME_NET any -> [20.19.89.127] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252326; rev:1;) alert tcp $HOME_NET any -> [45.8.146.124] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252327; rev:1;) alert tcp $HOME_NET any -> [51.195.94.201] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252328; rev:1;) alert tcp $HOME_NET any -> [88.229.5.89] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252329; rev:1;) alert tcp $HOME_NET any -> [88.252.160.133] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252330; rev:1;) alert tcp $HOME_NET any -> [91.110.144.1] 9000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252331; rev:1;) alert tcp $HOME_NET any -> [156.195.238.74] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252332; rev:1;) alert tcp $HOME_NET any -> [172.94.8.163] 
2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252333; rev:1;) alert tcp $HOME_NET any -> [172.94.9.138] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252334; rev:1;) alert tcp $HOME_NET any -> [207.180.232.14] 1973 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search"; depth:7; nocase; http.host; content:"81.181.110.95"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252439; rev:1;) alert tcp $HOME_NET any -> [146.70.113.136] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.googletagmauager.com"; depth:24; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.googletagmauager.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stviw.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252422; rev:1;) alert tcp $HOME_NET any -> [78.47.221.177] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252423; rev:1;) alert tcp $HOME_NET any -> [168.119.60.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252424; rev:1;) alert tcp $HOME_NET any -> [95.217.155.87] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252425/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mogor.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stviw.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mogor.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.155.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.60.168"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1252419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ca87122.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0934860.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bd4c8b2.php"; depth:13; nocase; http.host; content:"a0936238.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252368; 
rev:1;) alert tcp $HOME_NET any -> [77.221.156.45] 18734 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tracktrafficprivatetest/javascript/dle0/0downloads02/geocpupython/universalsecure/javascriptauth.php"; depth:101; nocase; http.host; content:"91.92.252.39"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//receive.php"; depth:13; nocase; http.host; content:"botnetera.pagekite.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"huinyao.hunamuna.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252364; rev:1;) alert tcp $HOME_NET any -> [185.222.58.244] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cf73329.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252362; rev:1;) alert tcp $HOME_NET any -> [5.61.63.125] 35333 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"490523cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252360; rev:1;) alert tcp $HOME_NET any -> [104.250.169.162] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252359; rev:1;) alert tcp $HOME_NET any -> [195.3.223.146] 6668 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpollflower.php"; depth:19; nocase; http.host; content:"77.105.161.254"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252357; rev:1;) alert tcp $HOME_NET any -> [91.92.250.84] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb488f9cb9d466ca.php"; depth:21; nocase; http.host; content:"185.216.70.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252355; rev:1;) alert tcp $HOME_NET any -> [144.217.189.92] 3000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252354; rev:1;) alert tcp $HOME_NET any -> [163.5.112.53] 51523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252353; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252352; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252351; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18950 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252350; rev:1;) alert tcp $HOME_NET any -> [154.236.129.160] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"big-walls.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252323/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252323; rev:1;) alert tcp $HOME_NET any -> [195.137.220.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heicehjuisyq.bond"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252321; rev:1;) alert tcp $HOME_NET any -> [109.199.108.92] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/omentget"; depth:9; nocase; http.host; content:"heicehjuisyq.bond"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.224.24.157"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1252319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"154.201.89.19"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"195.137.220.121"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252315; rev:1;) alert tcp $HOME_NET any -> [195.137.220.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"222.112.93.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.162.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"62.234.180.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.223.15.17"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"115.29.202.95"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1252310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"183.255.43.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"111.230.207.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252307; rev:1;) alert tcp $HOME_NET any -> [111.230.207.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252308; rev:1;) alert tcp $HOME_NET any -> [52.235.59.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ldap.htm"; depth:9; nocase; http.host; content:"goliathms.azureedge.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goliathms.azureedge.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/compute/cd/k7ba6v385v"; depth:22; nocase; http.host; content:"rdtest.static.hao123-wise.otp.baidu.com.cn.cdn.dnsv1.com"; depth:56; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252301/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_04_01; classtype:trojan-activity; sid:91252301; rev:1;) alert tcp $HOME_NET any -> [47.101.170.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935095.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252299; rev:1;) alert tcp $HOME_NET any -> [77.91.123.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252298; rev:1;) alert tcp $HOME_NET any -> [91.92.248.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252297; rev:1;) alert tcp $HOME_NET any -> [45.77.40.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252296; rev:1;) alert tcp $HOME_NET any -> [147.78.103.240] 
80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252295; rev:1;) alert tcp $HOME_NET any -> [38.6.218.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252294; rev:1;) alert tcp $HOME_NET any -> [137.220.197.178] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252293; rev:1;) alert tcp $HOME_NET any -> [151.80.152.122] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252292; rev:1;) alert tcp $HOME_NET any -> [137.220.197.198] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252291; rev:1;) alert tcp $HOME_NET any -> [137.220.197.198] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252290/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_04_01; classtype:trojan-activity; sid:91252290; rev:1;) alert tcp $HOME_NET any -> [137.220.197.198] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252289; rev:1;) alert tcp $HOME_NET any -> [193.124.205.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252288; rev:1;) alert tcp $HOME_NET any -> [104.248.44.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252287; rev:1;) alert tcp $HOME_NET any -> [111.180.192.60] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252286; rev:1;) alert tcp $HOME_NET any -> [57.180.189.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252285; rev:1;) alert tcp $HOME_NET any -> [3.36.144.103] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252284; rev:1;) alert tcp $HOME_NET any -> [23.94.44.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/z.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252253; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/0x.png"; depth:9; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a/a.png"; depth:8; nocase; http.host; content:"193.233.132.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252255; rev:1;) alert tcp $HOME_NET any -> [5.253.246.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_04_01; classtype:trojan-activity; sid:91252278; rev:1;) alert tcp $HOME_NET any -> [8.134.126.121] 8086 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_04_01; classtype:trojan-activity; sid:91252282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dockerupdate.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252280; rev:1;) alert tcp $HOME_NET any -> [185.239.84.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; 
depth:20; nocase; http.host; content:"dockerupdate.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_04_01; classtype:trojan-activity; sid:91252279; rev:1;) alert tcp $HOME_NET any -> [195.123.217.22] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"195.123.217.22"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"185.236.231.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252274; rev:1;) alert tcp $HOME_NET any -> [185.236.231.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"172.121.5.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252273; rev:1;) alert tcp $HOME_NET any -> [194.67.193.67] 80 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252272; rev:1;) alert tcp $HOME_NET any -> [193.26.115.181] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252271; rev:1;) alert tcp $HOME_NET any -> [193.26.115.181] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252270; rev:1;) alert tcp $HOME_NET any -> [185.43.4.238] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252269; rev:1;) alert tcp $HOME_NET any -> [137.184.228.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1252268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252268; rev:1;) alert tcp $HOME_NET any -> [18.166.113.24] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252267; rev:1;) alert tcp $HOME_NET any -> [188.48.80.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252266; rev:1;) alert tcp $HOME_NET any -> [172.233.120.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252265; rev:1;) alert tcp $HOME_NET any -> [92.116.36.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252264; rev:1;) alert tcp $HOME_NET any -> [159.65.173.112] 9443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252263; rev:1;) alert tcp $HOME_NET any -> [3.111.169.215] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252262; rev:1;) alert tcp $HOME_NET any -> [146.190.108.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252261; rev:1;) alert tcp $HOME_NET any -> [146.190.108.145] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252259; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; 
http.host; content:"chniabank.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chniabank.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentaiworld.tv"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252248/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.8ktv-test.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mlwmlw.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252250; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seorongdaiduong.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252251/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"serenitytherapy.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"illitmagnetic.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252247; rev:1;) alert tcp $HOME_NET any -> [93.185.166.60] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/common.css"; depth:11; nocase; http.host; content:"93.185.166.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252244; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.360safety.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"update.360safety.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252239; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-43eyvs26-1312185610.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252235; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"plano-safra.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"huboftest.ir"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"bnd-servers.komakhazine.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252231; rev:1;) alert tcp $HOME_NET any -> [193.141.60.143] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252229; rev:1;) alert tcp $HOME_NET any -> [193.141.60.143] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1252230/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giga.giganoob.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252228; rev:1;) alert tcp $HOME_NET any -> [103.35.190.189] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252227; rev:1;) alert tcp $HOME_NET any -> [103.35.190.238] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252226; rev:1;) alert tcp $HOME_NET any -> [45.61.136.169] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"45.61.136.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252224/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_31; classtype:trojan-activity; sid:91252224; rev:1;) alert tcp $HOME_NET any -> [124.223.220.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3g.ali213.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; content:"3g.ali213.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/info"; depth:5; nocase; http.host; content:"m.old.gxjczx.gov.cn"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.old.gxjczx.gov.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252220/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252220; rev:1;) alert tcp $HOME_NET any -> [154.219.177.156] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252218; rev:1;) alert tcp $HOME_NET any -> [192.236.176.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"192.236.176.143"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252216; rev:1;) alert tcp $HOME_NET any -> [156.232.192.101] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"121.199.0.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252213/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_31; classtype:trojan-activity; sid:91252213; rev:1;) alert tcp $HOME_NET any -> [121.199.0.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252214; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252212; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252210; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252211; rev:1;) alert tcp $HOME_NET any -> [185.196.10.233] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252209; rev:1;) alert tcp $HOME_NET any -> [45.152.86.86] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1252207/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.iruko.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252208/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_31; classtype:trojan-activity; sid:91252208; rev:1;) alert tcp $HOME_NET any -> [45.138.16.150] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252206/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252206; rev:1;) alert tcp $HOME_NET any -> [86.38.247.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252205/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252205; rev:1;) alert tcp $HOME_NET any -> [93.123.39.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252204/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252204; rev:1;) alert tcp $HOME_NET any -> [94.228.169.68] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252203/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252203; rev:1;) alert tcp $HOME_NET any -> 
[147.78.103.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252202; rev:1;) alert tcp $HOME_NET any -> [142.11.236.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252201; rev:1;) alert tcp $HOME_NET any -> [134.209.34.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252200; rev:1;) alert tcp $HOME_NET any -> [43.132.193.188] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252199; rev:1;) alert tcp $HOME_NET any -> [38.45.126.181] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252198; rev:1;) alert tcp $HOME_NET any -> [45.207.36.50] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252197/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252197; rev:1;) alert tcp $HOME_NET any -> [38.45.126.182] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252196; rev:1;) alert tcp $HOME_NET any -> [38.45.126.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252195; rev:1;) alert tcp $HOME_NET any -> [71.88.244.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252194; rev:1;) alert tcp $HOME_NET any -> [175.10.220.47] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252193; rev:1;) alert tcp $HOME_NET any -> [165.232.68.248] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252192; rev:1;) alert tcp $HOME_NET any -> [16.16.187.254] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252191; rev:1;) alert tcp $HOME_NET any -> [5.181.20.63] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252190; rev:1;) alert tcp $HOME_NET any -> [15.197.164.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252189/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; sid:91252189; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251883; rev:1;) alert tcp $HOME_NET any -> [42.194.251.253] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251882; rev:1;) alert tcp $HOME_NET any -> [42.192.36.31] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251881; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hitech-us.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eatech.uk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"topcoloringpages.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seiji-folk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ww4.amazila.cz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wielkopolskamagazyn.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tanya-tanya.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"baaghitv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"192-168-1-1-admin-admin.ru"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252184/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasantaespina.cat"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mepiu.it"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vipaco.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252187/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.beeldvorm.eu"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_31; classtype:trojan-activity; sid:91252188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nocapsrt.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nocapsrt.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91252031; rev:1;) alert tcp $HOME_NET any -> [40.66.40.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1076575623880921249/1223388963822375054/sky-beta-setup.rar"; depth:71; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_31; classtype:trojan-activity; sid:91251909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"115.49.156.167"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_31; classtype:trojan-activity; 
sid:91252180; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252177; rev:1;) alert tcp $HOME_NET any -> [154.219.151.250] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252176; rev:1;) alert tcp $HOME_NET any -> [156.232.192.121] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252175; rev:1;) alert tcp $HOME_NET any -> [154.219.177.143] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252174; rev:1;) alert tcp $HOME_NET any -> [156.232.186.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252173; rev:1;) alert tcp $HOME_NET any -> [156.232.186.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252172; rev:1;) alert tcp $HOME_NET any -> [154.219.154.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-bjb5aex0-1318428097.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252166; rev:1;) alert tcp $HOME_NET any -> [20.115.56.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252029/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252029; rev:1;) alert tcp $HOME_NET any -> [165.232.68.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252028/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pr8c"; depth:5; nocase; http.host; content:"112.124.64.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91252027; rev:1;) alert tcp $HOME_NET any -> [197.202.118.111] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"124.71.136.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1252025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252025; rev:1;) alert tcp $HOME_NET any -> [47.109.53.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252021; rev:1;) alert tcp $HOME_NET any -> [38.45.126.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252019; rev:1;) alert tcp $HOME_NET any -> [38.45.126.180] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252020; rev:1;) alert tcp $HOME_NET any -> [222.112.93.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252017; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252015; rev:1;) alert tcp $HOME_NET any -> [176.32.35.104] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252016; rev:1;) alert tcp $HOME_NET any -> [103.97.176.249] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252013; rev:1;) alert tcp $HOME_NET any -> [185.196.9.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252011/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252011; rev:1;) alert tcp $HOME_NET any -> [185.196.9.226] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252012; rev:1;) alert tcp $HOME_NET any -> [185.196.11.210] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252010; rev:1;) alert tcp $HOME_NET any -> [209.141.44.168] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252009; rev:1;) alert tcp $HOME_NET any -> [94.103.188.162] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252008; rev:1;) alert tcp $HOME_NET any -> [198.98.53.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252006; rev:1;) alert tcp $HOME_NET any -> [198.98.53.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252007; rev:1;) alert tcp $HOME_NET any -> [45.15.156.142] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252005/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91252005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cleaninghouseinc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1252004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252004; rev:1;) alert tcp $HOME_NET any -> [170.130.55.104] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252001; rev:1;) alert tcp $HOME_NET any -> [170.130.165.44] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252002; rev:1;) alert tcp $HOME_NET any -> [173.44.141.205] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91252003; rev:1;) alert tcp $HOME_NET any -> [103.30.76.64] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1252000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91252000; rev:1;) alert tcp $HOME_NET any -> [206.237.2.203] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251999; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251998; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251996; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251997; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251995; rev:1;) alert tcp $HOME_NET any -> [23.224.196.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251991; rev:1;) alert tcp $HOME_NET any -> [23.225.14.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251992; rev:1;) alert tcp $HOME_NET any -> [38.6.177.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251993; rev:1;) alert tcp $HOME_NET any -> [38.6.178.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251994; rev:1;) alert tcp $HOME_NET any -> [165.154.162.112] 2323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251990; rev:1;) alert tcp $HOME_NET 
any -> [148.135.67.47] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251989; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251987; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251988; rev:1;) alert tcp $HOME_NET any -> [117.50.188.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251986; rev:1;) alert tcp $HOME_NET any -> [172.212.14.172] 9005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251985; rev:1;) alert tcp $HOME_NET any -> [20.2.85.120] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251984; rev:1;) alert tcp $HOME_NET any -> [182.61.148.159] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251980; rev:1;) alert tcp $HOME_NET any -> [192.3.128.204] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251981; rev:1;) alert tcp $HOME_NET any -> [208.87.201.226] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251982; rev:1;) alert tcp $HOME_NET any -> [211.101.244.196] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251983; rev:1;) alert tcp $HOME_NET any -> [149.104.26.163] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251973; rev:1;) alert tcp $HOME_NET any -> 
[154.3.2.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251974; rev:1;) alert tcp $HOME_NET any -> [154.8.177.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251975; rev:1;) alert tcp $HOME_NET any -> [154.12.19.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251976; rev:1;) alert tcp $HOME_NET any -> [166.88.61.173] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251977; rev:1;) alert tcp $HOME_NET any -> [172.247.34.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251978; rev:1;) alert tcp $HOME_NET any -> [182.43.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251979; rev:1;) alert tcp $HOME_NET any -> [123.57.65.209] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251968; rev:1;) alert tcp $HOME_NET any -> [123.57.237.103] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251969; rev:1;) alert tcp $HOME_NET any -> [124.220.70.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251970; rev:1;) alert tcp $HOME_NET any -> [124.221.254.249] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251971; rev:1;) alert tcp $HOME_NET any -> [139.196.84.232] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251972; rev:1;) alert tcp $HOME_NET any -> 
[111.92.241.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251961; rev:1;) alert tcp $HOME_NET any -> [115.159.149.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251962; rev:1;) alert tcp $HOME_NET any -> [118.25.195.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251963; rev:1;) alert tcp $HOME_NET any -> [120.46.65.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251964; rev:1;) alert tcp $HOME_NET any -> [120.53.241.93] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251965; rev:1;) alert tcp $HOME_NET any -> [120.76.250.182] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251966; rev:1;) alert tcp $HOME_NET any -> [123.56.22.128] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251967; rev:1;) alert tcp $HOME_NET any -> [103.214.174.123] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251957; rev:1;) alert tcp $HOME_NET any -> [103.234.72.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251958; rev:1;) alert tcp $HOME_NET any -> [106.54.62.117] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251959; rev:1;) alert tcp $HOME_NET any -> [107.172.159.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251960; rev:1;) alert tcp $HOME_NET any -> 
[47.113.144.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251951; rev:1;) alert tcp $HOME_NET any -> [47.120.34.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251952; rev:1;) alert tcp $HOME_NET any -> [47.245.117.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251953; rev:1;) alert tcp $HOME_NET any -> [74.48.220.31] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251954; rev:1;) alert tcp $HOME_NET any -> [81.70.207.90] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251955; rev:1;) alert tcp $HOME_NET any -> [82.156.183.197] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251956; rev:1;)
# (line above is the tail of a rule whose head precedes this span)
#
# --- Reviewer notes: ThreatFox IOC export, rules in this span carry first_seen 2024_03_30 ---
# Rule shapes present here:
#  * "ip:port" rules: `alert tcp $HOME_NET any -> [IP] PORT` with no flow: and no content: match.
#    Any outbound TCP packet from $HOME_NET to that destination can trigger them (a bare SYN from
#    a scanner or a misdirected client is enough). `threshold: type limit, track by_src, seconds 60,
#    count 1` caps output at one alert per internal source per sid per 60 s; `target:src_ip` labels
#    the internal host as the affected side in alert output.
#  * "url" rules: `alert http` on an established client->server flow. The http.uri content uses a
#    depth equal to the pattern length, so it is anchored at the start of the URI only -- there is
#    no trailing isdataat, so "/match" also matches "/matchmaker". http.host is anchored on both
#    ends (depth + isdataat:!1,relative). Only plaintext HTTP is inspected; TLS to the same hosts is
#    caught, if at all, by the ip:port rules.
#  * "domain" rule: `alert dns` with the legacy `dns_query` spelling (`dns.query` is the current
#    keyword; confirm the underscore form is still accepted by the Suricata version in use).
# Operational caveats:
#  * sid = "9" + ThreatFox IOC id, i.e. sid 9NNNNNNN <-> threatfox.abuse.ch/ioc/NNNNNNN/.
#  * Direction is outbound only ($HOME_NET -> IOC); inbound scans from these addresses do not alert.
#  * Several entries sit on well-known ports (80, 443, 445) and many addresses look like shared
#    cloud/hosting space. IP IOCs age quickly, so treat a hit as a lead to confirm via the
#    reference URL, not as a block decision on its own.
#  * Confidence is carried in both msg and metadata; the XOR DDoS entries at the end are 75%,
#    everything else in this span is 100%.
#
# Unknown-family C2 on TCP/60000 (ThreatFox IOCs 1251936-1251950)
alert tcp $HOME_NET any -> [39.106.7.95] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251945; rev:1;)
alert tcp $HOME_NET any -> [39.108.11.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251946; rev:1;)
alert tcp $HOME_NET any -> [45.32.8.82] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251947; rev:1;)
alert tcp $HOME_NET any -> [47.76.197.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251948; rev:1;)
alert tcp $HOME_NET any -> [47.95.39.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251949; rev:1;)
alert tcp $HOME_NET any -> [47.108.145.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251950; rev:1;)
alert tcp $HOME_NET any -> [8.130.36.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251937; rev:1;)
alert tcp $HOME_NET any -> [8.134.166.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251938; rev:1;)
alert tcp $HOME_NET any -> [8.138.16.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251939; rev:1;)
alert tcp $HOME_NET any -> [8.141.82.134] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251940; rev:1;)
alert tcp $HOME_NET any -> [14.36.168.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251941; rev:1;)
alert tcp $HOME_NET any -> [16.162.105.39] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251942; rev:1;)
alert tcp $HOME_NET any -> [27.0.232.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251943; rev:1;)
alert tcp $HOME_NET any -> [38.54.85.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251944; rev:1;)
alert tcp $HOME_NET any -> [1.92.66.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251936; rev:1;)
# Cobalt Strike ip:port entries. The same host can appear with several ports, one sid each
# (e.g. 38.147.170.150, 23.94.200.249, 8.217.117.6); a hit on one port is not corroborated by the others.
alert tcp $HOME_NET any -> [38.147.170.150] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251934; rev:1;)
alert tcp $HOME_NET any -> [38.147.170.150] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251935; rev:1;)
alert tcp $HOME_NET any -> [149.104.30.223] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251931; rev:1;)
alert tcp $HOME_NET any -> [149.104.26.45] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251932; rev:1;)
alert tcp $HOME_NET any -> [45.144.136.182] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251933; rev:1;)
alert tcp $HOME_NET any -> [167.179.111.67] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251930; rev:1;)
# NOTE(review): 443/445 entries below fire on any outbound HTTPS/SMB packet to the host -- no protocol check.
alert tcp $HOME_NET any -> [64.176.71.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251926; rev:1;)
alert tcp $HOME_NET any -> [139.180.154.208] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251927; rev:1;)
alert tcp $HOME_NET any -> [45.63.119.177] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251928; rev:1;)
alert tcp $HOME_NET any -> [207.148.109.8] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251929; rev:1;)
alert tcp $HOME_NET any -> [114.115.159.80] 60443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251925; rev:1;)
alert tcp $HOME_NET any -> [117.50.185.133] 6444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251924; rev:1;)
alert tcp $HOME_NET any -> [114.115.174.131] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251923; rev:1;)
alert tcp $HOME_NET any -> [114.115.174.131] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251922; rev:1;)
# RisePro (single entry in this span)
alert tcp $HOME_NET any -> [45.15.156.142] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251921; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.201] 9633 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251919; rev:1;)
alert tcp $HOME_NET any -> [192.227.248.201] 50057 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251920; rev:1;)
alert tcp $HOME_NET any -> [172.245.45.163] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251912; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251913; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251914; rev:1;)
alert tcp $HOME_NET any -> [23.94.200.249] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251915; rev:1;)
alert tcp $HOME_NET any -> [107.172.157.70] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251916; rev:1;)
alert tcp $HOME_NET any -> [107.174.254.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251917; rev:1;)
alert tcp $HOME_NET any -> [107.174.254.9] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251918; rev:1;)
alert tcp $HOME_NET any -> [107.173.114.222] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251911; rev:1;)
# URL IOC for 175.27.137.15 (the same host is listed further down as Cobalt Strike ip:port on 443).
# "/match" resembles a Cobalt Strike default-profile GET URI, but this entry is not family-tagged
# by the feed -- confirm via the reference URL. URI match is prefix-only, case-insensitive (nocase).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"175.27.137.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251907; rev:1;)
alert tcp $HOME_NET any -> [47.236.41.162] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251906; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251903; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251904; rev:1;)
alert tcp $HOME_NET any -> [8.217.117.6] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251905; rev:1;)
alert tcp $HOME_NET any -> [47.76.219.122] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251902; rev:1;)
alert tcp $HOME_NET any -> [8.210.224.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251901; rev:1;)
alert tcp $HOME_NET any -> [8.217.137.245] 60012 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251900; rev:1;)
alert tcp $HOME_NET any -> [47.254.46.30] 60891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251899; rev:1;)
alert tcp $HOME_NET any -> [8.219.0.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251898; rev:1;)
alert tcp $HOME_NET any -> [47.236.111.110] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251897; rev:1;)
# NOTE(review): the 80/443 entries below alert on any outbound web traffic to these hosts; if they
# are (or become) shared hosting, expect benign hits -- check the reference URL before blocking.
alert tcp $HOME_NET any -> [134.122.74.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251896; rev:1;)
alert tcp $HOME_NET any -> [68.183.92.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251895; rev:1;)
alert tcp $HOME_NET any -> [64.227.148.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251894; rev:1;)
alert tcp $HOME_NET any -> [24.144.96.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251893; rev:1;)
alert tcp $HOME_NET any -> [82.157.190.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251888; rev:1;)
alert tcp $HOME_NET any -> [111.231.146.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251889; rev:1;)
alert tcp $HOME_NET any -> [124.222.78.73] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251890; rev:1;)
alert tcp $HOME_NET any -> [150.158.37.125] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251891; rev:1;)
alert tcp $HOME_NET any -> [159.75.188.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251892; rev:1;)
alert tcp $HOME_NET any -> [49.232.129.71] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251884; rev:1;)
alert tcp $HOME_NET any -> [49.235.87.201] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251885; rev:1;)
alert tcp $HOME_NET any -> [62.234.180.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251886; rev:1;)
alert tcp $HOME_NET any -> [81.69.250.247] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251887; rev:1;)
# Cobalt Strike cluster on TCP/808 across 154.219.x.x and 156.232.x.x (IOCs 1251841-1251880).
# Dozens of neighbouring addresses on one unusual port suggest a single operator/hosting block;
# a sweep of hits here from one internal source is more likely a scanner than dozens of beacons.
alert tcp $HOME_NET any -> [156.232.192.113] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251880; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251879; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.142] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251878; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.99] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251877; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.120] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251876; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251875; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.231] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251874; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.227] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251873; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251872; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251871; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251870; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.134] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251869; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.115] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251868; rev:1;)
# 175.27.137.15 on 443 (ip:port); the same host has a plaintext-HTTP URL rule ("/match") above.
alert tcp $HOME_NET any -> [175.27.137.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251867; rev:1;)
# One hostname covered twice: as an HTTP Host header (URL rule) and as a DNS query (domain rule).
# The name appears to be a per-tenant API-gateway service endpoint rather than a dedicated domain,
# so a DNS hit alone shows lookup, not compromise -- correlate with the HTTP/ip:port rules.
# The URL rule only sees plaintext HTTP; the DNS rule fires regardless of what follows the lookup.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251865; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-b7okr3qc-1300276284.nj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251866; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251864; rev:1;)
# URL IOC on a bare-IP Host header; "/fwlink" is prefix-matched (see note at top), so "/fwlink/..." paths also hit.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"139.198.33.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251863; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251862; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251861; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.117] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251860; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.243] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251859; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251858; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251857; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.228] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251856; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251855; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.252] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251854; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251853; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.148] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251852; rev:1;)
alert tcp $HOME_NET any -> [156.232.192.100] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251851; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251850; rev:1;)
alert tcp $HOME_NET any -> [154.219.164.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251849; rev:1;)
alert tcp $HOME_NET any -> [154.219.177.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251848; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.210] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251847; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251846; rev:1;)
alert tcp $HOME_NET any -> [154.219.154.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251845; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251844; rev:1;)
alert tcp $HOME_NET any -> [154.219.151.238] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251843; rev:1;)
alert tcp $HOME_NET any -> [154.219.145.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251842; rev:1;)
alert tcp $HOME_NET any -> [156.232.186.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251841; rev:1;)
# URL IOC on a bare-IP Host header; "/j.ad" is prefix-matched and case-insensitive.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.25.1.52"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251840; rev:1;)
# XOR DDoS: five consecutive addresses 137.175.88.241-.245 on TCP/1430, confidence 75% (lower than
# the rest of this span) -- the reduced confidence is reflected in both msg and metadata.
alert tcp $HOME_NET any -> [137.175.88.241] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251829; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.242] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251830; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.243] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251831; rev:1;)
alert tcp $HOME_NET any -> [137.175.88.244] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251832; rev:1;)
# (rule below continues on the next line of the file)
alert tcp $HOME_NET any -> [137.175.88.245] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1251833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251833; rev:1;) alert tcp $HOME_NET any -> [198.2.217.64] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251834; rev:1;) alert tcp $HOME_NET any -> [198.2.217.65] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251835; rev:1;) alert tcp $HOME_NET any -> [198.2.217.66] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251836; rev:1;) alert tcp $HOME_NET any -> [198.2.217.67] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251837; rev:1;) alert tcp $HOME_NET any -> [198.2.217.68] 1430 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251838; rev:1;) alert tcp $HOME_NET any -> [198.2.217.69] 1430 (msg:"ThreatFox XOR DDoS botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.nnmm234.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.xxcc789.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.jjkk567.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dd.vvbb321.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251827; rev:1;) alert tcp $HOME_NET any -> [8.137.91.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251754/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251754; rev:1;) alert tcp $HOME_NET any -> [8.137.127.73] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251755; rev:1;) alert tcp $HOME_NET any -> [8.130.48.46] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251752; rev:1;) alert tcp $HOME_NET any -> [8.130.165.254] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251753; rev:1;) alert tcp $HOME_NET any -> [8.130.37.38] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251750; rev:1;) alert tcp $HOME_NET any -> [8.130.45.8] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251751; rev:1;) alert tcp $HOME_NET any -> [172.94.8.37] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251748; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251749; rev:1;) alert tcp $HOME_NET any -> [91.92.120.13] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251747; rev:1;) alert tcp $HOME_NET any -> [77.105.219.98] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251745; rev:1;) alert tcp $HOME_NET any -> [88.229.0.76] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251746; rev:1;) alert tcp $HOME_NET any -> [39.100.68.188] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; 
sid:91251756; rev:1;) alert tcp $HOME_NET any -> [39.101.75.126] 37777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251757; rev:1;) alert tcp $HOME_NET any -> [39.103.196.134] 33889 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251758; rev:1;) alert tcp $HOME_NET any -> [39.105.24.180] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251759; rev:1;) alert tcp $HOME_NET any -> [39.105.184.73] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251760; rev:1;) alert tcp $HOME_NET any -> [47.92.140.21] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251761; rev:1;) alert tcp $HOME_NET any -> [47.92.147.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1251762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251762; rev:1;) alert tcp $HOME_NET any -> [47.94.220.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251763; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251764; rev:1;) alert tcp $HOME_NET any -> [47.108.24.97] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251765; rev:1;) alert tcp $HOME_NET any -> [47.108.157.156] 50099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251766; rev:1;) alert tcp $HOME_NET any -> [47.108.180.121] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251767; rev:1;) alert tcp $HOME_NET any -> 
[47.108.254.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251768; rev:1;) alert tcp $HOME_NET any -> [47.113.147.219] 50080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251769; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251770; rev:1;) alert tcp $HOME_NET any -> [47.115.210.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251771; rev:1;) alert tcp $HOME_NET any -> [47.120.45.70] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251772; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 13564 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251774; rev:1;) alert tcp $HOME_NET any -> [47.120.67.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251773; rev:1;) alert tcp $HOME_NET any -> [60.205.2.104] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251775; rev:1;) alert tcp $HOME_NET any -> [101.201.53.70] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251776; rev:1;) alert tcp $HOME_NET any -> [106.14.56.137] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251777; rev:1;) alert tcp $HOME_NET any -> [116.62.4.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251778; rev:1;) alert tcp $HOME_NET any -> [116.62.34.159] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251779; rev:1;) alert tcp $HOME_NET any -> [120.26.102.134] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251780; rev:1;) alert tcp $HOME_NET any -> [120.26.195.1] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251781; rev:1;) alert tcp $HOME_NET any -> [120.55.47.4] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251782; rev:1;) alert tcp $HOME_NET any -> [120.55.183.142] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251783; rev:1;) alert tcp $HOME_NET any -> [121.43.114.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251784/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251784; rev:1;) alert tcp $HOME_NET any -> [121.199.0.54] 14443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251785; rev:1;) alert tcp $HOME_NET any -> [139.224.194.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.donquichottedeladendre-ath.be"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251798/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stanta.co.uk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"juststories.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251800/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kemilektioner.se"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251801/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"support.dotregis.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251802/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cantinalandi.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251803/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"descarca.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251804/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_03_30; classtype:trojan-activity; sid:91251804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"exceloffthegrid.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251805/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anbu.bond"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251742; rev:1;) alert tcp $HOME_NET any -> [167.86.115.184] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251744; rev:1;) alert tcp $HOME_NET any -> [195.10.205.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251741; rev:1;) alert tcp $HOME_NET any -> [2.58.56.109] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251743; rev:1;) alert tcp $HOME_NET any -> [89.213.140.115] 443 
(msg:"ThreatFox Nova Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.213.140.115.nerozix.ovh"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onsttuiona.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251737; rev:1;) alert tcp $HOME_NET any -> [185.224.128.34] 33335 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251739; rev:1;) alert tcp $HOME_NET any -> [185.196.10.58] 5140 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/mauqes.rar"; depth:20; nocase; 
http.host; content:"www.gamerforyou.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"bitonecore.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/scl/fi/8xgv80zsbs5mp92wr3xrj/onebit-core.zip"; depth:45; nocase; http.host; content:"www.dropbox.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251716; rev:1;) alert tcp $HOME_NET any -> [176.113.115.229] 36576 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_30; classtype:trojan-activity; sid:91251732; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 14500 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251712/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_30; classtype:trojan-activity; sid:91251712; rev:1;) alert tcp $HOME_NET any -> [92.63.192.108] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1251824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251824; rev:1;) alert tcp $HOME_NET any -> [147.182.199.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251823; rev:1;) alert tcp $HOME_NET any -> [77.221.156.22] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251822; rev:1;) alert tcp $HOME_NET any -> [143.198.54.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251821; rev:1;) alert tcp $HOME_NET any -> [45.207.36.45] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251820; rev:1;) alert tcp $HOME_NET any -> [104.161.53.196] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251819; rev:1;) alert tcp $HOME_NET any -> [125.209.169.44] 
443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251818; rev:1;) alert tcp $HOME_NET any -> [41.96.180.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251817; rev:1;) alert tcp $HOME_NET any -> [97.118.60.71] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251816; rev:1;) alert tcp $HOME_NET any -> [140.246.157.86] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251815; rev:1;) alert tcp $HOME_NET any -> [110.40.133.81] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251814; rev:1;) alert tcp $HOME_NET any -> [92.116.39.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; 
classtype:trojan-activity; sid:91251813; rev:1;) alert tcp $HOME_NET any -> [185.234.216.209] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251812; rev:1;) alert tcp $HOME_NET any -> [8.219.236.149] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251811; rev:1;) alert tcp $HOME_NET any -> [217.182.79.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251810; rev:1;) alert tcp $HOME_NET any -> [217.237.82.88] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251809; rev:1;) alert tcp $HOME_NET any -> [121.127.33.69] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mozi.m"; depth:7; nocase; http.host; content:"27.215.123.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251807; rev:1;) alert tcp $HOME_NET any -> [193.233.132.108] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_30; classtype:trojan-activity; sid:91251806; rev:1;) alert tcp $HOME_NET any -> [194.67.193.69] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251797/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_30; classtype:trojan-activity; sid:91251797; rev:1;) alert tcp $HOME_NET any -> [154.219.154.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251795; rev:1;) alert tcp $HOME_NET any -> [154.219.177.155] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251794; rev:1;) alert tcp $HOME_NET any -> [156.232.186.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251793/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251793; rev:1;) alert tcp $HOME_NET any -> [43.240.48.69] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251792; rev:1;) alert tcp $HOME_NET any -> [154.219.177.131] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251791; rev:1;) alert tcp $HOME_NET any -> [154.219.151.245] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251790; rev:1;) alert tcp $HOME_NET any -> [94.156.8.44] 4787 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251789; rev:1;) alert tcp $HOME_NET any -> [217.63.234.90] 1313 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251788; rev:1;) alert tcp $HOME_NET any -> [193.233.132.108] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0935883.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251740; rev:1;) alert tcp $HOME_NET any -> [185.216.70.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251731/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251731; rev:1;) alert tcp $HOME_NET any -> [195.133.88.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251730/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251730; rev:1;) alert tcp $HOME_NET any -> [174.138.63.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251729/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251729; rev:1;) alert tcp $HOME_NET any -> [45.207.36.33] 2086 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251728/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251728; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12853 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251727/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251727; rev:1;) alert tcp $HOME_NET any -> [45.241.43.95] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251726; rev:1;) alert tcp $HOME_NET any -> [2.50.51.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251725; rev:1;) alert tcp $HOME_NET any -> [185.239.209.56] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251724; rev:1;) alert tcp $HOME_NET any -> [62.171.158.126] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251723; rev:1;) alert tcp $HOME_NET any -> [45.77.255.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1251722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251722; rev:1;) alert tcp $HOME_NET any -> [183.36.40.98] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251721; rev:1;) alert tcp $HOME_NET any -> [103.169.126.238] 44447 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251720; rev:1;) alert tcp $HOME_NET any -> [164.90.238.212] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251719; rev:1;) alert tcp $HOME_NET any -> [210.215.129.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251718; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91251714; rev:1;) alert tcp $HOME_NET any -> [162.120.71.68] 4483 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"widur.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.176.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.221.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"widur.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; 
sid:91251708; rev:1;) alert tcp $HOME_NET any -> [95.216.176.246] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251706; rev:1;) alert tcp $HOME_NET any -> [78.47.221.177] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251707; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251705; rev:1;) alert tcp $HOME_NET any -> [156.232.192.122] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251704; rev:1;) alert tcp $HOME_NET any -> [154.219.154.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251703; rev:1;) alert tcp $HOME_NET any -> [156.232.192.103] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1251702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251702; rev:1;) alert tcp $HOME_NET any -> [154.219.154.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251701; rev:1;) alert tcp $HOME_NET any -> [156.232.192.104] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251700; rev:1;) alert tcp $HOME_NET any -> [43.240.48.103] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251699; rev:1;) alert tcp $HOME_NET any -> [154.219.154.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251698; rev:1;) alert tcp $HOME_NET any -> [154.219.151.235] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251697; rev:1;) alert tcp $HOME_NET any -> 
[156.232.186.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251696; rev:1;) alert tcp $HOME_NET any -> [154.219.154.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251695; rev:1;) alert tcp $HOME_NET any -> [156.232.192.109] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251694; rev:1;) alert tcp $HOME_NET any -> [154.219.151.236] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251693; rev:1;) alert tcp $HOME_NET any -> [154.219.151.239] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251692; rev:1;) alert tcp $HOME_NET any -> [156.232.186.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251691; rev:1;) alert tcp $HOME_NET any -> [156.232.186.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251690; rev:1;) alert tcp $HOME_NET any -> [154.219.163.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251689; rev:1;) alert tcp $HOME_NET any -> [154.219.163.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251688; rev:1;) alert tcp $HOME_NET any -> [43.240.48.121] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251687; rev:1;) alert tcp $HOME_NET any -> [45.156.217.9] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251686; rev:1;) alert tcp $HOME_NET any -> [154.219.177.132] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251685; rev:1;) alert tcp $HOME_NET any -> [154.219.177.139] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251684; rev:1;) alert tcp $HOME_NET any -> [156.232.186.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251683; rev:1;) alert tcp $HOME_NET any -> [154.219.177.157] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251682; rev:1;) alert tcp $HOME_NET any -> [154.219.177.153] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251681; rev:1;) alert tcp $HOME_NET any -> [154.219.163.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251680/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251680; rev:1;) alert tcp $HOME_NET any -> [156.232.186.203] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251679; rev:1;) alert tcp $HOME_NET any -> [154.219.177.145] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251678; rev:1;) alert tcp $HOME_NET any -> [156.232.192.107] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251677; rev:1;) alert tcp $HOME_NET any -> [154.219.145.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251676; rev:1;) alert tcp $HOME_NET any -> [154.219.177.152] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251675; rev:1;) alert tcp $HOME_NET any -> [154.219.145.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251674; rev:1;) alert tcp $HOME_NET any -> [156.232.186.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ezshipsy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"edulokam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251434; rev:1;) 
alert tcp $HOME_NET any -> [5.181.156.5] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"jsluna.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251437; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 5491 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"registration-nil.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251653/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; 
sid:91251653; rev:1;) alert tcp $HOME_NET any -> [154.219.177.149] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251672; rev:1;) alert tcp $HOME_NET any -> [156.232.192.118] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251671; rev:1;) alert tcp $HOME_NET any -> [154.219.154.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251670; rev:1;) alert tcp $HOME_NET any -> [156.232.192.108] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251669; rev:1;) alert tcp $HOME_NET any -> [122.10.78.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251668; rev:1;) alert tcp $HOME_NET any -> [154.219.151.251] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1251667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251667; rev:1;) alert tcp $HOME_NET any -> [154.219.151.234] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251666; rev:1;) alert tcp $HOME_NET any -> [154.219.163.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251665; rev:1;) alert tcp $HOME_NET any -> [156.232.192.119] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251664; rev:1;) alert tcp $HOME_NET any -> [45.156.217.2] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251663; rev:1;) alert tcp $HOME_NET any -> [156.232.186.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251662; rev:1;) alert tcp $HOME_NET any -> 
[43.240.48.67] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251661; rev:1;) alert tcp $HOME_NET any -> [156.232.186.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251660; rev:1;) alert tcp $HOME_NET any -> [154.219.163.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251659; rev:1;) alert tcp $HOME_NET any -> [154.219.151.237] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251658; rev:1;) alert tcp $HOME_NET any -> [154.219.145.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251657; rev:1;) alert tcp $HOME_NET any -> [154.219.151.246] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251656; rev:1;) alert tcp $HOME_NET any -> [154.219.151.233] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251655; rev:1;) alert tcp $HOME_NET any -> [154.219.163.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmtojssqldblinuxtrafficlocal.php"; depth:33; nocase; http.host; content:"131217cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251651; rev:1;) alert tcp $HOME_NET any -> [8.218.29.187] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.212"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251304/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.125"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.78"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.12.98"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.152"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.137.207.144"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251310/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.71"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.188.19"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251313; rev:1;)
# NOTE(review): sid 91251315 below tests http.host for the literal "http" (content:"http"; depth:4; isdataat:!1,relative)
# and http.uri for "//84.54.51.144:7070". That looks like the source URL was split on its first ':' rather than parsed,
# so the Host buffer would have to be exactly "http" -- no real Host header is, and the rule will never fire, leaving
# this IoC uncovered. Confirm against threatfox.abuse.ch/ioc/1251315/ and regenerate with the IP in http.host (and the
# port/path in http.uri if the entry carries one). The bare-IP rules on this line (sid 91251311-91251314) match the IP at
# offset 0 of http.uri with no http.host check; a request path normally starts with '/', so verify those entries too.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"//84.54.51.144:7070"; depth:19; nocase; http.host; content:"http"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.205"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251314/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.208"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.207"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.107"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.195"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.132"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"84.54.51.206"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"2.58.95.55"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.138"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.81.230.244"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"54.39.67.23"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251324; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.132.100"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.211.81"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.162.3"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.222.196.58"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.59.65.43"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"15.204.22.165"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.196.244.80"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"142.44.236.7"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.44"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.9"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.8"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.91.127.66"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"144.172.73.20"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.53"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.200"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.41"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.2"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1251345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.37"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"23.160.193.4"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.194.10"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"158.51.96.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.160.193.106"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"198.98.57.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"198.98.58.246"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"199.195.251.103"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.141.35.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.51"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.255.74"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.71.193"; depth:13; nocase; 
reference:url, threatfox.abuse.ch/ioc/1251356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.137.203.236"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.103.253.34"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"41.216.182.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"195.58.39.34"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.82.135.217"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1251361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"86.104.194.180"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.107.139.159"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.4.235.175"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"93.123.85.59"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.148.241.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251366/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.249.48.147"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1251367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.64"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1251368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.171.121.161"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"betaproxy.herios-stresser.space"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251370/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chrysler.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chryslernetwork.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.cloud"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251375/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kane.kingswoklongwood.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxys.herios-stress.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251374/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gorillaproxy.su"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251376/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"balkanskiskidovi.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251377/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blyndz.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251378/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"egirls.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251379/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"holding.homes"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251380/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"santa.army"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251381/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"seized.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1251382/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stitch.army"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251383/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"caovh.lol"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ddos.nekofish.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"metis-kill-faggots.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"niggakilla.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; 
sid:91251387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"proxy.iswearimnotgay.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251388/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.140.141.160"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.90.13.164"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1251303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.141.202.162"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"poggo-proxy.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251392/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tomware.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251389/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dash.authillusion.online"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"eternalservices.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"frostedfamily.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251393/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeicjslvodjfklllf.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251394/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aemvieudjkscbbb.top"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251395/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aenbcisbflkdjjjccc.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251396/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"aeocidkcsjxxcxcc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251397/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xs.ooxxoxox.win"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251398/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a.refusal.biz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bl.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251400/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cafe.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251401/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"info.refusal.biz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251402/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"refusal.biz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251403/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"report.refusal.biz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sb.refusal.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alo.taxido.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wyng.whiting.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"fleurs-parfaites.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cdnet-web.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251409/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.254.198.211"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparac2.xyz"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalparadisec2.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madeyourbackup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251413; rev:1;) alert tcp $HOME_NET any -> [103.173.178.208] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251428/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ap.akdns.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251429/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251429; rev:1;) alert tcp $HOME_NET any -> [91.92.253.144] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251427; rev:1;) alert tcp $HOME_NET any -> [47.120.13.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.218.29.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251425; rev:1;) alert tcp $HOME_NET any -> [185.172.128.120] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/faqpage.js"; depth:11; nocase; http.host; content:"averatechsolutions.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1251422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"averatechsolutions.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"212.129.223.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251421; rev:1;) alert tcp $HOME_NET any -> [3.133.159.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"3.133.159.129"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ipv6test/test"; depth:14; nocase; http.host; content:"47.113.179.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251418; rev:1;) alert tcp $HOME_NET any -> [92.63.193.141] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251416; rev:1;) alert tcp $HOME_NET any -> [170.64.236.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"170.64.236.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251414; rev:1;) alert tcp $HOME_NET any -> [43.240.48.124] 809 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251301; rev:1;) alert tcp $HOME_NET any -> [154.219.164.198] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251300; rev:1;) alert tcp $HOME_NET any -> [154.219.151.253] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251299; rev:1;) alert tcp $HOME_NET any -> [154.219.164.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251298; rev:1;) alert tcp $HOME_NET any -> [154.219.154.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251297; rev:1;) alert tcp $HOME_NET any -> [156.232.186.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251296/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251296; rev:1;) alert tcp $HOME_NET any -> [154.219.151.241] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251295; rev:1;) alert tcp $HOME_NET any -> [43.240.49.188] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251293; rev:1;) alert tcp $HOME_NET any -> [154.219.154.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251292; rev:1;) alert tcp $HOME_NET any -> [43.240.48.97] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251291; rev:1;) alert tcp $HOME_NET any -> 
[156.232.192.124] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251290; rev:1;) alert tcp $HOME_NET any -> [154.219.145.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251289; rev:1;) alert tcp $HOME_NET any -> [154.219.163.82] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251288; rev:1;) alert tcp $HOME_NET any -> [156.232.192.112] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251287; rev:1;) alert tcp $HOME_NET any -> [154.219.154.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251286; rev:1;) alert tcp $HOME_NET any -> [43.240.48.111] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251285; rev:1;) alert tcp $HOME_NET any -> [43.240.49.183] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251284; rev:1;) alert tcp $HOME_NET any -> [156.232.192.110] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251283; rev:1;) alert tcp $HOME_NET any -> [45.156.217.49] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251282; rev:1;) alert tcp $HOME_NET any -> [156.232.186.205] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251281; rev:1;) alert tcp $HOME_NET any -> [156.232.192.126] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251280; rev:1;) alert tcp $HOME_NET any -> [154.219.177.133] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251279; rev:1;) alert tcp $HOME_NET any -> [154.219.151.232] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251278; rev:1;) alert tcp $HOME_NET any -> [156.232.192.116] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251277; rev:1;) alert tcp $HOME_NET any -> [154.219.151.249] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251276; rev:1;) alert tcp $HOME_NET any -> [154.219.145.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251275; rev:1;) alert tcp $HOME_NET any -> [154.219.145.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251274/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251274; rev:1;) alert tcp $HOME_NET any -> [154.219.145.91] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251273; rev:1;) alert tcp $HOME_NET any -> [154.219.177.135] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251272; rev:1;) alert tcp $HOME_NET any -> [43.240.49.154] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251271; rev:1;) alert tcp $HOME_NET any -> [154.219.145.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251270; rev:1;) alert tcp $HOME_NET any -> [156.232.192.111] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251269; rev:1;) alert tcp $HOME_NET any -> [92.63.193.141] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gays.egorvlasov.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"gays.egorvlasov.ru"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251266; rev:1;) alert tcp $HOME_NET any -> [154.219.145.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251265; rev:1;) alert tcp $HOME_NET any -> [156.232.192.105] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251264; rev:1;) alert tcp $HOME_NET any -> [154.219.177.147] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1251263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251263; rev:1;) alert tcp $HOME_NET any -> [154.219.151.230] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251262; rev:1;) alert tcp $HOME_NET any -> [154.219.177.137] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251261; rev:1;) alert tcp $HOME_NET any -> [154.219.145.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251260; rev:1;) alert tcp $HOME_NET any -> [43.240.49.141] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251259; rev:1;) alert tcp $HOME_NET any -> [43.240.49.176] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251258; rev:1;) alert tcp $HOME_NET any -> 
[154.219.163.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251257; rev:1;) alert tcp $HOME_NET any -> [43.240.48.126] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251256; rev:1;) alert tcp $HOME_NET any -> [154.219.177.150] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251255; rev:1;) alert tcp $HOME_NET any -> [43.240.49.184] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251254; rev:1;) alert tcp $HOME_NET any -> [45.156.217.12] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251253; rev:1;) alert tcp $HOME_NET any -> [154.219.151.248] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1251252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251252; rev:1;) alert tcp $HOME_NET any -> [154.219.164.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251251; rev:1;) alert tcp $HOME_NET any -> [154.219.154.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251250; rev:1;) alert tcp $HOME_NET any -> [45.156.217.42] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251249; rev:1;) alert tcp $HOME_NET any -> [43.240.49.132] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251248; rev:1;) alert tcp $HOME_NET any -> [156.232.186.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251247; rev:1;) alert tcp $HOME_NET any -> [156.232.186.217] 808 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251246; rev:1;) alert tcp $HOME_NET any -> [154.219.163.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251245; rev:1;) alert tcp $HOME_NET any -> [154.219.154.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251244; rev:1;) alert tcp $HOME_NET any -> [156.232.186.219] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251243; rev:1;) alert tcp $HOME_NET any -> [43.240.49.147] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251242; rev:1;) alert tcp $HOME_NET any -> [154.219.145.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251241/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251241; rev:1;) alert tcp $HOME_NET any -> [43.240.48.71] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251240; rev:1;) alert tcp $HOME_NET any -> [154.219.145.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251239; rev:1;) alert tcp $HOME_NET any -> [154.219.151.247] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251238; rev:1;) alert tcp $HOME_NET any -> [156.232.186.204] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251237; rev:1;) alert tcp $HOME_NET any -> [154.219.145.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251236; rev:1;) alert tcp $HOME_NET any -> [154.219.154.66] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251235; rev:1;) alert tcp $HOME_NET any -> [156.232.186.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251234; rev:1;) alert tcp $HOME_NET any -> [154.219.145.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251233; rev:1;) alert tcp $HOME_NET any -> [154.219.154.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251232; rev:1;) alert tcp $HOME_NET any -> [154.219.177.151] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251231; rev:1;) alert tcp $HOME_NET any -> [43.240.49.145] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251230; rev:1;) alert tcp $HOME_NET any -> [154.219.154.92] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251229; rev:1;) alert tcp $HOME_NET any -> [154.219.154.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251228; rev:1;) alert tcp $HOME_NET any -> [154.219.151.254] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251227; rev:1;) alert tcp $HOME_NET any -> [154.219.154.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"82.157.44.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251225; rev:1;) alert tcp $HOME_NET any -> [43.240.48.98] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251224; rev:1;) alert tcp $HOME_NET any -> [154.219.177.138] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251223; rev:1;) alert tcp $HOME_NET any -> [156.232.186.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251222; rev:1;) alert tcp $HOME_NET any -> [154.219.154.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251221; rev:1;) alert tcp $HOME_NET any -> [154.219.145.83] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251220; rev:1;) alert tcp $HOME_NET any -> [156.232.186.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251219/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251219; rev:1;) alert tcp $HOME_NET any -> [154.219.154.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251218; rev:1;) alert tcp $HOME_NET any -> [154.219.145.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251217; rev:1;) alert tcp $HOME_NET any -> [156.232.192.98] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251216; rev:1;) alert tcp $HOME_NET any -> [154.219.145.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251215; rev:1;) alert tcp $HOME_NET any -> [154.219.151.226] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251214; rev:1;) alert tcp $HOME_NET any -> [154.219.177.136] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251213; rev:1;) alert tcp $HOME_NET any -> [43.240.49.135] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251212; rev:1;) alert tcp $HOME_NET any -> [156.232.192.114] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251211; rev:1;) alert tcp $HOME_NET any -> [154.219.145.93] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251210; rev:1;) alert tcp $HOME_NET any -> [154.219.177.144] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251209; rev:1;) alert tcp $HOME_NET any -> [154.219.163.75] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"161.35.168.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251207; rev:1;) alert tcp $HOME_NET any -> [156.232.192.123] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251206; rev:1;) alert tcp $HOME_NET any -> [154.219.154.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251205; rev:1;) alert tcp $HOME_NET any -> [43.240.49.185] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251204; rev:1;) alert tcp $HOME_NET any -> [156.232.192.102] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251203; rev:1;) alert tcp $HOME_NET any -> [45.156.217.5] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251202; rev:1;) alert tcp $HOME_NET any -> [154.219.177.154] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251201; rev:1;) alert tcp $HOME_NET any -> [43.240.48.83] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251200; rev:1;) alert tcp $HOME_NET any -> [156.232.186.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251199; rev:1;) alert tcp $HOME_NET any -> [45.156.217.37] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251198; rev:1;) alert tcp $HOME_NET any -> [154.219.151.229] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251197/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251197; rev:1;) alert tcp $HOME_NET any -> [154.219.154.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251196; rev:1;) alert tcp $HOME_NET any -> [154.219.177.158] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251195; rev:1;) alert tcp $HOME_NET any -> [154.219.177.146] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251194; rev:1;) alert tcp $HOME_NET any -> [43.240.49.177] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251193; rev:1;) alert tcp $HOME_NET any -> [154.219.145.68] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251190; rev:1;) alert tcp $HOME_NET any -> [154.219.145.71] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251189; rev:1;) alert tcp $HOME_NET any -> [154.219.151.244] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251188; rev:1;) alert tcp $HOME_NET any -> [156.232.186.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251187; rev:1;) alert tcp $HOME_NET any -> [43.240.49.163] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251186; rev:1;) alert tcp $HOME_NET any -> [156.232.192.106] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251185; rev:1;) alert tcp $HOME_NET any -> [154.219.177.141] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251158; rev:1;) alert tcp $HOME_NET any -> [154.219.145.88] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251183; rev:1;) alert tcp $HOME_NET any -> [156.232.186.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91251182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawapi.nekololis.ovh"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tomhxhk.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"cnc.hxhk.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hxhk.cc"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251151; rev:1;) alert tcp $HOME_NET any -> [77.73.68.225] 1688 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251147; rev:1;) alert tcp $HOME_NET any -> [193.35.18.62] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251148/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_29; classtype:trojan-activity; sid:91251148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.hxhk.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251149; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251138/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251138; rev:1;) alert tcp $HOME_NET any -> [147.78.103.94] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251140/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251140; rev:1;) alert tcp $HOME_NET any -> [197.253.114.16] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251137/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251137; rev:1;) alert tcp $HOME_NET any -> [177.165.108.44] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251139; rev:1;) alert tcp $HOME_NET any -> [162.20.184.46] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251136/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251136; rev:1;) alert tcp $HOME_NET any -> [154.219.151.240] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251181; rev:1;) alert tcp $HOME_NET any -> [193.35.18.56] 65490 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251115; rev:1;) alert tcp $HOME_NET any -> [45.13.226.34] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251123; rev:1;) alert tcp $HOME_NET any -> [185.117.3.184] 3569 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251124; rev:1;) alert tcp $HOME_NET any -> [34.125.17.32] 6668 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251125; rev:1;) alert tcp $HOME_NET any -> [213.129.216.207] 23 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251126; rev:1;) alert tcp $HOME_NET any -> [93.123.85.73] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251127; rev:1;) alert tcp $HOME_NET any -> [67.217.60.78] 7854 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251128; rev:1;) alert tcp $HOME_NET any -> [118.227.92.21] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251129; rev:1;) alert tcp $HOME_NET any -> [185.196.8.213] 6789 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhbaghjbasdg.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251132/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.nekololis.ovh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subphattai.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.35.249.113"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1251162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nt.zua6.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"103.173.178.208"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1251163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251163; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bt.zoml.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw1.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anti-ddos.io.vn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mainnetwork.sysromeu.eu.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdh32fsdfhs.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251171; rev:1;) alert tcp $HOME_NET any -> [156.232.192.125] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251180; rev:1;) alert tcp $HOME_NET any -> [154.219.154.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251179; rev:1;) alert tcp $HOME_NET any -> [154.219.164.201] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251178; rev:1;) alert tcp $HOME_NET any -> [43.240.49.140] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251177/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_29; classtype:trojan-activity; sid:91251177; rev:1;) alert tcp $HOME_NET any -> [154.219.145.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251176; rev:1;) alert tcp $HOME_NET any -> [154.219.177.140] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251175; rev:1;) alert tcp $HOME_NET any -> [154.219.145.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251174; rev:1;) alert tcp $HOME_NET any -> [156.232.186.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"sares.xyz"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.125.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251144; rev:1;) alert tcp $HOME_NET any -> [49.13.125.250] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251142; rev:1;) alert tcp $HOME_NET any -> [159.69.102.165] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sares.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blogs/skinny/bleat/index.php"; depth:29; nocase; http.host; content:"gammaproject.dev"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251135/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91251135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/medical/plan/oslo/posting/index.php"; depth:36; nocase; http.host; content:"somakop.app"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic/link/posting/index.php"; depth:31; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1251133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251133; rev:1;) alert tcp $HOME_NET any -> [121.40.119.94] 8087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251130; rev:1;) alert tcp $HOME_NET any -> [95.216.41.236] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251122/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_29; classtype:trojan-activity; sid:91251122; rev:1;) alert tcp $HOME_NET any -> [86.106.20.179] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251121; rev:1;) alert tcp $HOME_NET any -> [47.99.177.59] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1251120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91251120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"somakop.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dumingas.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iseberkis.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"musarno.app"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1251119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91251119; rev:1;) alert tcp $HOME_NET any -> [95.214.53.95] 57896 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250910; rev:1;) alert tcp $HOME_NET any -> [69.53.121.162] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250908; rev:1;) alert tcp $HOME_NET any -> [90.62.10.177] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250909; rev:1;) alert tcp $HOME_NET any -> [46.39.224.38] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250906; rev:1;) alert tcp $HOME_NET any -> [47.97.41.73] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250907; rev:1;) alert tcp $HOME_NET any -> [1.9.177.252] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250904; rev:1;) alert tcp $HOME_NET any -> [5.102.157.70] 4872 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250905; rev:1;) alert tcp $HOME_NET any -> [101.43.109.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250894; rev:1;) alert tcp $HOME_NET any -> [106.53.213.253] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250895; rev:1;) alert tcp $HOME_NET any -> [62.234.55.243] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250896; rev:1;) alert tcp $HOME_NET any -> [81.71.153.127] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250897; rev:1;) alert tcp $HOME_NET any -> [101.34.93.112] 40045 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250898; rev:1;) alert tcp $HOME_NET any -> [192.227.177.214] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250899; rev:1;) alert tcp $HOME_NET any -> [172.214.98.73] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250900; rev:1;) alert tcp $HOME_NET any -> [170.130.55.130] 445 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250901; rev:1;) alert tcp $HOME_NET any -> [82.156.211.202] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250902; rev:1;) alert tcp $HOME_NET any -> 
[80.77.23.102] 48129 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250903; rev:1;) alert tcp $HOME_NET any -> [43.139.21.199] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250892; rev:1;) alert tcp $HOME_NET any -> [43.143.112.156] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250893; rev:1;) alert tcp $HOME_NET any -> [1.13.169.95] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250891; rev:1;) alert tcp $HOME_NET any -> [119.29.238.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250890; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 84 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250888/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250888; rev:1;) alert tcp $HOME_NET any -> [106.55.225.79] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250889; rev:1;) alert tcp $HOME_NET any -> [124.220.148.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250885; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250886; rev:1;) alert tcp $HOME_NET any -> [111.231.18.116] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250887; rev:1;) alert tcp $HOME_NET any -> [123.60.79.118] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250882; rev:1;) alert tcp $HOME_NET any -> [1.94.132.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250883; rev:1;) alert tcp $HOME_NET any -> [212.129.223.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250884; rev:1;) alert tcp $HOME_NET any -> [139.9.193.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250881; rev:1;) alert tcp $HOME_NET any -> [93.123.39.57] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250966; rev:1;) alert tcp $HOME_NET any -> [45.67.230.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250965; rev:1;) alert tcp $HOME_NET any -> [185.216.70.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250964/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_29; classtype:trojan-activity; sid:91250964; rev:1;) alert tcp $HOME_NET any -> [124.13.185.107] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250911; rev:1;) alert tcp $HOME_NET any -> [124.223.48.86] 4285 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250912; rev:1;) alert tcp $HOME_NET any -> [161.97.162.173] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250913; rev:1;) alert tcp $HOME_NET any -> [172.111.148.62] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250914; rev:1;) alert tcp $HOME_NET any -> [172.111.148.69] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250915; rev:1;) alert tcp $HOME_NET any -> [184.107.123.217] 1990 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250916; rev:1;) alert tcp $HOME_NET any -> [189.78.187.139] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250917; rev:1;) alert tcp $HOME_NET any -> [191.82.209.29] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250918; rev:1;) alert tcp $HOME_NET any -> [198.167.201.212] 19132 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250919; rev:1;) alert tcp $HOME_NET any -> [43.129.74.117] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250963; rev:1;) alert tcp $HOME_NET any -> [1.92.98.76] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250879; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm"; depth:17; nocase; http.host; content:"kamalankaranda.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250853; rev:1;) alert tcp $HOME_NET any -> [104.194.9.116] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kanardansaydan1.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"sayankarakam2.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; 
content:"prizurisaby.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nmvmzmjlzta2mdnm/"; depth:18; nocase; http.host; content:"kamanbarsayan.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/odlimzblmgq5oguz/"; depth:18; nocase; http.host; content:"iakyanalica.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250848; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250847; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250846/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"zero.bbxstresser.cloud"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1250837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cnc.bbxstresser.cloud"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1250838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"api.ngocphong.space"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1250839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stress.ngocphong.space"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1250840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ramagans.id"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1250841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"141.98.7.211"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.223"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.226"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.228"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250845; rev:1;) alert tcp $HOME_NET any -> [107.175.35.40] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250962; rev:1;) alert tcp $HOME_NET any -> [38.6.190.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure01-redirect.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250599/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servicehelper.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250594; rev:1;) alert tcp $HOME_NET any -> [34.162.170.92] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250598/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amandaxthomas.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cynthiaoperez.geek"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wowyoursocute.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"peterhware.dyn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sydneyrmartinez.geek"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ashleyobyrd.oss"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richardpjones.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"luiseryan.oss"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"robertmlewis.dyn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliciacmorton.oss"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailbot.geek"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jiggaboo.oss"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kimberlyngomez.geek"; depth:19; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1250581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yoursocuteong.dyn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brianystafford.geek"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfdopospdofpsdo.dyn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.226"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250577/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haytoplokezdolezdominec.net"; depth:27; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1250920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hakolgemezedod.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250921; rev:1;) alert tcp $HOME_NET any -> [104.21.50.30] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_29; classtype:trojan-activity; sid:91250927; rev:1;) alert tcp $HOME_NET any -> [46.246.82.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250960; rev:1;) alert tcp $HOME_NET any -> [72.27.97.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250959; rev:1;) alert tcp $HOME_NET any -> [41.97.143.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; 
classtype:trojan-activity; sid:91250958; rev:1;) alert tcp $HOME_NET any -> [64.227.25.183] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250957/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250957; rev:1;) alert tcp $HOME_NET any -> [101.33.35.171] 10000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250956; rev:1;) alert tcp $HOME_NET any -> [52.173.131.28] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250955/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250955; rev:1;) alert tcp $HOME_NET any -> [192.52.166.37] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250954/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webstat.page"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softkey.app"; depth:11; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sweetapp.page"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8polldbvoiddb/datalifeflowerwp/processbasemariadb1/defaultbigloadpython/generator/videolowupdatedbasync.php"; depth:108; nocase; http.host; content:"89.23.98.225"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250931; rev:1;) alert tcp $HOME_NET any -> [119.91.209.244] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250930/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250930; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250929; rev:1;) alert tcp $HOME_NET any -> [39.100.86.42] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_29; classtype:trojan-activity; sid:91250928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"spencerstuartllc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_29; classtype:trojan-activity; sid:91250926; rev:1;) alert tcp $HOME_NET any -> [160.176.152.91] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; content:"spencerstuartllc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250924; rev:1;) alert tcp $HOME_NET any -> [41.216.183.150] 32356 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; 
content:"ct22043.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_29; classtype:trojan-activity; sid:91250922; rev:1;) alert tcp $HOME_NET any -> [154.219.151.242] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250880; rev:1;) alert tcp $HOME_NET any -> [45.156.217.3] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250878; rev:1;) alert tcp $HOME_NET any -> [91.92.243.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"91.92.243.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250876; rev:1;) alert tcp $HOME_NET any -> [45.156.217.25] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250875; rev:1;) alert tcp $HOME_NET any -> [45.156.217.29] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250874; rev:1;) alert tcp $HOME_NET any -> [43.240.48.84] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250873; rev:1;) alert tcp $HOME_NET any -> [154.219.164.197] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250872; rev:1;) alert tcp $HOME_NET any -> [43.240.49.146] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250871; rev:1;) alert tcp $HOME_NET any -> [45.156.217.21] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250870; rev:1;) alert tcp $HOME_NET any -> [120.46.152.202] 
443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250869; rev:1;) alert tcp $HOME_NET any -> [45.156.217.47] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/~zadmin/ptr5/mono.php"; depth:22; nocase; http.host; content:"31.220.1.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e64f36763e423a50.php"; depth:21; nocase; http.host; content:"193.233.132.241"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250865; rev:1;) alert tcp $HOME_NET any -> [188.120.248.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250864; rev:1;) alert tcp $HOME_NET any -> 
[139.180.218.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250863; rev:1;) alert tcp $HOME_NET any -> [202.182.107.193] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250862; rev:1;) alert tcp $HOME_NET any -> [39.101.70.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250861; rev:1;) alert tcp $HOME_NET any -> [70.31.125.206] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250860; rev:1;) alert tcp $HOME_NET any -> [184.20.220.17] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250859/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250859; rev:1;) alert tcp $HOME_NET any -> [3.86.233.198] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250858/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250858; rev:1;) alert tcp $HOME_NET any -> [92.116.36.212] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250857/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250857; rev:1;) alert tcp $HOME_NET any -> [192.121.162.196] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250856/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250856; rev:1;) alert tcp $HOME_NET any -> [151.236.16.211] 33367 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250855/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250855; rev:1;) alert tcp $HOME_NET any -> [64.176.80.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cowspidzu.pro"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"muratinue.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"certifacto.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bladisuka.red"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250833; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15422 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250832; rev:1;) alert tcp $HOME_NET any -> [185.196.11.223] 1339 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"141.98.7.228"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250574/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bbxstresser.llc"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1250575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"brebes-bx.id"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1250576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpipepythongeoupdatebigloaddownloads.php"; depth:48; nocase; http.host; content:"opratio.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"122.112.192.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250611; rev:1;) alert tcp $HOME_NET any -> [122.51.7.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-ps16whvt-1304800271.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/socialapiversion=1.1"; depth:21; nocase; http.host; content:"43.134.228.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250605; rev:1;) 
alert tcp $HOME_NET any -> [43.134.228.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"45.133.238.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250603; rev:1;) alert tcp $HOME_NET any -> [45.133.238.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"5.161.242.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250602; rev:1;) alert tcp $HOME_NET any -> [154.219.154.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250601; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"59.110.172.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250595; rev:1;) alert tcp $HOME_NET any -> [45.156.217.43] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250573; rev:1;) alert tcp $HOME_NET any -> [154.219.163.79] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250572; rev:1;) alert tcp $HOME_NET any -> [43.240.48.102] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250571; rev:1;) alert tcp $HOME_NET any -> [45.156.217.35] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250570; rev:1;) alert tcp $HOME_NET any -> [43.240.48.70] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250569; rev:1;) alert tcp $HOME_NET any -> [154.219.163.90] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250568; rev:1;) alert tcp $HOME_NET any -> [45.156.217.60] 809 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250567; rev:1;) alert tcp $HOME_NET any -> [154.219.163.72] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250566; rev:1;) alert tcp $HOME_NET any -> [154.219.164.213] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250565; rev:1;) alert tcp $HOME_NET any -> [45.156.217.24] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250564; rev:1;) alert tcp $HOME_NET any -> [154.216.54.202] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250563; rev:1;) alert tcp $HOME_NET any -> [45.156.217.26] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250562/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250562; rev:1;) alert tcp $HOME_NET any -> [43.240.48.90] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250561; rev:1;) alert tcp $HOME_NET any -> [154.219.163.86] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250560; rev:1;) alert tcp $HOME_NET any -> [45.156.217.61] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250559; rev:1;) alert tcp $HOME_NET any -> [45.156.217.59] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250558; rev:1;) alert tcp $HOME_NET any -> [154.219.163.67] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250557; rev:1;) alert tcp $HOME_NET any -> [43.240.48.94] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250556; rev:1;) alert tcp $HOME_NET any -> [43.240.48.106] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250555; rev:1;) alert tcp $HOME_NET any -> [45.156.217.16] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250554; rev:1;) alert tcp $HOME_NET any -> [43.240.48.72] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250553; rev:1;) alert tcp $HOME_NET any -> [43.240.49.189] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250552; rev:1;) alert tcp $HOME_NET any -> [154.219.164.220] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250551; rev:1;) alert tcp $HOME_NET any -> [154.219.164.207] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250550; rev:1;) alert tcp $HOME_NET any -> [154.219.163.89] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250549; rev:1;) alert tcp $HOME_NET any -> [43.240.49.153] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250548; rev:1;) alert tcp $HOME_NET any -> [45.156.217.19] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250547; rev:1;) alert tcp $HOME_NET any -> [154.219.164.194] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250546; rev:1;) alert tcp $HOME_NET any -> [154.219.164.221] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250545; rev:1;) alert tcp $HOME_NET any -> [45.156.217.51] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250544; rev:1;) alert tcp $HOME_NET any -> [120.89.71.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250543; rev:1;) alert tcp $HOME_NET any -> [45.156.217.36] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250542; rev:1;) alert tcp $HOME_NET any -> [43.240.49.139] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250541; rev:1;) alert tcp $HOME_NET any -> [154.219.163.94] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250540; rev:1;) alert tcp 
$HOME_NET any -> [43.240.48.110] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250539; rev:1;) alert tcp $HOME_NET any -> [43.240.49.136] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250538; rev:1;) alert tcp $HOME_NET any -> [43.240.49.187] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250537; rev:1;) alert tcp $HOME_NET any -> [43.240.49.172] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250536; rev:1;) alert tcp $HOME_NET any -> [120.89.71.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250535; rev:1;) alert tcp $HOME_NET any -> [45.156.217.46] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250534; rev:1;) alert tcp $HOME_NET any -> [45.156.217.7] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250533; rev:1;) alert tcp $HOME_NET any -> [43.240.48.120] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250532; rev:1;) alert tcp $HOME_NET any -> [43.240.48.85] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250531; rev:1;) alert tcp $HOME_NET any -> [82.156.224.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user"; depth:5; nocase; http.host; content:"82.156.224.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250529; rev:1;) alert tcp $HOME_NET any -> [43.240.49.174] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250528; rev:1;) alert tcp $HOME_NET any -> [43.240.49.165] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250527; rev:1;) alert tcp $HOME_NET any -> [43.240.48.82] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250526; rev:1;) alert tcp $HOME_NET any -> [43.240.48.74] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250525; rev:1;) alert tcp $HOME_NET any -> [43.240.48.114] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250524; rev:1;) alert tcp $HOME_NET any -> [43.240.49.175] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250523; rev:1;) alert tcp $HOME_NET any -> [45.156.217.14] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250522; rev:1;) alert tcp $HOME_NET any -> [43.240.48.78] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250521; rev:1;) alert tcp $HOME_NET any -> [45.156.217.17] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250520; rev:1;) alert tcp $HOME_NET any -> [43.240.49.143] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250519; rev:1;) alert tcp $HOME_NET any -> [154.219.164.216] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250518; rev:1;) alert tcp 
$HOME_NET any -> [43.240.48.100] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250517; rev:1;) alert tcp $HOME_NET any -> [154.216.54.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250516; rev:1;) alert tcp $HOME_NET any -> [45.156.217.13] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250515; rev:1;) alert tcp $HOME_NET any -> [43.240.49.181] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250514; rev:1;) alert tcp $HOME_NET any -> [43.240.48.105] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250513; rev:1;) alert tcp $HOME_NET any -> [154.219.164.215] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250512; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.133] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250511; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.68] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250510; rev:1;)
alert tcp $HOME_NET any -> [43.240.49.162] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250509; rev:1;)
alert tcp $HOME_NET any -> [43.240.48.76] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250508; rev:1;)
# url IoC: unlike the ip:port rules around it, this rule only fires on an established
# client-to-server HTTP request (flow:established,from_client) whose method is GET,
# whose URI begins with the 22-byte path (depth:22 anchors the match at offset 0,
# nocase makes it case-insensitive) and whose Host header is exactly the 14-byte IP
# (depth:14 anchors it; isdataat:!1,relative rejects any trailing bytes). The same
# reference/target/metadata fields as the ip:port rules follow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.53.213.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250507; rev:1;) alert tcp $HOME_NET any -> [154.219.163.69] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250506; rev:1;) alert tcp $HOME_NET any -> [45.156.217.39] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250505; rev:1;) alert tcp $HOME_NET any -> [43.240.49.178] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250504; rev:1;) alert tcp $HOME_NET any -> [43.240.48.79] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250503; rev:1;) alert tcp $HOME_NET any -> [154.219.163.74] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250502; rev:1;) alert tcp $HOME_NET any -> [43.240.48.95] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250501; rev:1;) alert tcp $HOME_NET any -> [45.156.217.52] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250500; rev:1;) alert tcp $HOME_NET any -> [154.216.54.230] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250499; rev:1;) alert tcp $HOME_NET any -> [154.219.164.208] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250498; rev:1;) alert tcp $HOME_NET any -> [154.219.164.222] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250497; rev:1;) alert tcp $HOME_NET any -> [43.240.49.130] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250496; rev:1;) alert tcp 
$HOME_NET any -> [43.240.49.157] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250495; rev:1;) alert tcp $HOME_NET any -> [43.240.48.87] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250494; rev:1;) alert tcp $HOME_NET any -> [43.240.49.155] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250493; rev:1;) alert tcp $HOME_NET any -> [45.156.217.40] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250492; rev:1;) alert tcp $HOME_NET any -> [45.156.217.50] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250491; rev:1;) alert tcp $HOME_NET any -> [43.240.48.123] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250490; rev:1;) alert tcp $HOME_NET any -> [43.240.49.156] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250489; rev:1;) alert tcp $HOME_NET any -> [45.156.217.32] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250488; rev:1;) alert tcp $HOME_NET any -> [45.156.217.4] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250487; rev:1;) alert tcp $HOME_NET any -> [43.240.48.92] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250486; rev:1;) alert tcp $HOME_NET any -> [43.240.48.113] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250485; rev:1;) alert tcp $HOME_NET any -> [120.89.71.245] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250484; rev:1;) alert tcp $HOME_NET any -> [43.240.49.167] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250483; rev:1;) alert tcp $HOME_NET any -> [43.240.49.131] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250482; rev:1;) alert tcp $HOME_NET any -> [120.89.71.244] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250481; rev:1;) alert tcp $HOME_NET any -> [43.240.49.166] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250480; rev:1;) alert tcp $HOME_NET any -> [43.240.48.116] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250479/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250479; rev:1;) alert tcp $HOME_NET any -> [43.240.48.75] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250478; rev:1;) alert tcp $HOME_NET any -> [154.219.163.87] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250477; rev:1;) alert tcp $HOME_NET any -> [43.240.49.151] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250476; rev:1;) alert tcp $HOME_NET any -> [43.240.49.169] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250475; rev:1;) alert tcp $HOME_NET any -> [154.219.163.84] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250474; rev:1;) alert tcp $HOME_NET any -> [43.240.48.101] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250473; rev:1;) alert tcp $HOME_NET any -> [43.240.49.137] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250472; rev:1;) alert tcp $HOME_NET any -> [45.156.217.38] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250471; rev:1;) alert tcp $HOME_NET any -> [43.240.49.160] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250470; rev:1;) alert tcp $HOME_NET any -> [154.216.54.240] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250469; rev:1;) alert tcp $HOME_NET any -> [43.240.49.190] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250468; rev:1;) alert tcp $HOME_NET any -> [45.156.217.41] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250467; rev:1;) alert tcp $HOME_NET any -> [45.156.217.48] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250466; rev:1;) alert tcp $HOME_NET any -> [154.219.164.218] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250465; rev:1;) alert tcp $HOME_NET any -> [154.219.164.214] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250464; rev:1;) alert tcp $HOME_NET any -> [154.219.163.78] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250463; rev:1;) alert tcp $HOME_NET any -> [43.240.49.138] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250462; rev:1;) alert tcp $HOME_NET any -> [43.240.49.142] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250461; rev:1;) alert tcp $HOME_NET any -> [154.219.164.202] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250460; rev:1;) alert tcp $HOME_NET any -> [43.240.49.173] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250459; rev:1;) alert tcp $HOME_NET any -> [43.240.49.134] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250458; rev:1;) alert tcp $HOME_NET any -> [43.240.49.144] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250457; rev:1;) alert tcp 
$HOME_NET any -> [43.240.48.118] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250456; rev:1;) alert tcp $HOME_NET any -> [43.240.48.122] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250455; rev:1;) alert tcp $HOME_NET any -> [43.240.48.112] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250454; rev:1;) alert tcp $HOME_NET any -> [43.240.48.86] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250453; rev:1;) alert tcp $HOME_NET any -> [45.156.217.8] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250452; rev:1;) alert tcp $HOME_NET any -> [45.156.217.20] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250451; rev:1;) alert tcp $HOME_NET any -> [45.156.217.10] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250450; rev:1;) alert tcp $HOME_NET any -> [154.219.164.212] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250449; rev:1;) alert tcp $HOME_NET any -> [154.219.163.80] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250448; rev:1;) alert tcp $HOME_NET any -> [154.219.163.73] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250447; rev:1;) alert tcp $HOME_NET any -> [45.156.217.23] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250446; rev:1;) alert tcp $HOME_NET any -> [45.156.217.15] 809 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250445; rev:1;) alert tcp $HOME_NET any -> [43.240.49.179] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250444; rev:1;) alert tcp $HOME_NET any -> [43.240.49.170] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250443; rev:1;) alert tcp $HOME_NET any -> [43.240.48.119] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250442; rev:1;) alert tcp $HOME_NET any -> [45.156.217.54] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250441; rev:1;) alert tcp $HOME_NET any -> [43.240.49.159] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250440/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250440; rev:1;) alert tcp $HOME_NET any -> [154.219.163.77] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250439; rev:1;) alert tcp $HOME_NET any -> [43.240.49.158] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250438; rev:1;) alert tcp $HOME_NET any -> [45.156.217.34] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250437; rev:1;) alert tcp $HOME_NET any -> [45.156.217.22] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250436; rev:1;) alert tcp $HOME_NET any -> [43.240.48.109] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250435; rev:1;) alert tcp $HOME_NET any -> [43.240.49.182] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250434; rev:1;) alert tcp $HOME_NET any -> [154.216.54.232] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250433; rev:1;) alert tcp $HOME_NET any -> [45.156.217.58] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250432; rev:1;) alert tcp $HOME_NET any -> [43.240.48.117] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250431; rev:1;) alert tcp $HOME_NET any -> [43.240.49.148] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250430; rev:1;) alert tcp $HOME_NET any -> [154.219.164.199] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250429; rev:1;) alert tcp $HOME_NET any -> [45.156.217.55] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250428; rev:1;) alert tcp $HOME_NET any -> [45.156.217.57] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250427; rev:1;) alert tcp $HOME_NET any -> [43.240.48.77] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250426; rev:1;) alert tcp $HOME_NET any -> [45.156.217.18] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250425; rev:1;) alert tcp $HOME_NET any -> [43.240.48.125] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250424; rev:1;) alert tcp $HOME_NET any -> [43.240.49.150] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250423; rev:1;) alert tcp $HOME_NET any -> [45.156.217.28] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250422; rev:1;) alert tcp $HOME_NET any -> [43.240.49.186] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250421; rev:1;) alert tcp $HOME_NET any -> [43.240.49.161] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250420; rev:1;) alert tcp $HOME_NET any -> [43.240.49.152] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250419; rev:1;) alert tcp $HOME_NET any -> [154.219.163.81] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250418; rev:1;) alert tcp 
$HOME_NET any -> [45.156.217.33] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250417; rev:1;) alert tcp $HOME_NET any -> [43.240.48.80] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250416; rev:1;) alert tcp $HOME_NET any -> [43.240.48.99] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250415; rev:1;) alert tcp $HOME_NET any -> [43.240.48.89] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250414; rev:1;) alert tcp $HOME_NET any -> [45.156.217.53] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250413; rev:1;) alert tcp $HOME_NET any -> [43.240.48.93] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250412; rev:1;) alert tcp $HOME_NET any -> [45.156.217.31] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250411; rev:1;) alert tcp $HOME_NET any -> [45.156.217.11] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250410; rev:1;) alert tcp $HOME_NET any -> [154.219.164.195] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250409; rev:1;) alert tcp $HOME_NET any -> [43.240.48.73] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250408; rev:1;) alert tcp $HOME_NET any -> [45.156.217.44] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250407; rev:1;) alert tcp $HOME_NET any -> [45.156.217.6] 809 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250406; rev:1;) alert tcp $HOME_NET any -> [45.156.217.56] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250405; rev:1;) alert tcp $HOME_NET any -> [43.240.48.107] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250404; rev:1;) alert tcp $HOME_NET any -> [43.240.48.108] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250403; rev:1;) alert tcp $HOME_NET any -> [154.219.164.211] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250402; rev:1;) alert tcp $HOME_NET any -> [43.240.48.91] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250401/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250401; rev:1;) alert tcp $HOME_NET any -> [43.240.49.180] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250400; rev:1;) alert tcp $HOME_NET any -> [45.156.217.45] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250399; rev:1;) alert tcp $HOME_NET any -> [154.216.54.222] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250398; rev:1;) alert tcp $HOME_NET any -> [45.156.217.62] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250397; rev:1;) alert tcp $HOME_NET any -> [43.240.48.96] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250396; rev:1;) alert tcp $HOME_NET any -> [154.219.164.209] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250395; rev:1;) alert tcp $HOME_NET any -> [45.156.217.30] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250394; rev:1;) alert tcp $HOME_NET any -> [43.240.49.168] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250393; rev:1;) alert tcp $HOME_NET any -> [43.240.49.171] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250392; rev:1;) alert tcp $HOME_NET any -> [43.240.48.88] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250391; rev:1;) alert tcp $HOME_NET any -> [154.216.54.215] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250390; rev:1;) alert tcp $HOME_NET any -> [154.219.164.200] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250389; rev:1;) alert tcp $HOME_NET any -> [154.219.163.76] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250388; rev:1;) alert tcp $HOME_NET any -> [154.216.54.233] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250387; rev:1;) alert tcp $HOME_NET any -> [154.219.164.206] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250386; rev:1;) alert tcp $HOME_NET any -> [154.219.164.196] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250385; rev:1;) alert tcp $HOME_NET any -> [43.240.49.149] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250384; rev:1;) alert tcp $HOME_NET any -> [43.240.48.115] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250383; rev:1;) alert tcp $HOME_NET any -> [43.240.48.81] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250382; rev:1;) alert tcp $HOME_NET any -> [43.240.48.104] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250381; rev:1;) alert tcp $HOME_NET any -> [43.240.49.164] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250380; rev:1;) alert tcp $HOME_NET any -> [154.219.163.70] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250379; rev:1;) alert tcp 
$HOME_NET any -> [154.216.54.214] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250378; rev:1;) alert tcp $HOME_NET any -> [120.89.71.243] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250377; rev:1;) alert tcp $HOME_NET any -> [154.219.164.217] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250376; rev:1;) alert tcp $HOME_NET any -> [45.156.217.27] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250375; rev:1;) alert tcp $HOME_NET any -> [5.188.88.177] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250374; rev:1;) alert tcp $HOME_NET any -> [15.204.223.49] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250372; rev:1;) alert tcp $HOME_NET any -> [93.123.85.8] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250373/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250373; rev:1;) alert tcp $HOME_NET any -> [34.168.202.91] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/localtestgeo/flower20flower/_packetwindowsvm/httpasyncbetterpacket/1/windows87downloads/temporarytraffic82/uploads/serverasyncvideoserver/geo/7/lowasyncserver/traffic66db/python/to/protonprivate3/gamegenerator/datalifedle/secure/topollhttpgeosqltestuniversaltempdownloads.php"; depth:276; nocase; http.host; content:"80.66.84.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250370; rev:1;) alert tcp $HOME_NET any -> [194.147.140.219] 4040 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250369; rev:1;) alert tcp $HOME_NET any -> [35.243.180.101] 443 (msg:"ThreatFox DanaBot 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250368; rev:1;) alert tcp $HOME_NET any -> [34.77.22.163] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250367; rev:1;) alert tcp $HOME_NET any -> [8.222.178.224] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250366; rev:1;) alert tcp $HOME_NET any -> [34.22.151.45] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baseuniversaluploads.php"; depth:25; nocase; http.host; content:"531995cl.nyashtop.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250364; rev:1;) alert tcp $HOME_NET any -> [79.133.51.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250363/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250363; rev:1;) alert tcp $HOME_NET any -> [54.248.193.226] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250362; rev:1;) alert tcp $HOME_NET any -> [101.32.37.92] 65532 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250361; rev:1;) alert tcp $HOME_NET any -> [142.171.62.107] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250360/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250360; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8012 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250359/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250359; rev:1;) alert tcp $HOME_NET any -> [41.96.114.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250358/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250358; rev:1;) alert tcp $HOME_NET any -> [76.19.90.99] 443 (msg:"ThreatFox 
QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"gammaproject.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250356; rev:1;) alert tcp $HOME_NET any -> [77.232.143.114] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250355; rev:1;) alert tcp $HOME_NET any -> [185.94.165.191] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250354; rev:1;) alert tcp $HOME_NET any -> [81.43.22.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250353; rev:1;) alert tcp $HOME_NET any -> [43.198.243.210] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; 
classtype:trojan-activity; sid:91250352; rev:1;) alert tcp $HOME_NET any -> [172.218.112.83] 8080 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_28; classtype:trojan-activity; sid:91250351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bulaintel.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.bsdeboomgaard.be"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kayoanime.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; 
http.host; content:"www.althaus-innenausbau.de"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"growthworks.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"taronews.tw"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outdoorgearshub.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcintoshdaily.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250338/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"buckcenter.edu.ec"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ffteducationdatalab.org.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cuinescalaf.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cityhomesedmonton.ca"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aurory.io"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildundhund.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"convertkit.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"celeritastransporte.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; 
nocase; http.host; content:"overbeekphotos.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cumm.co.uk"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250329; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250307; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250308; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250309; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250310; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250311; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250312; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250313; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250314; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250315; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2174 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250316; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250317; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250306; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250305; rev:1;) alert tcp $HOME_NET any -> [187.135.93.207] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250304; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250303/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_28; classtype:trojan-activity; sid:91250303; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2188 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250302; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250301; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250300; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250299; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250298; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250297; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250296; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250295; rev:1;) alert tcp $HOME_NET any -> [43.138.0.70] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250292; rev:1;) alert tcp $HOME_NET any -> [43.139.101.86] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250291; rev:1;) alert tcp $HOME_NET any -> [49.235.174.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250290; rev:1;) alert 
tcp $HOME_NET any -> [101.43.164.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250289; rev:1;) alert tcp $HOME_NET any -> [124.220.80.206] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250288; rev:1;) alert tcp $HOME_NET any -> [150.158.19.54] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250287; rev:1;) alert tcp $HOME_NET any -> [159.75.80.31] 6699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250286; rev:1;) alert tcp $HOME_NET any -> [38.180.92.22] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250285; rev:1;) alert tcp $HOME_NET any -> [89.163.221.180] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250284; rev:1;) alert tcp $HOME_NET any -> [89.163.221.180] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250283; rev:1;) alert tcp $HOME_NET any -> [104.243.37.110] 6667 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250282; rev:1;) alert tcp $HOME_NET any -> [109.199.120.42] 2023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250281; rev:1;) alert tcp $HOME_NET any -> [128.90.122.170] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250280; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250279; rev:1;) alert tcp $HOME_NET any -> [142.11.201.124] 8714 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250278; rev:1;)
# NOTE(review): the ip:port rules below carry no flow: keyword, so any packet from $HOME_NET towards the
# listed destination ip:port fires them (a single outbound SYN is enough); the threshold only caps the
# noise to one alert per source per 60 s. A hit therefore shows an attempted contact, not a completed
# session - confirm with flow/session data before treating target:src_ip as a confirmed infection.
alert tcp $HOME_NET any -> [172.94.9.23] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250274; rev:1;)
alert tcp $HOME_NET any -> [172.94.125.164] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250262; rev:1;)
# NOTE(review): the next two IOCs (ThreatFox ids 1250293/1250294, both 75% confidence) look related. The
# DNS indicator is a *.at.ply.gg hostname, which as far as I know is issued by a consumer tunnelling
# service; if the NjRAT ip:port above it is that tunnel's public ingress, the IP is shared with unrelated
# users and only the port discriminates. Treat a match as a lead to pivot on, not a standalone verdict.
alert tcp $HOME_NET any -> [147.185.221.18] 54056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250293/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250293; rev:1;)
# NOTE(review): this DNS rule is scoped $HOME_NET -> $EXTERNAL_NET, so it only sees queries leaving the
# monitored network. Where clients use an internal recursive resolver, the matching packet is presumably
# the resolver's upstream lookup and target:src_ip then names the resolver, not the infected host -
# correlate with resolver query logs to find the real client. The isdataat:!1,relative makes this an
# exact-hostname match; other labels under ply.gg are not covered.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"results-outdoors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250294/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mangacrab.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"catherinefoundation.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kinosait24.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"theyogainstitute.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bodylift.si"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; 
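classtype:trojan-activity; sid:91250324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"digitalmarketingcompany.me"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prozhedownload.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"telegramguru.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"matchtime.co"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250320; rev:1;)
# NOTE(review): sids 91250318 and 91250319 were generated with the C2 IP as an http.uri content at
# depth 14 and no http.host check. The normalized URI of an ordinary (origin-form) request starts with
# "/", so as written these rules cannot match the traffic they describe. Every other IP-hosted URL
# indicator in this feed anchors the IP in http.host with isdataat:!1,relative (see the 80.66.84.68 and
# 95.217.31.143 rules), so the same shape is used here; rev bumped to 2 to mark the change. This assumes
# the underlying ThreatFox URL IOCs are "http://<ip>/" style with no path - verify against the IOC pages.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250318; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250319; rev:2;)
alert tcp $HOME_NET any -> [194.156.90.112] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250261; rev:1;)
alert tcp $HOME_NET any -> [206.123.132.165] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250260; rev:1;)
alert tcp $HOME_NET any -> [38.180.121.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1222548548235558974/1222550773380943902/mauqes.rar"; 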
depth:63; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250233; rev:1;) alert tcp $HOME_NET any -> [45.145.42.90] 6969 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_28; classtype:trojan-activity; sid:91250349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_28; classtype:trojan-activity; sid:91250347; rev:1;) alert tcp $HOME_NET any -> [154.216.54.250] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250277; rev:1;) alert tcp $HOME_NET any -> [154.216.54.239] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250276; rev:1;) alert tcp $HOME_NET any -> [154.216.54.247] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"154.12.29.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250273; rev:1;) alert tcp $HOME_NET any -> [154.216.54.211] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250272; rev:1;) alert tcp $HOME_NET any -> [154.216.54.216] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250271; rev:1;) alert tcp $HOME_NET any -> [154.216.54.237] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1250270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250270; rev:1;) alert tcp $HOME_NET any -> [154.216.54.228] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250269; rev:1;) alert tcp $HOME_NET any -> [154.216.54.254] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.231.18.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250267; rev:1;) alert tcp $HOME_NET any -> [154.216.54.198] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250266; rev:1;) alert tcp $HOME_NET any -> [154.216.54.194] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250265; rev:1;) alert tcp $HOME_NET any -> [154.216.54.238] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250264; rev:1;) alert tcp $HOME_NET any -> [154.216.54.231] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250263; rev:1;) alert tcp $HOME_NET any -> [5.75.211.135] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250255; rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250256; rev:1;) alert tcp $HOME_NET any -> [95.217.31.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250257; rev:1;) alert tcp $HOME_NET any -> [80.66.84.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderalbie.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250252; rev:1;) alert tcp $HOME_NET any -> [88.99.122.130] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250253; rev:1;) alert tcp $HOME_NET any -> [78.46.229.36] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"suggst.xyz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"hepialid.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pvasms.top"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"alexanderarthur.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.66.84.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250246; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.122.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.229.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sa9ok"; depth:6; 
nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199658817715"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderarthur.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvasms.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hepialid.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suggst.xyz"; depth:10; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexanderalbie.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0934723.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250232; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250231; rev:1;) alert tcp $HOME_NET any -> [88.119.175.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250230; rev:1;) alert tcp $HOME_NET any -> [20.2.234.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250229/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250229; rev:1;) alert tcp $HOME_NET any -> [20.199.87.153] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250228; rev:1;) alert tcp $HOME_NET any -> [154.247.228.146] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250227; rev:1;) alert tcp $HOME_NET any -> [78.168.3.237] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250226; rev:1;) alert tcp $HOME_NET any -> [194.67.103.231] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250225; rev:1;) alert tcp $HOME_NET any -> [54.84.224.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250224; rev:1;) alert tcp $HOME_NET any -> [77.232.143.114] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250223; rev:1;) alert tcp $HOME_NET any -> [92.116.37.117] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250222; rev:1;) alert tcp $HOME_NET any -> [64.23.140.175] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250221; rev:1;) alert tcp $HOME_NET any -> [192.64.86.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250220; rev:1;) alert tcp $HOME_NET any -> [87.120.204.101] 16053 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250219; rev:1;) alert tcp $HOME_NET any -> [185.130.45.147] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250218; rev:1;) alert tcp $HOME_NET any -> 
[185.130.45.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91250217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"prior-gently.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250216; rev:1;) alert tcp $HOME_NET any -> [91.92.252.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250213; rev:1;) alert tcp $HOME_NET any -> [91.92.252.224] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250214; rev:1;) alert tcp $HOME_NET any -> [147.185.221.19] 5585 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-aws-amazon.nbcnews.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1250212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"cdn-aws-amazon.nbcnews.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250208; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.assamjatiyabidyalay.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"designtoolsnetwork.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"vsenews.kr.ua"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"compose.ly"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gridlocktable.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wlmedia.co.uk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"animalvictory.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250192/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brokensilenze.one"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hidethatfat.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"timesit.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amittiwari.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abumarketrc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.dizikonusu.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"astrolady.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phongthuyphunggia.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; 
depth:11; nocase; http.host; content:"ryver.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokeshopdelivers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hmidarjeeling.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"titikdua.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1250204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.feekstokandy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250160/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250160; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.nemchaprues.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250161/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.fustindor.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trondisaup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.trentimarsop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.carsruitkan.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250165/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"www.boskajean.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250166/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.triopahom.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.illboardinj.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250168/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.transautomanf.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250169/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.minesotkarpid.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250170/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.dionaolesjob.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1250171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skansnekssky.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kevinbrawiewu.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.troffyfrutlot.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.skazifrant.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.neelsmagofter.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250176/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91250176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.qtargumanikar.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250177/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.strastkamenhoop.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250178/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.lergochatep.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250179/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.clainsrimauto.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250180/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.kaspimension.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250181/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.askamoshopsi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250182/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.majzolimka.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.spakernakurs.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250185/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"adobeshare.blog"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250186; rev:1;) alert tcp $HOME_NET any -> [216.250.253.35] 2356 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1250159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250159; rev:1;) alert tcp $HOME_NET any -> [5.42.65.0] 29587 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"soneypaly.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1250157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91250157; rev:1;) alert tcp $HOME_NET any -> [51.77.167.59] 5951 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1250128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91250128; rev:1;) alert tcp $HOME_NET any -> [185.130.46.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.207.178.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249911/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_27; classtype:trojan-activity; sid:91249911; rev:1;) alert tcp $HOME_NET any -> [114.115.157.144] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"114.115.157.144"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs.buidu.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249908; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.buidu.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"38.47.101.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249904; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"38.207.178.141"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249903; rev:1;) alert tcp $HOME_NET any -> [185.130.46.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; 
content:"tools.trtyr.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tools.trtyr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.130.43.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.60.181.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendorreact.dc6a29.chunk.js"; depth:28; nocase; http.host; content:"43.142.183.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249897; rev:1;) alert tcp 
$HOME_NET any -> [45.207.58.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nimappche.buzz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"nimappche.buzz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/collector/2.0/settings/"; depth:24; nocase; http.host; content:"endpointinfrart.azureedge.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"endpointinfrart.azureedge.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249893/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_27; classtype:trojan-activity; sid:91249893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"60.205.246.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyel-therapy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/693775226584039476/1222130104944033792/mariyeltherapy_launcher.exe"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"camps.topgunnbaseball.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.19.254.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249887; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249881; rev:1;) alert tcp $HOME_NET any -> [103.188.244.189] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249882; rev:1;) alert tcp $HOME_NET any -> [103.67.196.77] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249883; rev:1;) alert tcp $HOME_NET any -> [45.128.232.82] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249884; rev:1;) alert tcp $HOME_NET any -> [74.50.85.233] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249885/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"www.apol.eu"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/doc.php"; depth:8; nocase; http.host; content:"williesimpson.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249833; rev:1;) alert tcp $HOME_NET any -> [139.59.88.74] 667 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249880/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249880; rev:1;) alert tcp $HOME_NET any -> [154.216.54.241] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249879; rev:1;) alert tcp $HOME_NET any -> [154.216.54.209] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249878/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_27; classtype:trojan-activity; sid:91249878; rev:1;) alert tcp $HOME_NET any -> [154.216.54.224] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249877; rev:1;) alert tcp $HOME_NET any -> [154.216.54.205] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249876; rev:1;) alert tcp $HOME_NET any -> [154.216.54.249] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249875; rev:1;) alert tcp $HOME_NET any -> [154.216.54.225] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249874; rev:1;) alert tcp $HOME_NET any -> [154.216.54.210] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249873; rev:1;) alert tcp $HOME_NET any -> [154.216.54.236] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249872; rev:1;) alert tcp $HOME_NET any -> [154.216.54.212] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249871; rev:1;) alert tcp $HOME_NET any -> [154.216.54.219] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249870; rev:1;) alert tcp $HOME_NET any -> [154.216.54.229] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249869; rev:1;) alert tcp $HOME_NET any -> [154.216.54.227] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249868; rev:1;) alert tcp $HOME_NET any -> [154.216.54.195] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; 
sid:91249867; rev:1;) alert tcp $HOME_NET any -> [154.216.54.213] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249866; rev:1;) alert tcp $HOME_NET any -> [154.216.54.218] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249865; rev:1;) alert tcp $HOME_NET any -> [154.216.54.203] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249864; rev:1;) alert tcp $HOME_NET any -> [154.216.54.234] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249863; rev:1;) alert tcp $HOME_NET any -> [154.216.54.201] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249862; rev:1;) alert tcp $HOME_NET any -> [154.216.54.251] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1249861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249861; rev:1;) alert tcp $HOME_NET any -> [154.216.54.253] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249860; rev:1;) alert tcp $HOME_NET any -> [154.216.54.235] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249859; rev:1;) alert tcp $HOME_NET any -> [154.216.54.226] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249858; rev:1;) alert tcp $HOME_NET any -> [154.216.54.217] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249857; rev:1;) alert tcp $HOME_NET any -> [154.216.54.223] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249856; rev:1;) alert tcp $HOME_NET any -> 
[154.216.54.220] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249855; rev:1;) alert tcp $HOME_NET any -> [154.216.54.242] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249854; rev:1;) alert tcp $HOME_NET any -> [154.216.54.248] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249853; rev:1;) alert tcp $HOME_NET any -> [154.216.54.206] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249852; rev:1;) alert tcp $HOME_NET any -> [154.216.54.208] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1249849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249849; rev:1;) alert tcp $HOME_NET any -> [107.173.144.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-2saemj0p-1319375115.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249848; rev:1;) alert tcp $HOME_NET any -> [154.216.54.200] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249847; rev:1;) alert tcp $HOME_NET any -> [154.216.54.252] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249846; rev:1;) alert tcp $HOME_NET any -> [154.216.54.244] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249845/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249845; rev:1;) alert tcp $HOME_NET any -> [154.216.54.204] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249844; rev:1;) alert tcp $HOME_NET any -> [154.216.54.196] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249843; rev:1;) alert tcp $HOME_NET any -> [154.216.54.207] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249842; rev:1;) alert tcp $HOME_NET any -> [154.216.54.197] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249841; rev:1;) alert tcp $HOME_NET any -> [154.216.54.245] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249840; rev:1;) alert tcp $HOME_NET any -> [154.216.54.221] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249839; rev:1;) alert tcp $HOME_NET any -> [154.216.54.246] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-20ww8i3o-1300612713.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249836; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"139.9.41.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dakee.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carercn.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darmanet.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"empiretaxusa.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1249821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"daarine.ir"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"boulangeriebezencon.ch"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rickwire.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"selekta.fi"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249825; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lollipophouse.ir"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elgreco-sindlingen.de"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249827; rev:1;) alert tcp $HOME_NET any -> [74.50.85.233] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"voidc2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249817; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249815; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249814; rev:1;) alert tcp $HOME_NET any -> [47.105.69.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.flash-update.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.flash-update.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249812; rev:1;) alert tcp $HOME_NET any -> [43.156.21.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249810; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"74.50.85.233"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1249805/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.128.232.82"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"versenet.lol"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1249807/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91249807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apijsonparserkit.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249665; rev:1;) alert tcp $HOME_NET any -> [1.94.11.195] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249783; rev:1;) alert tcp $HOME_NET any -> [120.46.128.5] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249782; rev:1;) alert tcp $HOME_NET any -> [120.26.169.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249780; rev:1;) alert tcp $HOME_NET any -> [123.60.181.152] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249781; rev:1;) alert tcp $HOME_NET any -> [118.190.147.246] 13443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249778; rev:1;) alert tcp $HOME_NET any -> [120.26.105.94] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249779; rev:1;) alert tcp $HOME_NET any -> [118.178.125.8] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249777; rev:1;) alert tcp $HOME_NET any -> [47.109.60.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249774; rev:1;) alert tcp $HOME_NET any -> [47.113.188.133] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249775; rev:1;) alert tcp $HOME_NET any -> [60.205.246.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249776; 
rev:1;) alert tcp $HOME_NET any -> [139.199.77.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249767; rev:1;) alert tcp $HOME_NET any -> [8.138.26.50] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249772; rev:1;) alert tcp $HOME_NET any -> [8.130.34.85] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249771; rev:1;) alert tcp $HOME_NET any -> [47.106.122.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249773; rev:1;) alert tcp $HOME_NET any -> [129.211.26.3] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249766; rev:1;) alert tcp $HOME_NET any -> [122.51.27.35] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249764; rev:1;) alert tcp $HOME_NET any -> [124.221.102.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249765; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 7898 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249763; rev:1;) alert tcp $HOME_NET any -> [43.136.99.149] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249761; rev:1;) alert tcp $HOME_NET any -> [43.138.72.70] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"backupitfirst.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"withupdate.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249760; rev:1;) alert tcp $HOME_NET any -> [179.60.147.91] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"arku.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249736/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249736; rev:1;) alert tcp $HOME_NET any -> [3.33.130.190] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249735/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249735; rev:1;) alert tcp $HOME_NET any -> [179.60.147.94] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"usersync.tiqcdn.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1249734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249734; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19387 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249804/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_27; classtype:trojan-activity; sid:91249804; rev:1;) alert tcp $HOME_NET any -> [117.41.187.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249506; rev:1;) alert tcp $HOME_NET any -> [176.123.169.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249803; rev:1;) alert tcp $HOME_NET any -> [45.151.44.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249802; rev:1;) alert tcp $HOME_NET any -> [77.221.154.236] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249801; rev:1;) alert tcp $HOME_NET any -> [117.72.9.31] 8888 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249800; rev:1;) alert tcp $HOME_NET any -> [103.165.81.103] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249799; rev:1;) alert tcp $HOME_NET any -> [46.246.84.23] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249798; rev:1;) alert tcp $HOME_NET any -> [70.31.125.114] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249797; rev:1;) alert tcp $HOME_NET any -> [68.32.77.99] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249796; rev:1;) alert tcp $HOME_NET any -> [41.96.10.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; 
classtype:trojan-activity; sid:91249795; rev:1;) alert tcp $HOME_NET any -> [52.173.131.28] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249794; rev:1;) alert tcp $HOME_NET any -> [54.84.224.146] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249793; rev:1;) alert tcp $HOME_NET any -> [92.116.36.151] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249792; rev:1;) alert tcp $HOME_NET any -> [134.209.171.201] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249791; rev:1;) alert tcp $HOME_NET any -> [92.118.112.155] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249790; rev:1;) alert tcp $HOME_NET any -> [54.145.56.118] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1249789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_27; classtype:trojan-activity; sid:91249789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a7b6ac9c.php"; depth:13; nocase; http.host; content:"fire-studio.000webhostapp.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249788; rev:1;) alert tcp $HOME_NET any -> [194.147.140.158] 2323 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_27; classtype:trojan-activity; sid:91249786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oudowibspr"; depth:11; nocase; http.host; content:"withupdate.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wgfqneerod"; depth:11; nocase; http.host; content:"backupitfirst.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249770/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249770; rev:1;) alert tcp $HOME_NET any -> [45.11.182.29] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c16/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063894486901587979/1221860531594596433/2_npp.8.6.4.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/operational-resources"; depth:22; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/corporate-financial"; depth:20; nocase; http.host; content:"apllicam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249753/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249750/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assumendaipsam/point.exe"; depth:25; nocase; http.host; content:"ingatecsus.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249749; rev:1;) alert tcp $HOME_NET any -> [172.232.208.90] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249744; rev:1;) alert tcp $HOME_NET any -> [213.199.41.33] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249745; rev:1;) alert tcp $HOME_NET any -> [194.233.91.144] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249746; rev:1;) alert tcp $HOME_NET any -> [158.220.95.215] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249747; rev:1;) alert tcp 
$HOME_NET any -> [84.247.157.112] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249748; rev:1;) alert tcp $HOME_NET any -> [158.220.95.214] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249742; rev:1;) alert tcp $HOME_NET any -> [64.23.199.206] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g.fyss888.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249740; rev:1;) alert tcp $HOME_NET any -> [154.219.163.85] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; 
http.host; content:"g.fyss888.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249739; rev:1;) alert tcp $HOME_NET any -> [77.238.249.17] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249516; rev:1;) alert tcp $HOME_NET any -> [20.205.173.250] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249515; rev:1;) alert tcp $HOME_NET any -> [122.10.10.100] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249514; rev:1;) alert tcp $HOME_NET any -> [122.10.5.85] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249513; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249512; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8011 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249511; rev:1;) alert tcp $HOME_NET any -> [91.102.163.73] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249510; rev:1;) alert tcp $HOME_NET any -> [154.246.204.189] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249509; rev:1;) alert tcp $HOME_NET any -> [39.40.187.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249508; rev:1;) alert tcp $HOME_NET any -> [123.247.80.47] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249507; rev:1;) alert tcp $HOME_NET any -> [91.92.254.140] 562 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249505/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rosenfeldmedia.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"1poclimaty.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mindfulsearching.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psdkits.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"porusski.me"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ketabpedia.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cultureroadtravel.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nzdcr.co.nz"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythictherapy.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1249496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249496; rev:1;) alert tcp $HOME_NET any -> [46.226.164.82] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249495; rev:1;) alert tcp $HOME_NET any -> [74.50.65.52] 7855 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249494; rev:1;) alert tcp $HOME_NET any -> [91.92.252.207] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249492; rev:1;) alert tcp $HOME_NET any -> [91.92.252.218] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.fr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.fr"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.204.201.114"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249489; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.20.16.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"121.36.255.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249486/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_26; classtype:trojan-activity; sid:91249486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.99.162.137"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249484; rev:1;) alert tcp $HOME_NET any -> [47.99.162.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lionos.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"axz.lionos.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pda.lionos.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249473; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ml.lionos.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goweqmcsa.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wwea.goweqmcsa.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xza.goweqmcsa.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.virtue.ltd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"networkbn.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bot.layer4.bf"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiyl7.hilariocolche.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"40.83.122.109"; depth:13; nocase; reference:url, 
threatfox.abuse.ch/ioc/1249467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"42.112.76.107"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1249468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"metis-black.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1249469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249470; rev:1;) alert tcp $HOME_NET any -> [91.92.253.201] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249464; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249465/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249465; rev:1;) alert tcp $HOME_NET any -> [91.92.251.65] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.78.155.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.25.254.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ga.js"; depth:6; nocase; http.host; content:"42.194.199.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sessionannoucemenwj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249448/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cleartotalfisherwo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worryfillvolcawoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"enthusiasimtitleow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dismissalcylinderhostw.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"affordcharmcropwo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diskretainvigorousiw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationgenerwo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pillowbrocccolipe.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249456; rev:1;) alert tcp $HOME_NET any -> [43.156.21.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1249447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.156.21.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249446; rev:1;) alert tcp $HOME_NET any -> [43.136.59.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"154.221.17.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vogxhf/panel/five/fre.php"; depth:26; nocase; http.host; content:"www.dobiamfollollc.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.8design.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokeypc.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"madalynsklar.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hortonhighschool.ca"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"richardvanhooijdonk.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.adventurewallcoverings.co.za"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gundrymd.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; 
classtype:trojan-activity; sid:91249412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"g8education.edu.au"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"makestories.io"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"abtenau-info.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"laptop.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"voluntariosenelmundo.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"greveclimaticaestudantil.pt"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"beginagaininstitute.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"leadershipmanagement.com.au"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"3axis.co"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"academieairespace.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bollywoodtadka.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ccspaintingllc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.carlhansensolv.dk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249398/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_26; classtype:trojan-activity; sid:91249398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rondesantis.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sitesrip.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ambitiouswithcards.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarmes.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"blackdiamondbjj.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cnsmaryland.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bearnutscomic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"psychosfera.kz"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"www.assenmacher-koeln.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shiroutowiki.work"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gadgetstouse.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sim-unlock.blog"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dailyshepursues.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249431/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rg-adguard.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"peacerivervet.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kitchenofdebjani.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--80ajgpcpbhkds4a4g.xn--p1ai"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"toptorials.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xn--ngbeab6ar43f.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"discovermass.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"grundens.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"www.bienenzucht-villachland.at"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"openloadmovies.live"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"businessforfilipinos.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/list/xmlrpc.php"; depth:16; nocase; http.host; content:"www.doctorsacademy.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tiodonghua.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249396/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tobano.pl"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eastnaija.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travelperi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gribnik.info"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hentai-witch.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"paydo.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"irpp.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249388; rev:1;) alert tcp $HOME_NET any -> [8.220.195.197] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249072; rev:1;) alert tcp $HOME_NET any -> [46.30.191.245] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249068; rev:1;) alert 
tcp $HOME_NET any -> [197.82.164.175] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249065; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249067; rev:1;) alert tcp $HOME_NET any -> [45.140.146.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249074; rev:1;) alert tcp $HOME_NET any -> [82.153.138.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249075; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249066; rev:1;) alert tcp $HOME_NET any -> [82.153.138.222] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249076/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249076; rev:1;) alert tcp $HOME_NET any -> [91.215.85.18] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249077; rev:1;) alert tcp $HOME_NET any -> [104.225.238.192] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249078; rev:1;) alert tcp $HOME_NET any -> [141.255.167.251] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249079; rev:1;) alert tcp $HOME_NET any -> [168.100.8.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249080; rev:1;) alert tcp $HOME_NET any -> [185.219.84.231] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249081; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2036 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249105; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249104; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249103; rev:1;) alert tcp $HOME_NET any -> [105.98.12.207] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249101; rev:1;) alert tcp $HOME_NET any -> [187.135.130.176] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249100; rev:1;) alert tcp $HOME_NET any -> [191.233.252.23] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; 
sid:91249083; rev:1;) alert tcp $HOME_NET any -> [188.166.177.25] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249082; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249106; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249107; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249108; rev:1;) alert tcp $HOME_NET any -> [187.135.117.144] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249109; rev:1;) alert tcp $HOME_NET any -> [105.98.67.41] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249110; rev:1;) alert tcp $HOME_NET any -> [193.233.132.231] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249122; rev:1;) alert tcp $HOME_NET any -> [45.63.31.37] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nonlinearcomms.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249131; rev:1;) alert tcp $HOME_NET any -> [15.235.131.20] 39206 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249387; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 19282 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249372/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goingupdate.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249386; rev:1;) alert tcp $HOME_NET any -> [80.209.238.116] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249385; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249384; rev:1;) alert tcp $HOME_NET any -> [124.70.143.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249383; rev:1;) alert tcp $HOME_NET any -> [172.245.81.143] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249382; rev:1;) alert tcp $HOME_NET any -> [47.116.192.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1249381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249381; rev:1;) alert tcp $HOME_NET any -> [189.177.5.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249380; rev:1;) alert tcp $HOME_NET any -> [41.99.6.82] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249379; rev:1;) alert tcp $HOME_NET any -> [46.101.94.83] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249378; rev:1;) alert tcp $HOME_NET any -> [20.79.165.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249377; rev:1;) alert tcp $HOME_NET any -> [46.101.81.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249376; rev:1;) alert tcp $HOME_NET any -> [103.40.161.185] 54321 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249375; rev:1;) alert tcp $HOME_NET any -> [47.93.103.60] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249374; rev:1;) alert tcp $HOME_NET any -> [47.93.103.60] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_26; classtype:trojan-activity; sid:91249373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"froggysnow.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiasyncpromise.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apieventemitter.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249115/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifetchmethod.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"incachespace.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"lyddemper.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249098; rev:1;) alert tcp $HOME_NET any -> [173.44.141.131] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xjp.xinjiangworker.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249070/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249070; rev:1;) alert tcp $HOME_NET any -> [93.123.85.11] 35769 (msg:"ThreatFox 
MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249069/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249069; rev:1;) alert tcp $HOME_NET any -> [194.87.107.145] 10480 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249371; rev:1;) alert tcp $HOME_NET any -> [185.222.58.38] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_26; classtype:trojan-activity; sid:91249369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c13/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249368/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_26; classtype:trojan-activity; sid:91249368; rev:1;) alert tcp $HOME_NET any -> [178.236.46.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dist/css/bootstrap.min.css"; depth:27; nocase; http.host; content:"178.236.46.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.240.48.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249126; rev:1;) alert tcp $HOME_NET any -> [154.216.54.199] 809 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91249125; rev:1;) alert tcp $HOME_NET any -> [124.71.75.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.71.75.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249123; rev:1;) alert tcp $HOME_NET any -> [193.233.132.109] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249121; rev:1;) alert tcp $HOME_NET any -> [129.159.131.26] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249120; rev:1;) alert tcp $HOME_NET any -> [23.227.198.236] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249119; rev:1;) alert tcp $HOME_NET any -> [4.227.54.178] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_25; classtype:trojan-activity; sid:91249118; rev:1;) alert tcp $HOME_NET any -> [103.200.29.109] 1364 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c19/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249114; rev:1;) alert tcp $HOME_NET any -> [194.147.140.180] 1987 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249102; rev:1;) alert tcp $HOME_NET any -> [188.120.239.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249097; rev:1;) alert tcp $HOME_NET any -> [200.234.232.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249096/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249096; rev:1;) alert tcp $HOME_NET any -> [217.196.98.138] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249095; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8001 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249094; rev:1;) alert tcp $HOME_NET any -> [103.209.129.94] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249093/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249093; rev:1;) alert tcp $HOME_NET any -> [39.40.158.94] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249092/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249092; rev:1;) alert tcp $HOME_NET any -> [154.246.154.178] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249091/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249091; rev:1;) alert tcp $HOME_NET any -> [41.96.255.221] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249090/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249090; rev:1;) alert tcp $HOME_NET any -> [92.38.176.164] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249089/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249089; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249088; rev:1;) alert tcp $HOME_NET any -> [45.134.9.139] 41056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249087; rev:1;) alert tcp $HOME_NET any -> [92.116.37.99] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249086; rev:1;) alert tcp $HOME_NET any -> [96.9.225.129] 19701 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249085; rev:1;) alert tcp $HOME_NET any -> 
[38.60.254.215] 2112 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/edf04ce5e57d0f66.php"; depth:21; nocase; http.host; content:"193.163.7.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249064; rev:1;) alert tcp $HOME_NET any -> [91.92.247.97] 2505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cdn.next2.cx"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249061; rev:1;) alert tcp $HOME_NET any -> [107.150.18.202] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gsytvkb9"; depth:9; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/257kcwfj"; depth:9; nocase; http.host; content:"searchgear.pro"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxn9mb9h"; depth:9; nocase; http.host; content:"devqeury.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/min.main.js"; depth:15; nocase; http.host; content:"sarcoma.space"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hvclbyck"; depth:9; nocase; http.host; content:"backendjs.org"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1249050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ielts.com.au"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thetip.co.kr"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"panang.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"restaurant-riva.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249054; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sirfresh.co.za"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilyonaryo.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"portalebambini.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ware2go.co"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"configurelaptop.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249059; rev:1;)
# Rule shapes used in this feed (one rule per line; keyword order matters, because depth,
# isdataat and relative bind to the content match immediately before them):
#  url IoC    : alert http ... http.method "GET"; http.uri <path>; depth:<len(path)>; nocase;
#               http.host <host>; depth:<len(host)>; isdataat:!1,relative
#               -> the request URI must START with <path> (no isdataat after it, so longer URIs
#                  still match) and the Host header must EQUAL <host>. A path of "/" with depth:1
#                  therefore fires on every plaintext GET to that host.
#  ip:port IoC: alert tcp $HOME_NET any -> [<ip>] <port> ... threshold: type limit, track by_src, seconds 60, count 1
#               -> any TCP packet from an internal client to that ip:port. There is no flow:
#                  keyword, so a bare SYN or a failed connect attempt alerts as well; the
#                  threshold caps it at one alert per source IP per 60 s.
#  domain IoC : alert dns ... dns_query; content:<fqdn>; depth:<len>; fast_pattern; isdataat:!1,relative; nocase
#               -> the queried name must EQUAL <fqdn>, case-insensitively.
# sid = 90000000 + ThreatFox IoC id; reference:url links the IoC page. target:src_ip marks the
# internal client (the alert's source) as the victim. first_seen is the date the IoC was reported
# to ThreatFox, not a last-validated date; infrastructure listed here may have been reassigned since.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"alternative-tibetaine.org"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249060; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spml.exe"; depth:9; nocase; http.host; content:"twizt.net"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249045; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/"; depth:7; nocase; http.host; content:"cdn-serveq.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249040; rev:1;)
# The next three rules use path "/" with depth:1: any GET to the listed host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.128.207.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249043; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"welcome.visionaryyouth.org"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249041; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"162.33.177.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249042; rev:1;)
# 193.233.132.109 appears twice with different ports and confidence levels (8081 at 50%, 50500 at 100%).
alert tcp $HOME_NET any -> [193.233.132.109] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249044/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91249044; rev:1;)
alert tcp $HOME_NET any -> [62.234.90.4] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249039; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249038/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91249038; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.109] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249037; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.83] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249036; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.242.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249035; rev:1;)
# 52.76.173.97 is listed both as a Cobalt Strike ip:port IoC (port 443, sid 91249034) and as the
# http.host of url IoCs (sid 91249033 here, sid 91249012 further down); the ip:port rule fires on
# any TCP packet to port 443, the url rules only on a parsed plaintext HTTP GET.
alert tcp $HOME_NET any -> [52.76.173.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249034; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249033; rev:1;)
alert tcp $HOME_NET any -> [101.36.126.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249032; rev:1;)
# Several url IoCs below use paths that mimic common web assets (/jquery-3.3.1.min.js, /__utm.gif,
# /fwlink, /dpixel, /pixel.gif); the exact-host match is what keeps them specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249030; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249031; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.14.206.72"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249029; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.106.89.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"39.106.5.215"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249027; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fr.html"; depth:8; nocase; http.host; content:"101.32.37.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/20/zo2xy7a4bowu"; depth:25; nocase; http.host; content:"39.100.86.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249025; rev:1;)
alert tcp $HOME_NET any -> [152.32.131.118] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249024; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"205.185.118.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249023; rev:1;)
# The three *.apig.cn-east-3.huaweicloudapis.com names below are each covered twice: once as a
# dns query IoC (exact name match) and once as the http.host of a /static/askbob url IoC. The
# parent domain is a shared cloud API gateway, so only the full 32-hex-character label is specific.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249021; rev:1;)
alert tcp $HOME_NET any -> [101.36.121.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"cf907cd9e8f94a93937a6360363420b2.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"d69b6834b7eb46fcb7bbcaa60f9f0f2d.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249018; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/askbob"; depth:14; nocase; http.host; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249016; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f6d2b014a8664ddd8d859ce64f3741ad.apig.cn-east-3.huaweicloudapis.com"; depth:67; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1249017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249017; rev:1;)
alert tcp $HOME_NET any -> [74.249.43.255] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249015; rev:1;)
# Reminder for the ip:port rules in this stretch: they carry no flow: keyword, so any TCP packet
# from $HOME_NET to the listed ip:port (including a bare SYN or a failed connect) alerts, limited
# by threshold to one alert per source IP per 60 s. The url rules match a GET whose URI starts
# with the given path (depth equals the path length) and whose Host header equals the given host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/v2.5/pisz5tos7v"; depth:20; nocase; http.host; content:"74.249.43.255"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249014; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"121.36.213.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"52.76.173.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.17.22.42"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249011; rev:1;)
# 195.181.245.38 is listed as an ip:port IoC (port 443) and as the host of a url IoC; see also 107.175.245.109 (ports 443 and 80) below.
alert tcp $HOME_NET any -> [195.181.245.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"195.181.245.38"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249009; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.91.209.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249008; rev:1;)
# Mirai C2 ip:port IoCs; five of them share port 61616.
alert tcp $HOME_NET any -> [62.72.185.90] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248999; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.130] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248996; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"billions.ooguy.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248992/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248992; rev:1;)
alert tcp $HOME_NET any -> [45.131.111.159] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248993/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248993; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.140] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248997; rev:1;)
alert tcp $HOME_NET any -> [62.72.185.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248998; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.225] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1249000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249000; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.113.188.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249005; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249004; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249003; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249002; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.130.48.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1249001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91249001; rev:1;)
# Two distinct paths on the same host 81.19.138.57 (/match and /fwlink), each with its own sid.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248995; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248994; rev:1;)
alert tcp $HOME_NET any -> [94.131.122.80] 5009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248991; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.155] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248987; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temp/spp/rf/installer.zip"; depth:26; nocase; http.host; content:"www.efesmarble.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248986; rev:1;)
alert tcp $HOME_NET any -> [92.249.48.114] 1337 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248988; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipe2/0javascript2private/vmgameapi/pythonprocessor/providerpollprocesslinuxuploads.php"; depth:88; nocase; http.host; content:"212.109.198.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248990; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248989; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248985; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonpollhttpgamepubliccdncentral.php"; depth:46; nocase; http.host; content:"878497cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248984; rev:1;)
alert tcp $HOME_NET any -> [107.175.245.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248983; rev:1;)
# NOTE(review): sid 91248982 and sid 91248980 (two rules further down) have byte-identical match
# conditions (GET /lib/v2/wcp-consent.js on www.10086cn.xyz) and only differ in sid/reference;
# both fire on the same request. Consider suppressing one if duplicate alerts are a problem.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248982; rev:1;)
alert tcp $HOME_NET any -> [107.175.245.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248981; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248980; rev:1;)
# The five "/" (depth:1) url rules below fire on ANY plaintext GET to the listed host. The same five
# hosts recur right after as Vidar ip:port IoCs (49.13.149.95:9001, 78.47.141.20:443, 5.75.212.236:443,
# 135.181.97.113:8888, 128.140.125.116:443); a session to one of them can raise both a url and an ip:port alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.149.95"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248979; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.141.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248978; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.236"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248977; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"135.181.97.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248976; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.125.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248975; rev:1;)
alert tcp $HOME_NET any -> [5.75.212.236] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248972; rev:1;)
alert tcp $HOME_NET any -> [78.47.141.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248973; rev:1;)
alert tcp $HOME_NET any -> [49.13.149.95] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248974; rev:1;)
alert tcp $HOME_NET any -> [135.181.97.113] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248970; rev:1;)
alert tcp $HOME_NET any -> [128.140.125.116] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248971; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e1d1eda2.php"; depth:13; nocase; http.host; content:"a0881216.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248969; rev:1;)
# confidence_level 50 IoCs (Unknown malware, QakBot, Havoc, BianLian, Amadey): lower-confidence
# entries, several on port 80/443 of general-purpose hosting; better suited to alert-and-triage
# than to automated blocking.
alert tcp $HOME_NET any -> [109.107.182.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248968; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248967; rev:1;)
alert tcp $HOME_NET any -> [64.176.81.234] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248966; rev:1;)
alert tcp $HOME_NET any -> [209.236.16.248] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248965; rev:1;)
alert tcp $HOME_NET any -> [64.23.230.161] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248964; rev:1;)
alert tcp $HOME_NET any -> [81.43.23.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248963; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.22] 2373 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248962; rev:1;)
alert tcp $HOME_NET any -> [1.117.72.174] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248961; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.56] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_25; classtype:trojan-activity; sid:91248960; rev:1;)
# Cobalt Strike ip:port IoCs, sids 91248864 onward (IoC ids are contiguous, unlike the rules above).
alert tcp $HOME_NET any -> [64.23.206.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248864; rev:1;)
alert tcp $HOME_NET any -> [104.236.193.50] 2443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248865; rev:1;)
alert tcp $HOME_NET any -> [128.199.141.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248866; rev:1;)
alert tcp $HOME_NET any -> [143.198.210.118] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248867; rev:1;)
alert tcp $HOME_NET any -> [167.71.61.64] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248868; rev:1;)
alert tcp $HOME_NET any -> [167.71.141.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248869; rev:1;)
alert tcp $HOME_NET any -> [178.128.59.129] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248870; rev:1;)
alert tcp $HOME_NET any -> [106.38.201.196] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248871; rev:1;)
alert tcp $HOME_NET any -> [116.196.113.95] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248872; rev:1;)
alert tcp $HOME_NET any -> [117.50.47.141] 47346 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248873; rev:1;)
alert tcp $HOME_NET any -> [117.50.179.195] 7091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248874; rev:1;)
alert tcp $HOME_NET any -> [45.63.120.203] 57383 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248875; rev:1;)
alert tcp $HOME_NET any -> [64.176.168.194] 62253 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248876; rev:1;)
alert tcp $HOME_NET any -> [70.34.221.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248877; rev:1;)
alert tcp $HOME_NET any -> [107.191.49.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248878; rev:1;)
alert tcp $HOME_NET any -> [108.160.137.199] 49933 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248879; rev:1;) alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248881; rev:1;) alert tcp $HOME_NET any -> [167.179.84.218] 35567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248880; rev:1;) alert tcp $HOME_NET any -> [20.239.165.111] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248882; rev:1;) alert tcp $HOME_NET any -> [104.46.214.150] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248883; rev:1;) alert tcp $HOME_NET any -> [168.61.180.98] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248884/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_25; classtype:trojan-activity; sid:91248884; rev:1;) alert tcp $HOME_NET any -> [168.61.180.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248885; rev:1;) alert tcp $HOME_NET any -> [64.69.41.141] 12306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248886; rev:1;) alert tcp $HOME_NET any -> [148.135.67.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248887; rev:1;) alert tcp $HOME_NET any -> [39.109.113.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248888; rev:1;) alert tcp $HOME_NET any -> [154.221.16.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248889; rev:1;) alert tcp $HOME_NET any -> [45.152.64.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248890; rev:1;) alert tcp $HOME_NET any -> [45.144.136.14] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248891; rev:1;) alert tcp $HOME_NET any -> [149.104.29.151] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248892; rev:1;) alert tcp $HOME_NET any -> [38.207.178.141] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248893; rev:1;) alert tcp $HOME_NET any -> [38.207.178.141] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248894; rev:1;) alert tcp $HOME_NET any -> [149.104.30.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91248895; rev:1;) alert tcp $HOME_NET any -> [139.159.145.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248862; rev:1;) alert tcp $HOME_NET any -> [124.70.180.22] 65089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248860; rev:1;) alert tcp $HOME_NET any -> [124.71.75.199] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248861; rev:1;) alert tcp $HOME_NET any -> [123.60.159.23] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248859; rev:1;) alert tcp $HOME_NET any -> [121.36.255.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248856; rev:1;) alert tcp $HOME_NET any -> [121.37.45.205] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1248857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248857; rev:1;) alert tcp $HOME_NET any -> [121.37.208.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248858; rev:1;) alert tcp $HOME_NET any -> [121.36.203.14] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248855; rev:1;) alert tcp $HOME_NET any -> [121.36.33.53] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248853; rev:1;) alert tcp $HOME_NET any -> [121.36.67.21] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248854; rev:1;) alert tcp $HOME_NET any -> [60.204.222.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248851; rev:1;) alert tcp $HOME_NET any -> 
[60.204.222.75] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248852; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248849; rev:1;) alert tcp $HOME_NET any -> [60.204.208.32] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248850; rev:1;) alert tcp $HOME_NET any -> [175.178.0.88] 33890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248833; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248834; rev:1;) alert tcp $HOME_NET any -> [192.144.234.75] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248835; rev:1;) alert tcp $HOME_NET any -> [175.27.137.15] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248831; rev:1;) alert tcp $HOME_NET any -> [175.27.159.169] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248832; rev:1;) alert tcp $HOME_NET any -> [159.75.170.201] 42586 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248829; rev:1;) alert tcp $HOME_NET any -> [175.27.137.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248830; rev:1;) alert tcp $HOME_NET any -> [150.158.135.188] 49227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248827; rev:1;) alert tcp $HOME_NET any -> [152.136.174.196] 82 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248828; rev:1;) alert tcp $HOME_NET any -> [139.155.94.15] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248826; rev:1;) alert tcp $HOME_NET any -> [124.223.180.89] 58808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248825; rev:1;) alert tcp $HOME_NET any -> [124.222.220.126] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248824; rev:1;) alert tcp $HOME_NET any -> [124.221.184.239] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248821; rev:1;) alert tcp $HOME_NET any -> [124.222.24.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248822/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248822; rev:1;) alert tcp $HOME_NET any -> [124.222.186.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248823; rev:1;) alert tcp $HOME_NET any -> [124.220.182.36] 38927 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248818; rev:1;) alert tcp $HOME_NET any -> [124.221.15.74] 50520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248819; rev:1;) alert tcp $HOME_NET any -> [124.221.66.75] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248820; rev:1;) alert tcp $HOME_NET any -> [124.220.163.73] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248817; rev:1;) alert tcp $HOME_NET any -> [121.5.66.186] 1082 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248814; rev:1;) alert tcp $HOME_NET any -> [122.51.133.143] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248815; rev:1;) alert tcp $HOME_NET any -> [123.207.50.191] 43252 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248816; rev:1;) alert tcp $HOME_NET any -> [121.5.66.186] 1083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248813; rev:1;) alert tcp $HOME_NET any -> [119.45.216.34] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248811; rev:1;) alert tcp $HOME_NET any -> [121.4.94.121] 65335 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248812/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_25; classtype:trojan-activity; sid:91248812; rev:1;) alert tcp $HOME_NET any -> [119.45.187.65] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248810; rev:1;) alert tcp $HOME_NET any -> [118.25.182.25] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248809; rev:1;) alert tcp $HOME_NET any -> [115.159.102.112] 8933 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248808; rev:1;) alert tcp $HOME_NET any -> [114.132.252.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248807; rev:1;) alert tcp $HOME_NET any -> [111.230.111.186] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248806; rev:1;) alert tcp $HOME_NET any -> [106.55.181.95] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248803; rev:1;) alert tcp $HOME_NET any -> [111.230.30.197] 61234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248804; rev:1;) alert tcp $HOME_NET any -> [106.54.227.54] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248802; rev:1;) alert tcp $HOME_NET any -> [101.43.215.118] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248800; rev:1;) alert tcp $HOME_NET any -> [106.52.94.23] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248801; rev:1;) alert tcp $HOME_NET any -> [101.43.211.190] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; 
sid:91248798; rev:1;) alert tcp $HOME_NET any -> [101.43.211.190] 60050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248799; rev:1;) alert tcp $HOME_NET any -> [101.43.2.116] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248796; rev:1;) alert tcp $HOME_NET any -> [101.43.16.149] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248797; rev:1;) alert tcp $HOME_NET any -> [82.157.154.247] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248794; rev:1;) alert tcp $HOME_NET any -> [101.35.108.141] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248795; rev:1;) alert tcp $HOME_NET any -> [82.157.153.82] 7979 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1248793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248793; rev:1;) alert tcp $HOME_NET any -> [82.157.17.183] 4418 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248792; rev:1;) alert tcp $HOME_NET any -> [82.156.147.236] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248790; rev:1;) alert tcp $HOME_NET any -> [82.156.174.51] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248791; rev:1;) alert tcp $HOME_NET any -> [81.71.140.170] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248788; rev:1;) alert tcp $HOME_NET any -> [82.156.29.211] 40089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248789; rev:1;) alert tcp $HOME_NET any 
-> [43.143.103.235] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248785; rev:1;) alert tcp $HOME_NET any -> [43.143.216.15] 4434 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248786; rev:1;) alert tcp $HOME_NET any -> [81.68.198.185] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248787; rev:1;) alert tcp $HOME_NET any -> [43.138.150.136] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248783; rev:1;) alert tcp $HOME_NET any -> [43.139.219.102] 65360 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248784; rev:1;) alert tcp $HOME_NET any -> [43.138.77.115] 54666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248782; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 9856 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248780; rev:1;) alert tcp $HOME_NET any -> [43.136.242.247] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248781; rev:1;) alert tcp $HOME_NET any -> [42.193.178.194] 65530 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248778; rev:1;) alert tcp $HOME_NET any -> [43.136.14.250] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248779; rev:1;) alert tcp $HOME_NET any -> [42.193.141.172] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248775; rev:1;) alert tcp $HOME_NET any -> [42.193.170.176] 37019 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248776; rev:1;) alert tcp $HOME_NET any -> [42.193.175.123] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248777; rev:1;) alert tcp $HOME_NET any -> [42.193.98.44] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248774; rev:1;) alert tcp $HOME_NET any -> [1.15.248.225] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248772; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 65520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248773; rev:1;) alert tcp $HOME_NET any -> [1.14.204.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248770/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248770; rev:1;) alert tcp $HOME_NET any -> [1.14.205.73] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248771; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248769; rev:1;) alert tcp $HOME_NET any -> [1.14.46.128] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248768; rev:1;) alert tcp $HOME_NET any -> [182.92.67.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248765; rev:1;) alert tcp $HOME_NET any -> [120.79.225.52] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248762; rev:1;) alert tcp $HOME_NET any -> [123.57.193.197] 50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248763; rev:1;) alert tcp $HOME_NET any -> [139.224.188.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248764; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 51120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248761; rev:1;) alert tcp $HOME_NET any -> [120.55.64.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248759; rev:1;) alert tcp $HOME_NET any -> [120.76.158.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248760; rev:1;) alert tcp $HOME_NET any -> [120.55.64.157] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248758; rev:1;) alert tcp $HOME_NET any -> [120.25.1.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248757; rev:1;) alert tcp $HOME_NET any -> [114.55.234.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248755; rev:1;) alert tcp $HOME_NET any -> [116.62.242.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248756; rev:1;) alert tcp $HOME_NET any -> [101.201.155.239] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248753; rev:1;) alert tcp $HOME_NET any -> [112.126.80.83] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248754; rev:1;) alert tcp $HOME_NET any -> [47.123.7.206] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248752; rev:1;) alert tcp $HOME_NET any -> [47.106.89.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248750; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248751; rev:1;) alert tcp $HOME_NET any -> [47.100.229.207] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248749; rev:1;) alert tcp $HOME_NET any -> [47.94.196.29] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248747; rev:1;) alert tcp $HOME_NET any -> [47.100.182.88] 1266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248748; rev:1;) alert tcp 
$HOME_NET any -> [39.106.5.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248744; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248745; rev:1;) alert tcp $HOME_NET any -> [47.92.75.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248746; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248741; rev:1;) alert tcp $HOME_NET any -> [39.101.198.2] 8446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248743; rev:1;) alert tcp $HOME_NET any -> [8.147.132.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248742; rev:1;) alert tcp $HOME_NET any -> [8.130.101.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248739; rev:1;) alert tcp $HOME_NET any -> [8.130.122.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248740; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248733; rev:1;) alert tcp $HOME_NET any -> [8.130.43.95] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248737; rev:1;) alert tcp $HOME_NET any -> [8.130.81.128] 8786 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"193.233.132.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248844; rev:1;) alert tcp $HOME_NET any -> [149.104.30.191] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248896; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 16379 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248897; rev:1;) alert tcp $HOME_NET any -> [114.115.203.114] 46123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248898; rev:1;) alert tcp $HOME_NET any -> [111.67.195.152] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248899; rev:1;) alert tcp $HOME_NET any -> [172.233.84.174] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248900; rev:1;) alert tcp $HOME_NET any -> [139.144.96.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248901; rev:1;) alert tcp $HOME_NET any -> [5.199.168.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248902; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248907; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248908; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248909; rev:1;) alert tcp $HOME_NET any -> 
[3.125.223.134] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248910; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 18001 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248911; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 64479 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"share-introduced.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248913; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248914; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248915/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248915; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 14622 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248916; rev:1;) alert tcp $HOME_NET any -> [24.42.98.153] 195 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"h2cker.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248918; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 9626 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"low-feeding.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248920; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 52522 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"limited-architect.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_25; classtype:trojan-activity; sid:91248922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"profaj.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aphcareerconnect.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"passikuvasuomi.fi"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"stamyn.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"freeupscmaterials.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dermcollective.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"samsebeastrolog.online"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prestigiousmassage.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wakafmu.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248930; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wildaid.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248932; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ozanisguvenligi.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.celinabostic.de"; 
depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.annehemgard.se"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nematinuts.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mega-mkv.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"somersetpizzamd.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wislah.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"diabetesstrong.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cartoongayporn.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248948; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"toivolanpiha.fi"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.anordestdiche.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egylgs.info"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"phoenixair.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gustancho.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248943; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ancestralfindings.com"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"arduino-projects4u.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"equinox-hotels.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"bilgisebili.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"egvisaservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; 
classtype:trojan-activity; sid:91248952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.atlantabarbellgym.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"good2bsocial.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nokohome.se"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eddie-hernandez.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"recetascocinaperuana.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.appleluxurycar.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swemed.se"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eclipseofmasters.zip"; depth:21; nocase; http.host; content:"eclipseofmasters.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248846; rev:1;) alert tcp $HOME_NET any -> [1.94.101.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248848/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eclipseofmasters.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1131608743935758472/1221211365121855640/mariyeltherapyinstaller.rar"; depth:80; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_25; classtype:trojan-activity; sid:91248766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpudlemulti/downloadsjs8/update7/cpuwp/dump48/2_public/pythondefaultdbbasetestcdn.php"; depth:86; nocase; http.host; content:"213.171.8.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248906; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 5000 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248905; rev:1;) alert tcp $HOME_NET any -> [8.130.9.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.9.110"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248903; rev:1;) alert tcp $HOME_NET any -> [193.233.133.152] 35515 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248863; rev:1;) alert tcp $HOME_NET any -> [91.240.85.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248843; rev:1;) alert tcp $HOME_NET any -> [77.221.148.13] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248842; rev:1;) alert tcp $HOME_NET any -> [94.156.10.121] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248841; rev:1;) alert tcp $HOME_NET any -> [120.26.224.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248840; rev:1;) alert tcp $HOME_NET any -> [34.92.107.200] 8002 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248839; rev:1;) alert tcp $HOME_NET any -> [154.247.80.100] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248838; rev:1;) alert tcp $HOME_NET any -> [104.237.233.103] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248837; rev:1;) alert tcp $HOME_NET any -> [193.169.245.94] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248836; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4223af25.php"; depth:13; nocase; http.host; content:"a0933702.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/externaljavascriptsecurepacketcpugameprotectdefaultdbpublic.php"; depth:70; nocase; http.host; content:"176.124.220.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248732; rev:1;) alert tcp $HOME_NET any -> [5.161.242.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248727/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_24; classtype:trojan-activity; sid:91248727; rev:1;) alert tcp $HOME_NET any -> [110.34.30.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248728; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248729; rev:1;) alert tcp $HOME_NET any -> [47.92.173.240] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248730; rev:1;) alert tcp $HOME_NET any -> [81.70.232.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248731; rev:1;) alert tcp $HOME_NET any -> [123.56.251.159] 18099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248717; rev:1;) alert tcp $HOME_NET any -> [74.48.183.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248718; rev:1;) alert tcp $HOME_NET any -> [1.14.206.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248719; rev:1;) alert tcp $HOME_NET any -> [119.91.192.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248720; rev:1;) alert tcp $HOME_NET any -> [120.46.130.73] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248721; rev:1;) alert tcp $HOME_NET any -> [47.113.219.193] 11333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248722; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 1003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; 
sid:91248723; rev:1;) alert tcp $HOME_NET any -> [47.96.229.84] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248724; rev:1;) alert tcp $HOME_NET any -> [47.113.179.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248725; rev:1;) alert tcp $HOME_NET any -> [167.71.205.181] 44133 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248726; rev:1;) alert tcp $HOME_NET any -> [52.76.173.97] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248696; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248697; rev:1;) alert tcp $HOME_NET any -> [172.111.218.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1248698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248698; rev:1;) alert tcp $HOME_NET any -> [38.47.226.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248700; rev:1;) alert tcp $HOME_NET any -> [124.222.173.69] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248699; rev:1;) alert tcp $HOME_NET any -> [123.56.215.15] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248701; rev:1;) alert tcp $HOME_NET any -> [150.158.51.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248704/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_03_24; classtype:trojan-activity; sid:91248704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248708/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248708; rev:1;) alert tcp $HOME_NET any -> [115.159.195.80] 8161 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248709; rev:1;) alert tcp $HOME_NET any -> [67.230.163.18] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248711; rev:1;) alert tcp $HOME_NET any -> [114.55.74.79] 8975 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"himalware.cn"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248713; rev:1;) alert tcp $HOME_NET any -> [64.23.174.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sketchcolor.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248715; rev:1;) alert tcp $HOME_NET any -> [91.194.160.156] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bb0afc50.php"; depth:13; nocase; http.host; content:"a0917913.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248702; rev:1;) alert tcp $HOME_NET any -> [8.140.251.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248694; rev:1;) alert tcp $HOME_NET any -> [154.12.29.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248693/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_24; classtype:trojan-activity; sid:91248693; rev:1;) alert tcp $HOME_NET any -> [8.140.251.152] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nblcc.co"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thpataa.chat"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aane.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azmmhh.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"eyedr.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fboadbns.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hygxq.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"us17.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js-min.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stickloader.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248553/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.localadswidget.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.watchasync.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.jsdevlvr.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.wt-api.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.abc-cdn.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248558; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.opttracker.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.schema-forms.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l.js-assets.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"load.365analytics.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"page.24supportkit.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"spf.js-min.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stat.counter247.live"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"streaming.jsonmediapacks.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stylesheet.webstaticcdn.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tags.stickloader.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"helpoton.quest"; depth:14; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"looptic.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"shtelpenstec.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"picktoc.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sandton.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"starlanded.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248574/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_24; classtype:bad-unknown; sid:91248574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.helpoton.quest"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.looptic.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.picktoc.online"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.sandton.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.shtelpenstec.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.starlanded.click"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flonea.live"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pvcfencingwarehouse.com.au"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"systemtranslation.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atalyadis.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248686/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wordpress.itrip.ro"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"seva-ese.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hethooghuis.nl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"wheelz.me"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kbjporn.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"onlinemoneyspy.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grasping.oss-me-east-1.aliyuncs.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248543; rev:1;) alert tcp $HOME_NET any -> [172.86.75.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"360sec.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248587/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248587; rev:1;) alert tcp $HOME_NET any -> [94.156.64.122] 8888 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248588; rev:1;) alert tcp $HOME_NET any -> [185.73.124.238] 30956 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248589; rev:1;) alert tcp $HOME_NET any -> [128.90.122.92] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248590; rev:1;) alert tcp $HOME_NET any -> [194.147.140.239] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248591; rev:1;) alert tcp $HOME_NET any -> [142.11.201.123] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248592; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248598/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248598; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248599; rev:1;) alert tcp $HOME_NET any -> [45.83.31.113] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248600; rev:1;) alert tcp $HOME_NET any -> [207.32.217.101] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248601; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248603; rev:1;) alert tcp $HOME_NET any -> [38.180.91.75] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248602; rev:1;) alert tcp $HOME_NET any -> [186.168.67.211] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248604; rev:1;) alert tcp $HOME_NET any -> [89.163.221.170] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248605; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248606; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248607; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248608; rev:1;) alert tcp $HOME_NET any -> [104.243.34.3] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248609; rev:1;) alert tcp $HOME_NET 
any -> [104.243.34.3] 4016 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248610; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248611; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248612; rev:1;) alert tcp $HOME_NET any -> [66.135.22.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248613; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248614; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248615/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248615; rev:1;) alert tcp $HOME_NET any -> [47.76.218.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248683; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248616; rev:1;) alert tcp $HOME_NET any -> [207.32.218.138] 2005 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248617; rev:1;) alert tcp $HOME_NET any -> [107.148.49.57] 39632 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248618; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248619; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248620; rev:1;) alert tcp $HOME_NET any -> [213.195.124.90] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248621; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248622; rev:1;) alert tcp $HOME_NET any -> [142.11.201.126] 8714 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248623; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248624; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248625; 
rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248626; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248627; rev:1;) alert tcp $HOME_NET any -> [147.124.212.80] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248628; rev:1;) alert tcp $HOME_NET any -> [46.246.4.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248630; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248631; rev:1;) alert tcp $HOME_NET any -> [88.232.116.241] 3007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248632; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248633; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248634; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248635; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248636; rev:1;) alert tcp $HOME_NET any -> [115.79.233.243] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248637; rev:1;) alert tcp $HOME_NET any -> [172.86.66.57] 8080 (msg:"ThreatFox Venom RAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248638; rev:1;) alert tcp $HOME_NET any -> [121.36.213.92] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248639; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1544 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248640; rev:1;) alert tcp $HOME_NET any -> [139.159.253.121] 1300 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248641; rev:1;) alert tcp $HOME_NET any -> [123.60.222.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248642; rev:1;) alert tcp $HOME_NET any -> [192.3.12.139] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248643/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_24; classtype:trojan-activity; sid:91248643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vviill.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mosc.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos4.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos2.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos1.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mos5.vviill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248649; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7015 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248650; rev:1;) alert tcp $HOME_NET any -> [60.204.242.181] 7016 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248651; rev:1;) alert tcp $HOME_NET any -> [106.38.201.39] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248652; rev:1;) alert tcp $HOME_NET any -> [106.38.201.39] 8555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248653; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cristech.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jelint.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"olynoo.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"seletec.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"stelitech.site"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248658; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"teolydigi.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248659; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tolinfore.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248660; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tucton.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"veltefre.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yelubin.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yostek.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"cdn.hopefor.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.jelint.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.treimob.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.tucton.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:bad-unknown; sid:91248668; rev:1;) alert tcp $HOME_NET any -> [47.103.46.108] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248669; rev:1;) alert tcp $HOME_NET any -> [144.168.61.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248670/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248670; rev:1;) alert tcp $HOME_NET any -> [175.178.47.86] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248671; rev:1;) alert tcp $HOME_NET any -> [43.159.58.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"connachttribune.ie"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themodestwallet.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"xlights.org"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.0939it.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"promixacademy.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"aarch.dk"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"michiganumc.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; 
sid:91248679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"susanin.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.ama-studio.it"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"themeatandwineco.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0869574.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"find-ball.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248596; rev:1;) alert tcp $HOME_NET any -> [45.149.172.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch"; depth:3; nocase; http.host; content:"find-ball.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lidgmacv-1317471912.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"185.130.46.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248581; rev:1;) alert tcp $HOME_NET any -> [195.62.32.227] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/sendmsg"; depth:12; nocase; http.host; content:"service-75oa09db-1317471892.cd.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apwpnhwkyh.php"; depth:15; nocase; http.host; content:"mars.mhsorteio.app.br"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248540; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248508/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zahiraccounting.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"parentingisnteasy.co"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shemshad.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gochat247.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"travel2next.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m/xmlrpc.php"; depth:13; nocase; http.host; content:"www.atemberaubende-akzente.de"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248512; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248506; rev:1;) alert tcp $HOME_NET any -> [160.177.59.183] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248505; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_24; classtype:trojan-activity; sid:91248507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"eshraghbook.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.elbepokal.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pointerclicker.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"swingandbeyond.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248518; rev:1;) alert tcp $HOME_NET any -> [35.198.215.67] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/supershell/login"; depth:17; nocase; http.host; content:"35.198.215.67"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248523; rev:1;) alert tcp $HOME_NET any -> [34.65.140.140] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248538; rev:1;) alert tcp $HOME_NET any -> [35.221.12.2] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248537; rev:1;) alert tcp $HOME_NET any -> [34.73.147.86] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248536; rev:1;) alert tcp $HOME_NET any -> [35.228.143.142] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248535; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248534; rev:1;) alert tcp $HOME_NET any -> [103.25.61.30] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248533; rev:1;) alert tcp $HOME_NET any -> [45.128.96.101] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248532; rev:1;) alert tcp $HOME_NET any -> [185.203.117.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248531; rev:1;) alert tcp $HOME_NET any -> [45.128.96.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248530; rev:1;) alert tcp $HOME_NET any -> [92.116.36.5] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248529; rev:1;) alert tcp $HOME_NET any -> [45.134.9.138] 41056 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248528; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 4242 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248527; rev:1;) alert tcp $HOME_NET any -> [84.246.85.147] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248526; rev:1;) alert tcp $HOME_NET any -> [88.119.174.117] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"27.106.156.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248524; rev:1;) alert tcp $HOME_NET any -> [91.92.248.117] 65012 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248521; rev:1;)
# NOTE(review): the URI test in the next rule is content:"/" with depth:1, i.e. "URI starts with /",
# which every request URI satisfies. The rule therefore fires on ANY cleartext GET whose Host header
# is exactly 128.140.90.181 (the ThreatFox IOC is the bare URL http://128.140.90.181/). Expect it to
# trigger on your own verification requests to that host too. http.* keywords only see HTTP that
# Suricata can parse, so TLS to the same host is not covered by this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.90.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248520; rev:1;)
# NOTE(review): ip:port rules carry no flow keyword, so any TCP segment from a $HOME_NET host to
# 175.42.16.2:4784 matches (a bare SYN or a scanner probe included, not only established sessions);
# the threshold caps this at one alert per source IP per 60 s. target:src_ip labels the internal
# host as the victim in the alert. sid is "9" + the ThreatFox IOC id (1248519), the same id as the
# reference URL -- handy for de-duplicating against other feeds.
alert tcp $HOME_NET any -> [175.42.16.2] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_24; classtype:trojan-activity; sid:91248519; rev:1;)
# NOTE(review): dns_query with depth:24 (= length of the name) plus isdataat:!1,relative is an exact,
# case-insensitive match on "www.guerrilladefense.com" only; the apex guerrilladefense.com and any
# other label are NOT covered. Confidence is 50% and the name reads like an ordinary business site,
# so treat a hit as a lead and read the referenced entry before acting. The $HOME_NET -> $EXTERNAL_NET
# direction only sees queries leaving the monitored network; a client asking an internal resolver
# stays inside $HOME_NET -- confirm the resolver's upstream traffic is on the monitored path.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"www.guerrilladefense.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248504/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_24; classtype:trojan-activity; sid:91248504; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.67] 48396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248503; rev:1;)
alert tcp $HOME_NET any -> [105.158.47.40] 10000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; 
classtype:trojan-activity; sid:91248502; rev:1;) alert tcp $HOME_NET any -> [23.95.6.204] 1604 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"paulrdp02.duckdns.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248499; rev:1;) alert tcp $HOME_NET any -> [51.75.74.92] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248498; rev:1;) alert tcp $HOME_NET any -> [104.131.185.229] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248497; rev:1;) alert tcp $HOME_NET any -> [4.175.178.149] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248496; rev:1;) alert tcp $HOME_NET any -> [45.148.244.175] 9191 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248495; rev:1;) alert tcp $HOME_NET any -> [119.29.249.217] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248494; rev:1;) alert tcp $HOME_NET any -> [46.246.86.15] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248493; rev:1;) alert tcp $HOME_NET any -> [189.177.47.82] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248492; rev:1;) alert tcp $HOME_NET any -> [190.134.48.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248491; rev:1;) alert tcp $HOME_NET any -> [187.170.224.77] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; 
classtype:trojan-activity; sid:91248490; rev:1;)
# NOTE(review): "Responder" is the LLMNR/NBT-NS poisoner + rogue SMB/HTTP authentication server used
# for credential capture, not a botnet -- the "botnet C2 traffic" wording is the feed's fixed msg
# template. What this rule really detects is an internal host opening SMB (tcp/445) to an external
# address, which deserves an alert on its own (outbound 445 should normally be blocked at the edge);
# a hit would suggest coerced or relayed authentication rather than beaconing. Confidence is 50% and
# the IP appears to sit in a public-cloud allocation (verify current ownership against first_seen
# before turning this into a block).
alert tcp $HOME_NET any -> [52.39.217.122] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248489; rev:1;)
# NOTE(review): Havoc C2 over tcp/443 at 50% confidence. These ip:port rules have no flow keyword, so
# any TCP segment from $HOME_NET to the listed ip:port matches (including a SYN); the threshold keeps
# it to one alert per source per 60 s. Because they match on the 4-tuple they are the only coverage
# here for the TLS channel (the feed's http.* rules cannot see inside TLS). Several of these addresses
# look like large cloud-provider ranges, which are re-assigned frequently -- check the first_seen date
# (2024_03_23) against the current tenant before blocking.
alert tcp $HOME_NET any -> [172.178.112.227] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248488; rev:1;)
alert tcp $HOME_NET any -> [159.65.212.61] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248487; rev:1;)
alert tcp $HOME_NET any -> [193.239.86.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248486; rev:1;)
alert tcp $HOME_NET any -> [92.116.39.103] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248485; rev:1;)
alert tcp $HOME_NET any -> [104.234.254.98] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpcpu.php"; depth:12; nocase; http.host; content:"a0583448.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248483; rev:1;) alert tcp $HOME_NET any -> [45.11.183.78] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248480; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248481; rev:1;) alert tcp $HOME_NET any -> [185.158.251.76] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248482/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mariyeltherapy.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; 
classtype:trojan-activity; sid:91248476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1220454717306572985/1220735355087486986/mariyelstherapy.rar"; depth:72; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linnisgood.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.cliniquecomputer.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newiasc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tesgdtgugdugd.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248470/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"designerskinclinic.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"applegrowersnc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.securecloudmanage.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"geotechprotect.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"legionenterprises.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248466; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecoplantssales.uk"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goldensoftware.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"giaker.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.oneblackwood.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.shopmoneyweb.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"albarakahhalalfood.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orderhalalfoodsonline.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talesfromthedoghouse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citadelsecurityservices.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.markerbio.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bb.myserv012.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1248458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248458; rev:1;) alert tcp $HOME_NET any -> [103.254.75.120] 13307 (msg:"ThreatFox XOR DDoS botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248456; rev:1;) alert tcp $HOME_NET any -> [91.92.251.30] 2025 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"big-walls.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.wiurezende.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"storage.wiurezende.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248453; rev:1;) 
# NOTE(review): domain IOCs. dns_query + depth:N (N = length of the name) + isdataat:!1,relative is an
# exact match on the full query name (nocase: case-insensitive); sub-labels and the parent domain do
# not fire. The $HOME_NET -> $EXTERNAL_NET direction only sees queries that leave the monitored
# network: if clients use an internal resolver, only the resolver's own upstream lookups can match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chat.wiurezende.site"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meyer-when.dpvnzorwtl.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248454; rev:1;)
# NOTE(review): URL IOCs. Method must be GET; the URI must BEGIN with the listed path (depth = path
# length, nothing anchors the end, so a trailing query string still matches); the Host header must
# equal the listed value exactly (isdataat:!1,relative). These are HTTP-buffer rules and only see
# cleartext HTTP -- TLS to the same host is covered, if at all, by the dns/ip:port rules. Paths such
# as /jquery-3.3.1.min.js, /visit.js and /ie9compatviewlist.xml are deliberately benign-looking
# (presumably a C2 framework's malleable profile -- see the referenced entries); the exact Host match
# is what makes each rule specific, so do not loosen it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpsqlwordpressdlepublic.php"; depth:30; nocase; http.host; content:"926388cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248448; rev:1;)
# NOTE(review): Cobalt Strike ip:port IOCs. No flow keyword, so any TCP segment from $HOME_NET to the
# listed ip:port matches (a SYN or a scanner probe included); the threshold limits it to one alert
# per source IP per 60 s; target:src_ip marks the internal host as the victim. The tcp/53 entry will
# also match ordinary DNS-over-TCP to that address if it ever served DNS. Both addresses look like
# public-cloud allocations (re-assigned frequently) -- confirm current ownership against first_seen
# before blocking. sid is "9" + the ThreatFox IOC id in the reference URL.
alert tcp $HOME_NET any -> [35.226.178.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"43.138.72.70"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248444; rev:1;)
alert tcp $HOME_NET any -> [3.125.52.194] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"office365.press"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"office365.press"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248442; rev:1;) alert tcp $HOME_NET any -> [207.148.99.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"207.148.99.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248438; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 88 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"203.86.255.47"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248435; rev:1;) alert tcp $HOME_NET any -> [203.86.255.47] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"23.94.87.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248433; rev:1;) alert tcp $HOME_NET any -> [23.94.87.135] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.190.147.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.139.101.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"search.zfly.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248428; rev:1;) alert tcp $HOME_NET any -> [8.137.117.105] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; 
sid:91248429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.6.0.min.js"; depth:20; nocase; http.host; content:"search.zfly.fun"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248427; rev:1;) alert tcp $HOME_NET any -> [109.104.152.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tab_home.js"; depth:12; nocase; http.host; content:"shehasgone.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shehasgone.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/feedapi/v1/newsserver/api/getusername"; depth:38; nocase; http.host; content:"119.45.45.138"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1248422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248422; rev:1;) alert tcp $HOME_NET any -> [119.45.45.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/systemrecordscreen/autodata/phprulemobilerule/preflocal/_secureprocesstraffic.php"; depth:82; nocase; http.host; content:"212.109.193.246"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelweb.equi-hosting.fr"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoevenareyou.equi-hosting.fr"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"plesk.equi-hosting.fr"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"equi-hosting.fr"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/javascriptprocessorlongpolldbtempcentraltemporary.php"; depth:54; nocase; http.host; content:"585196cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.gamerforyou.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"172.67.138.233"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"104.21.56.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248407; rev:1;) alert tcp $HOME_NET any -> [148.135.103.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"148.135.103.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248405; rev:1;) alert tcp $HOME_NET any -> [37.120.235.114] 2269 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248404/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248404; rev:1;) alert tcp $HOME_NET any -> [94.156.10.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248348; rev:1;) alert tcp $HOME_NET any -> [91.92.245.111] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248349; rev:1;) alert tcp $HOME_NET any -> [91.92.250.41] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharkagency.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"91.92.250.41"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"webipal.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"helpsarkari.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cittadifondazione.it"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"irannihon.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248356; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shywolfsanctuary.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"cathedrale-nantes.fr"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dgtread.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"kresy.pl"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.emeliew.se"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248362; rev:1;) alert tcp $HOME_NET any -> [192.121.102.205] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smartai.com.au"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.djurskyddetvastervik.se"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"thechutneylife.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; 
sid:91248373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apiframeworknode.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"healthcares.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apistoragecache.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"faneuilhallmarketplace.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mycashtree.net"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1248376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"gradecam.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"sheffi-tours.co.il"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lascebrassalen.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.drzewkonaprezent.pl"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; 
sid:91248381; rev:1;) alert tcp $HOME_NET any -> [91.92.242.57] 8989 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248388; rev:1;) alert tcp $HOME_NET any -> [128.254.207.82] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248403; rev:1;) alert tcp $HOME_NET any -> [128.254.207.82] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248402; rev:1;) alert tcp $HOME_NET any -> [62.109.21.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248401; rev:1;) alert tcp $HOME_NET any -> [77.105.167.115] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248400; rev:1;) alert tcp $HOME_NET any -> [89.23.101.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248399; rev:1;) alert tcp $HOME_NET any -> [109.120.184.203] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248398; rev:1;) alert tcp $HOME_NET any -> [137.184.41.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248397; rev:1;) alert tcp $HOME_NET any -> [34.81.83.87] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248396; rev:1;) alert tcp $HOME_NET any -> [120.48.99.76] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248395; rev:1;) alert tcp $HOME_NET any -> [46.246.14.3] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248394; rev:1;) alert tcp $HOME_NET any -> [187.132.244.4] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248393; rev:1;) alert tcp $HOME_NET any -> [70.31.125.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248392; rev:1;) alert tcp $HOME_NET any -> [92.116.39.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248391; rev:1;) alert tcp $HOME_NET any -> [194.87.71.43] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_23; classtype:trojan-activity; sid:91248390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9jjjbnadshz/index.php"; depth:23; nocase; http.host; content:"194.87.71.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248389; rev:1;) alert tcp $HOME_NET any -> [185.164.163.66] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248387/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_23; classtype:trojan-activity; sid:91248387; rev:1;) alert tcp $HOME_NET any -> [216.83.40.187] 7777 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updateeternallongpoll/javascript6updateuniversal/linedatalife/uploadsapiauth/processphpwindows1/videodlebase/protectpublic/0/public8defaultexternal/pipedownloads/2voiddbdle/toapigenerator.php"; depth:192; nocase; http.host; content:"195.20.16.119"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248385; rev:1;) alert tcp $HOME_NET any -> [45.142.214.240] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c68ae6a6.php"; depth:13; nocase; http.host; content:"cf31000.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248383; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmjavascriptcpuprocessorbigloadserverwindowstestlocaldownloads.php"; depth:67; nocase; http.host; content:"181571cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_23; classtype:trojan-activity; sid:91248382; rev:1;) alert tcp $HOME_NET any -> [91.92.253.74] 14982 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"niceburlat.me"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; 
content:"ganstaeraop.shop"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grunzalom.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"titnovacrion.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248363; rev:1;) alert tcp $HOME_NET any -> [45.86.86.29] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248338/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248338; rev:1;) alert tcp $HOME_NET any -> [5.255.115.172] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248339/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248339; rev:1;) alert tcp $HOME_NET any -> [104.129.20.71] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - 
confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248340/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_22; classtype:trojan-activity; sid:91248340; rev:1;) alert tcp $HOME_NET any -> [104.237.252.28] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248345; rev:1;) alert tcp $HOME_NET any -> [83.166.150.213] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248347; rev:1;) alert tcp $HOME_NET any -> [144.91.93.153] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248346; rev:1;) alert tcp $HOME_NET any -> [5.75.221.51] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248343; rev:1;) alert tcp $HOME_NET any -> [65.109.241.165] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.165"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.51"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248341; rev:1;) alert tcp $HOME_NET any -> [23.92.208.54] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248337; rev:1;) alert tcp $HOME_NET any -> [23.92.208.54] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248336; rev:1;) alert tcp $HOME_NET any -> [37.128.207.92] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248335; rev:1;) alert tcp $HOME_NET any -> 
[37.128.207.92] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248334; rev:1;) alert tcp $HOME_NET any -> [185.158.251.240] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248333; rev:1;) alert tcp $HOME_NET any -> [89.208.107.232] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248332; rev:1;) alert tcp $HOME_NET any -> [104.161.32.84] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248331; rev:1;) alert tcp $HOME_NET any -> [104.161.32.84] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248330; rev:1;) alert tcp $HOME_NET any -> [217.195.153.158] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248329/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248329; rev:1;) alert tcp $HOME_NET any -> [217.195.153.158] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248328; rev:1;) alert tcp $HOME_NET any -> [147.45.68.67] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248326; rev:1;) alert tcp $HOME_NET any -> [147.45.68.67] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248327; rev:1;) alert tcp $HOME_NET any -> [146.19.254.43] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248325; rev:1;) alert tcp $HOME_NET any -> [146.19.254.43] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248324; rev:1;) alert tcp $HOME_NET any -> [213.252.232.161] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248322/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248322; rev:1;) alert tcp $HOME_NET any -> [213.252.232.161] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248323/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248323; rev:1;) alert tcp $HOME_NET any -> [193.26.115.80] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248321; rev:1;) alert tcp $HOME_NET any -> [193.26.115.80] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248320/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248320; rev:1;) alert tcp $HOME_NET any -> [54.145.152.164] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248319; rev:1;) alert tcp $HOME_NET any -> [54.145.152.164] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248318/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248318; rev:1;) alert tcp $HOME_NET 
any -> [185.217.197.52] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248317/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248317; rev:1;) alert tcp $HOME_NET any -> [166.1.173.27] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248316/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248316; rev:1;) alert tcp $HOME_NET any -> [43.128.5.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248315/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248315; rev:1;) alert tcp $HOME_NET any -> [108.61.202.34] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248314/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248314; rev:1;) alert tcp $HOME_NET any -> [5.42.106.164] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248313; rev:1;) alert tcp $HOME_NET any -> [107.172.209.239] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248312/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248312; rev:1;) alert tcp $HOME_NET any -> [72.27.170.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248311; rev:1;) alert tcp $HOME_NET any -> [39.40.180.234] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248310; rev:1;) alert tcp $HOME_NET any -> [191.112.21.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248309; rev:1;) alert tcp $HOME_NET any -> [64.23.181.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248308; rev:1;) alert tcp $HOME_NET any -> [114.130.36.121] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248307; rev:1;) alert tcp $HOME_NET any -> [4.153.122.111] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248306; rev:1;) alert tcp $HOME_NET any -> [64.23.185.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248305; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 10810 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248304; rev:1;) alert tcp $HOME_NET any -> [192.169.7.83] 64499 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248303; rev:1;) alert tcp $HOME_NET any -> [97.154.97.29] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248302; rev:1;) alert tcp $HOME_NET any -> [198.252.107.164] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248301; rev:1;) alert tcp $HOME_NET any -> 
[198.252.107.164] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"outsidespace.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smwroclaw.pl"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"jt.my"; depth:5; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rahatupu.net"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248294; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"typhoontv.in"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"nitrobilisim.com.tr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.balanceanddizzinessphysicaltherapy.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"divipeople.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"articuly.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consulheartinc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248290; rev:1;) alert tcp $HOME_NET any -> [91.92.242.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248289; rev:1;) alert tcp $HOME_NET any -> [91.210.106.47] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248288; rev:1;) alert tcp $HOME_NET any -> [52.160.82.19] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248279; rev:1;) alert tcp $HOME_NET any -> [31.129.99.52] 80 (msg:"ThreatFox ERMAC botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248280; rev:1;) alert tcp $HOME_NET any -> [172.208.59.226] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248281; rev:1;) alert tcp $HOME_NET any -> [93.123.85.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248282; rev:1;) alert tcp $HOME_NET any -> [166.88.61.219] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248283; rev:1;) alert tcp $HOME_NET any -> [207.180.202.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248284; rev:1;) alert tcp $HOME_NET any -> [87.120.84.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248285; 
rev:1;) alert tcp $HOME_NET any -> [172.214.139.124] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game6/6videoprocess5/track/5generator/test/asynclongpolldownloadspublic/jswindows/generatorcentralcdn/wordpressvmserverto/cpuprotectbigloadwp/1external7/js00/83cpulongpoll/async0vm/pollcdn/5eternalhttphttp/towp/trafficupdate/secure6/imagejavascriptdefaultasync.php"; depth:265; nocase; http.host; content:"80.78.243.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248286; rev:1;) alert tcp $HOME_NET any -> [104.168.33.31] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248278; rev:1;) alert tcp $HOME_NET any -> [143.198.30.16] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.zodo.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1248276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"view.msedge.live"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.winget-east.us"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aka.akadns.us"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fw.anti-ddos.io.vn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248262; rev:1;) alert tcp $HOME_NET any -> [87.98.228.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shop.amazon-aws.fr"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248264; rev:1;) alert tcp $HOME_NET any -> [94.23.121.241] 63420 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248265; rev:1;) alert tcp $HOME_NET any -> [40.83.122.109] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248269; rev:1;) alert tcp $HOME_NET any -> [89.44.9.238] 3790 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248266; rev:1;) alert tcp $HOME_NET any -> [89.44.9.238] 11112 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248267; rev:1;) alert tcp $HOME_NET any -> [113.22.74.126] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248270; rev:1;) alert tcp $HOME_NET any -> [91.92.243.188] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newssssssssssssss.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akamaicute.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pboc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248216; rev:1;) alert tcp $HOME_NET any -> [115.134.90.74] 9876 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248217; rev:1;) alert tcp $HOME_NET any -> [62.72.185.175] 1475 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248218; rev:1;) alert tcp $HOME_NET any -> [62.72.185.201] 1451 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248222; rev:1;) alert tcp $HOME_NET any -> [62.72.185.39] 1463 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248219; rev:1;) alert tcp $HOME_NET any -> [62.72.185.65] 1760 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248220; rev:1;) alert tcp $HOME_NET any -> [62.72.185.35] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248221; rev:1;) alert tcp $HOME_NET any -> [62.72.185.20] 1581 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248223; rev:1;) alert tcp $HOME_NET any -> [62.72.185.42] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.srryontop.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryontop.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdfsdfhhps.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248212; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailnet.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgsf.cat"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248215; rev:1;) alert tcp $HOME_NET any -> [185.150.26.253] 123 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248210; rev:1;) alert tcp $HOME_NET any -> [187.35.7.19] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248211; rev:1;) alert tcp $HOME_NET any -> [194.68.32.11] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248209; rev:1;) alert tcp $HOME_NET any -> [172.94.54.167] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"165.22.225.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248256; rev:1;) alert tcp $HOME_NET any -> [154.81.35.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"admin.usaid2.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"admin.usaid2.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248251; rev:1;) alert tcp $HOME_NET any -> [119.45.187.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248252; rev:1;) alert tcp $HOME_NET any -> [119.45.187.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"119.45.187.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248247; rev:1;) alert tcp $HOME_NET any -> [121.40.40.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248248; rev:1;) alert tcp $HOME_NET any -> [8.134.89.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users/123/1"; depth:12; nocase; http.host; content:"8.134.89.221"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248245; rev:1;) alert tcp $HOME_NET any -> 
[121.40.40.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.40.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"152.136.174.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.103.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248241; rev:1;) alert tcp $HOME_NET any -> [117.50.192.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248240/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91248240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"117.50.192.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248239; rev:1;) alert tcp $HOME_NET any -> [43.198.84.164] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248238; rev:1;) alert tcp $HOME_NET any -> [103.146.179.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index"; depth:6; nocase; http.host; content:"49.233.94.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ur"; depth:3; nocase; http.host; content:"49.233.94.45"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248235; rev:1;) alert tcp $HOME_NET any -> [156.232.7.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"156.232.7.236"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.14.245.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.109.148.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.87.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248228; rev:1;) alert tcp $HOME_NET any -> [116.202.3.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248225; rev:1;) alert tcp $HOME_NET any -> [49.13.87.142] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248226; rev:1;) alert tcp $HOME_NET any -> [49.13.87.142] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248227; rev:1;) alert tcp $HOME_NET any -> [143.110.191.139] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248207; rev:1;) alert tcp $HOME_NET any -> [111.90.143.125] 8921 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248208; rev:1;) alert tcp $HOME_NET any -> [181.162.133.144] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248202; rev:1;) alert tcp $HOME_NET any -> [8.218.71.187] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.127] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248203; rev:1;) alert tcp $HOME_NET any -> [91.150.120.14] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248204; rev:1;) alert tcp $HOME_NET any -> [190.205.241.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248206; rev:1;) alert tcp $HOME_NET any -> [187.59.70.10] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248199; rev:1;) alert tcp $HOME_NET any -> [47.243.49.209] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248200; rev:1;) alert tcp $HOME_NET any -> [172.111.148.93] 19933 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248201; rev:1;) alert tcp $HOME_NET any -> [139.28.36.39] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1248198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248198; rev:1;) alert tcp $HOME_NET any -> [95.216.117.153] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248183; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248184; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"delabfactory.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"delabfactory.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248196/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.219.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248195; rev:1;) alert tcp $HOME_NET any -> [2.58.15.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"2.58.15.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248193; rev:1;) alert tcp $HOME_NET any -> [43.143.110.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; 
content:"43.143.110.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mht_image/"; depth:11; nocase; http.host; content:"8.141.95.164"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248190; rev:1;) alert tcp $HOME_NET any -> [84.38.183.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"10.127.254.209"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248188; rev:1;) alert tcp $HOME_NET any -> [82.65.203.196] 7474 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"nocomp.freeboxos.fr"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"som.edu.vn"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"testiran.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"brainsoulsuccess.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"lasik2020.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1248173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.artisebio.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"charltonbrown.edu.au"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"weissenbach-pr.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"fuzionproscooter.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248179; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"shtourval.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"allfridaystudio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248181; rev:1;) alert tcp $HOME_NET any -> [37.197.57.116] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248182; rev:1;) alert tcp $HOME_NET any -> [193.36.119.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248171; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248160; rev:1;) alert tcp 
$HOME_NET any -> [185.196.9.234] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248161; rev:1;)
# --- ip:port C2 rules, first_seen 2024_03_22 ---
# These rules carry no flow: keyword and no content match: they key only on an internal host
# talking to the listed destination IP and port. threshold "type limit, track by_src, seconds 60,
# count 1" caps output at one alert per internal source per 60 s, so a single hit may hide a
# sustained beacon; correlate with flow records for volume. sid is "9" prefixed to the ThreatFox
# IOC id in the reference: URL, so the two stay in sync.
alert tcp $HOME_NET any -> [185.196.10.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248163; rev:1;)
alert tcp $HOME_NET any -> [81.17.22.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248164; rev:1;)
alert tcp $HOME_NET any -> [185.229.237.51] 2000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248169; rev:1;)
alert tcp $HOME_NET any -> [185.196.9.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248170; rev:1;)
# NjRAT cluster: four destinations sharing port 13241 (ioc 1248165-1248168).
alert tcp $HOME_NET any -> [3.125.223.134] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248168; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248167; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248166; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 13241 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248165; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.133] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248162/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248162; rev:1;)
# --- DNS query rules ---
# depth equals the literal's length and isdataat:!1,relative forbids trailing bytes, so only the
# exact queried name matches (a subdomain of it does not). nocase applies to the dns_query buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.nimade.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248158; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ck.aj05.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248159; rev:1;)
# --- WordPress xmlrpc.php "payload delivery" URLs (ioc 1248118-1248157) ---
# Match shape: GET from the client on an established flow; http.uri must START with the literal
# (depth equals its length, no isdataat, so a query string may follow); http.host must EQUAL the
# literal (depth plus isdataat:!1,relative). Several of the hosts look like ordinary third-party
# sites rather than attacker-owned infrastructure (e.g. snyk.io, barn2.com), which is consistent
# with abused/relayed xmlrpc endpoints; treat a hit as a pivot to investigate and check the
# referenced ThreatFox entry before converting any of these to a block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"breckenridge-vacation-homes.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.cultus.dk"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"darolvakil.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ansoffs.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"moaetscandg.org.ng"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248141; rev:1;)
# Variant: xmlrpc.php under a /wordpress/ prefix (depth 21).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.cheapandbestshopforlife.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"charchiinet.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mcws.org"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"goodklei.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"tamilcinetalk.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dansport.is"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"schematherapyinstitute.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248150; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekville.ru"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.back-zeit.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"smokersplanet.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248153; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.belvederebenidorm.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ragmcloud.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248155; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"52poke.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"dme.gr"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248157; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"saint-augustin.ch"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248136; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"specialeventservices.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.calzaturificioliberty.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248135; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"games-up.fr"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248134; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"snyk.io"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248132; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"auxiliaryenergy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248133; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/xmlrpc.php"; depth:21; nocase; http.host; content:"www.abako.se"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248130; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"playgroundbaron.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"amida.se"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248129; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"mundoalbiceleste.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248127; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"prokirpich76.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248128; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"rushradar.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248126; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"barn2.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248125; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"yekdoa.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248123; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"geekhacker.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248124; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"luxurylaunches.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248119; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"hkcapsule.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248122; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"natbooks.com.au"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248120; rev:1;)
# Variant: xmlrpc.php under a /blog/ prefix (depth 16).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.boxhaus.de"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248121; rev:1;)
alert tcp $HOME_NET any -> [45.76.125.214] 50131 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248117; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.brandweeravenhorn.nl"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248118; rev:1;)
alert tcp $HOME_NET any -> [172.94.105.163] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248116; rev:1;)
# Lower-confidence entries (confidence_level 75 and 50) follow. The confidence value is carried
# both in msg and in metadata, so it can be used to route these to alert-only handling rather
# than any automated block action.
alert tcp $HOME_NET any -> [192.210.201.57] 62289 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248115/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248115; rev:1;)
alert tcp $HOME_NET any -> [176.31.196.206] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248114/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248114; rev:1;)
alert tcp $HOME_NET any -> [41.216.182.215] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248113/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248113; rev:1;)
alert tcp $HOME_NET any -> [86.104.194.182] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248112/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248112; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.20] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248111/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248111; rev:1;)
# "Unknown malware" on port 80 / 8888 at 50% confidence: plain destination-IP matches with no
# protocol context; expect these to need the most analyst triage.
alert tcp $HOME_NET any -> [212.57.118.90] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248110; rev:1;)
alert tcp $HOME_NET any -> [77.238.251.130] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248109; rev:1;)
alert tcp $HOME_NET any -> [45.32.62.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248108; rev:1;)
alert tcp $HOME_NET any -> [147.45.71.249] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248107; rev:1;)
alert tcp $HOME_NET any -> [103.161.224.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248106; rev:1;)
alert tcp $HOME_NET any -> [38.6.190.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248105; rev:1;)
alert tcp $HOME_NET any -> [222.112.93.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248104/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248104; rev:1;)
alert tcp $HOME_NET any -> [43.129.190.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248103; rev:1;)
alert tcp $HOME_NET any -> [46.246.4.5] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248102; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.21] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248101/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248101; rev:1;)
# QakBot and Havoc entries on 443/995: TLS ports, so the IP/port tuple is the only signal here.
alert tcp $HOME_NET any -> [38.166.64.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248100/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248100; rev:1;)
alert tcp $HOME_NET any -> [187.213.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248099/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248099; rev:1;)
alert tcp $HOME_NET any -> [41.129.178.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248098/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248098; rev:1;)
alert tcp $HOME_NET any -> [162.33.177.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248097; rev:1;)
alert tcp $HOME_NET any -> [92.116.37.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248096; rev:1;)
alert tcp $HOME_NET any -> [45.140.188.133] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248095/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248095; rev:1;)
alert tcp $HOME_NET any -> [89.116.32.177] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248094/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_22; classtype:trojan-activity; sid:91248094; rev:1;)
alert tcp $HOME_NET any -> [95.164.45.31] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248093/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248093; rev:1;)
# URL-based C2 rule (category "botnet C2 traffic", not "payload delivery"). The Host literal is a
# bare IPv4 address, so the rule only fires when the client sends that IP in the Host header;
# a request to the same server by name would not match this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/imagepythonmulti/uploadsmultisql/packet/1authprovider4/downloadstracklowtest/api/processjavascriptproviderbetter/imageprovider/sqlcentral/processorbasehttptraffic/0_bettertraffic/game/pythonasynccentral2/eternal6async5/pipemultitest.php"; depth:244; nocase; http.host; content:"185.173.36.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248092; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.192] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247782/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247782; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sjdkghsdughpowieugh8932.griefcube.cc"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247783/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247783; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonsecuredefaultcentral.php"; depth:31; nocase; http.host; content:"839860cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248091; rev:1;)
# Cobalt Strike ip:port batch (ioc 1247533-1247555). Note 94.172.154.134 appears on four ports
# (80, 443, 8081, 8082); with track by_src each port is its own rule, so one internal host can
# raise up to four alerts per 60 s for that server.
alert tcp $HOME_NET any -> [107.173.30.114] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247548; rev:1;)
alert tcp $HOME_NET any -> [23.224.196.53] 16271 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247550; rev:1;)
alert tcp $HOME_NET any -> [47.113.227.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247546; rev:1;)
alert tcp $HOME_NET any -> [198.46.226.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247547; rev:1;)
alert tcp $HOME_NET any -> [8.134.249.167] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247543; rev:1;)
alert tcp $HOME_NET any -> [120.55.65.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247544; rev:1;)
alert tcp $HOME_NET any -> [172.245.110.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247545; rev:1;)
alert tcp $HOME_NET any -> [79.132.135.149] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247542; rev:1;)
alert tcp $HOME_NET any -> [94.172.154.134] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247538; rev:1;)
alert tcp $HOME_NET any -> [94.172.154.134] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247541; rev:1;)
alert tcp $HOME_NET any -> [94.172.154.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247539; rev:1;)
alert tcp $HOME_NET any -> [94.172.154.134] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247540; rev:1;)
alert tcp $HOME_NET any -> [20.212.232.53] 30500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247536; rev:1;)
alert tcp $HOME_NET any -> [36.69.72.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247537; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.110] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247533; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.111] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247534; rev:1;)
alert tcp $HOME_NET any -> [89.148.44.245] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247535; rev:1;)
alert tcp $HOME_NET any -> [192.227.249.230] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247549; rev:1;)
alert tcp $HOME_NET any -> [117.50.199.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247551; rev:1;)
alert tcp $HOME_NET any -> [104.234.254.98] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247552; rev:1;)
alert tcp $HOME_NET any -> [154.40.45.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247553; rev:1;)
alert tcp $HOME_NET any -> [23.95.90.77] 11451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247554; rev:1;)
alert tcp $HOME_NET any -> [111.231.71.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247555; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.100] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91247556; rev:1;)
# Same ip:port shape, but the msg category is "payload delivery" rather than "botnet C2 traffic";
# dashboards that key on the msg text should account for both wordings.
alert tcp $HOME_NET any -> [87.251.79.15] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247531; rev:1;)
alert http
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248090/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_22; classtype:trojan-activity; sid:91248090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248089; rev:1;) alert tcp $HOME_NET any -> [173.254.204.77] 8123 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248088; rev:1;) alert tcp $HOME_NET any -> [45.76.232.247] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cm3thejmzhlxpvowsv2dk4ybpovmoaqal7o7gqirhgvj24l4ww7w7zid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91248080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bkc56e3jgy5zlfq7ialxyppztuh4dgranlyauupid4uc2ze5hg2cshqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nwgj3ux4huyfgbrwj5i2uwbxdu2ddd33eqrpq44dwooaoqo4ntmpc6qd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obqdy2u226qjiavs42z4z6zgcf6tefsoxaqzjvohmoy7kafdwgqgjkqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lvyowbbwycqoqwjmpmnpfyhzdcvxthuuabmcsocjamvzfgwzdat5wwid.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vbd3hiruwgcquiwrhpvaxann2ieo3tw3iznqlrp2z6mqyaonh4rswjqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1248085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7sbl4dpbubwjjghdquwg47fyq7rookd4bgm2ypm2kjzkivd7tomvczqd.onion"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jocker02.linkpc.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"best.supportredirect.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gotti.ddnsgeek.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elevenpaths.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248076/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrat.nsupdate.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hureseyd.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"amazonservices.onthewifi.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vslt.info"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"postal-23.ioomoo.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248066; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dopeonlineforwarding.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serverclient.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firewall.publicvm.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfocuz.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns16-microsoft-health.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"onlyforbit.blogdns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pvstub.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atdf.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"godcheatfn.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitratfanboy2-45086.portmap.io"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nig.jalenscoonwog.info"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1248060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hopyboss.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrtdollars.itsaol.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mianoffice221.kozow.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs50.publicvm.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0b1.duckdns.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248052/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91248052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omeno.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hailisbetter.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"felixgodis.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dreamz.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"encrypted-channel.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248049; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"888myrat.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paintedkitty.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imen.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eewe.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"19008198.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"yatzufn.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceop091.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1248043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httptemp.php"; depth:13; nocase; http.host; content:"onedrivepack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1248042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248042; rev:1;) alert tcp $HOME_NET any -> [94.237.49.140] 2222 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248039; rev:1;) alert tcp $HOME_NET any -> [139.28.219.45] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248040; rev:1;) alert tcp $HOME_NET any -> [178.20.40.235] 5555 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248041; rev:1;) alert tcp $HOME_NET any -> [111.90.158.139] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248034; rev:1;) alert tcp $HOME_NET any -> [51.89.205.208] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248035; rev:1;) alert tcp $HOME_NET any -> [194.33.45.3] 4898 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248036; rev:1;) alert tcp $HOME_NET any -> [139.28.219.47] 64576 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248037; rev:1;) alert tcp $HOME_NET any -> [185.140.53.55] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248038; rev:1;) alert tcp $HOME_NET any -> [95.252.122.216] 1900 (msg:"ThreatFox BitRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248027; rev:1;) alert tcp $HOME_NET any -> [27.124.20.145] 8082 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248028; rev:1;) alert tcp $HOME_NET any -> [103.153.182.89] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248029; rev:1;) alert tcp $HOME_NET any -> [204.77.8.221] 5506 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248030; rev:1;) alert tcp $HOME_NET any -> [185.244.36.230] 1240 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248031; rev:1;) alert tcp $HOME_NET any -> [162.33.178.83] 6969 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91248032; rev:1;) alert tcp $HOME_NET any -> [23.105.131.237] 1734 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248033; rev:1;) alert tcp $HOME_NET any -> [173.44.50.140] 4550 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248023; rev:1;) alert tcp $HOME_NET any -> [202.182.106.243] 12341 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248024; rev:1;) alert tcp $HOME_NET any -> [47.75.99.242] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248025; rev:1;) alert tcp $HOME_NET any -> [79.134.225.73] 19099 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248026; rev:1;) alert tcp $HOME_NET any -> [103.153.182.247] 6161 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1248019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248019; rev:1;) alert tcp $HOME_NET any -> [194.5.98.46] 1180 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248020; rev:1;) alert tcp $HOME_NET any -> [109.70.236.80] 53166 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248021; rev:1;) alert tcp $HOME_NET any -> [65.21.3.192] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1248022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"joscramp.top"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rewe-coupouns.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1248017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248017; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"arthurmaes.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"46.29.234.95"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"larsvanderwal.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1248013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.160"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.108.240.151"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.143.1.226"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.159.248.242"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mariles.top"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1248010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.232.223"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.210"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1248005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.8.100"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"79.137.206.15"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.245"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.52.220"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.109.226.91"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1248000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.72"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1248001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.132.208"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1248002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91248002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.145"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1247997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"normanhoffman.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1247998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.27.52.241"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"185.161.248.78"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1247993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"89.105.201.132"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1247994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.240.249"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.86.77.102"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.28.157.3"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1247991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247991; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"91.92.246.192"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"147.45.47.71"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.129"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.20"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"michaeljohnson.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1247985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"publisherget.top"; depth:16; 
nocase; reference:url, threatfox.abuse.ch/ioc/1247986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"23.227.202.68"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"jeffmorales.top"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1247982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.65.61"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.64.6"; depth:9; nocase; reference:url, threatfox.abuse.ch/ioc/1247984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.13.202"; depth:13; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247979; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.98.9.109"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1247980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.42.32.206"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1247981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ser.nrovn.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyesterbill.chickenkiller.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hassan.webhop.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247978/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91247978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sosob9ta.line.pm"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mydogis.onthewifi.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newhost.dyndns.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"volam2.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"interstellar.onthewifi.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247970; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.worldxw.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allay.x3322.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bofa.su"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trbe.mentality.cloud"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asegurarasyncrat.4cloud.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"popo.office-on-the.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mytestdns123.mooo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1hitler.accesscam.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stormx.dynu.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dyndns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yy.webhop.me"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nso1.nsolau.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"milan.giize.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hitler55.dvrdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sis.is-a-blogger.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdofugugja883.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webjava.mywire.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nasser.is-found.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"podejrzanylink.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shailputrimt1.publicvm.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdns.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"28febnde.dynv6.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wandering-field-84417.pktriot.net"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asdugvua37vhax.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-frost-53467.pktriot.net"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aoputer.crabdance.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sis.4cloud.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spiffy-balloon.auto.playit.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"azurecloud-bridge.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alerts.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat2024.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"osso.camdvr.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scrubloader.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"koradon.giize.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webtool.publicvm.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drax2023.run.place"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"999triana999.1cooldns.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"470krlio.shenzhuo.vip"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-shady.cloud"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemback.dns.navy"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aliveafterguard.icu"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bg1.heztak.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaugen.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torenta2.vpndns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-wh-plc-1.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adad3.casacam.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5ra.webredirect.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kapobiko1.mooo.com"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat.loseyourip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rawy.ooguy.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jksdghfsd.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reyfelipeborbon.loseyourip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"love1.loseyourip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247920/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vx2sw7soh8ds5.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roolingstone.sytes.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cartel.theworkpc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekuroak.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggghmn8766vg.hopto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247915; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tanta.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"icant.theworkpc.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hsm.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ech0.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buike.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"win0090.theworkpc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"non.theworkpc.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boty.theworkpc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utorrent.theworkpc.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ancy2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quepasa2024.kozow.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1247903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hoes-truth.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sunday-survivors.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"italy-completed.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"com-bg.gl.at.ply.gg"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mono2024.kozow.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247901/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"budget-whose.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loan-mode.gl.at.ply.gg"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fl-survivor.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copyright-sofa.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"richard-foods.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"movie-responses.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"six-fleece.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trying-shirts.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"patients-councils.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"danielballesterosdominper.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247883; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"should-nutritional.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shoes-truth.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-program.gl.at.ply.gg"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"horse-undertake.gl.at.ply.gg"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contodapug.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247877; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"reverseproxy.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myryam.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptojoke.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rtx.con-ip.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"armandocastillodominio.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aobertoferndomip.con-ip.com"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sebastianmindioladomini.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"davidricardodom.con-ip.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sandraferreirodominiopersonal.con-ip.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vendjksld.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"littlenerd.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mkys.duckdns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jossmaybs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"testdamahe.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momenttoday550.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dohavevictem2024.duckdns.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247866/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subdominiodesub.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rem-new-2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"magarodriajhsdbajifuqwe12341safqdv.duckdns.org"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nagerproxysinintercavi8464perringuta.duckdns.org"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bebefiin.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febvenom8.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"window10.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23preguntas.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestcoder.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cocomelondc.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"selldrugs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mariarizazapata09.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"febrerososte.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tularz.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pooldiaz14.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chichichi01.duckdns.org"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"markvenm2.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diciembre12.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smoney.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mrrxr.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finessebitcoin.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hmnms.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xfreddy2751.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helprxr.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vrnmmondays.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"martingonzalessoto09.duckdns.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247844/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"merthamurc.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"momentdhs.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krallarcarding.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jojomo.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ratdeniyoz7386.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247839; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassgoodmane-46736.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-23089.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loliletnotnoobonf-28917.portmap.host"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wassgoodmane-45751.portmap.host"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-45002.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"404nothere5-52195.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutecat-46661.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-62048.portmap.host"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nezo123-21027.portmap.host"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"swifty123-48281.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"lolzpopbob-31243.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okaa0-60956.portmap.host"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meowpc-33643.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"404nothere5-63469.portmap.io"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcehonline-48303.portmap.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chingyen-23182.portmap.host"; depth:27; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e7team-54210.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-55506.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fearme-62451.portmap.host"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nabeellasdfasdf-52048.portmap.host"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"torbrowser-39837.portmap.host"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1247814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"travisway-41408.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mankemane-47945.portmap.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tobacos.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mznhr.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waytovwmk40.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247811/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kreyze.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a0979283148.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fat7ola0077.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2hitler.ddnsgeek.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"talapain.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"h2mhost123ontop.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ndichinnenanna0110.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rqwonderworld.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spongethug.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spidermanbaba.ddns.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"whiteshadows.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdd4514136100juciywrldl.ddns.net"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w3llsfarg0h0st.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cringelord6969.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"46tochristmas15dec.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rat34.ddns.net"; depth:14; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1247790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"g6666lrd10424346129.ddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eaxhost.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"roscript.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfclog.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1tapfinn.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247787/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_22; classtype:trojan-activity; sid:91247787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t3fakpraf.ddns.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"powellfrank.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yubarats.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkstorm275991.ddns.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247785; rev:1;) alert tcp $HOME_NET any -> [123.99.200.175] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247780; rev:1;) alert tcp $HOME_NET any -> [123.99.200.184] 2140 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247781; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247779; rev:1;) alert tcp $HOME_NET any -> [79.134.225.82] 3004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247778; rev:1;) alert tcp $HOME_NET any -> [113.207.105.200] 3201 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247776; rev:1;) alert tcp $HOME_NET any -> [154.48.237.186] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247777; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247774/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247774; rev:1;) alert tcp $HOME_NET any -> [154.91.65.153] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247775; rev:1;) alert tcp $HOME_NET any -> [212.129.30.248] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247772; rev:1;) alert tcp $HOME_NET any -> [47.94.3.159] 4455 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247773; rev:1;) alert tcp $HOME_NET any -> [47.94.3.159] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247770; rev:1;) alert tcp $HOME_NET any -> [79.134.225.35] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247771; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247768; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247769; rev:1;) alert tcp $HOME_NET any -> [38.54.1.41] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247766; rev:1;) alert tcp $HOME_NET any -> [20.69.96.235] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247767; rev:1;) alert tcp $HOME_NET any -> [79.134.225.49] 1984 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247765; rev:1;) alert tcp $HOME_NET any -> [91.92.246.52] 4789 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247763; rev:1;) alert tcp $HOME_NET any -> [81.249.25.228] 
1605 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247764; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247762; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247761; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 18068 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247759; rev:1;) alert tcp $HOME_NET any -> [192.177.111.46] 18200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247760; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 5228 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247758/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247758; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247757; rev:1;) alert tcp $HOME_NET any -> [45.94.31.248] 4447 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247756; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247755; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247754; rev:1;) alert tcp $HOME_NET any -> [113.207.105.241] 9803 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247752; rev:1;) alert tcp $HOME_NET any -> [154.221.22.54] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247753; rev:1;) alert tcp $HOME_NET any -> [52.59.51.24] 1932 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247751; rev:1;) alert tcp $HOME_NET any -> [103.74.172.94] 40288 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247750; rev:1;) alert tcp $HOME_NET any -> [45.131.111.98] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247749; rev:1;) alert tcp $HOME_NET any -> [185.234.247.30] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247747; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247748; rev:1;) alert tcp $HOME_NET 
any -> [147.185.221.18] 43941 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247745; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247746; rev:1;) alert tcp $HOME_NET any -> [93.190.10.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247744; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 64023 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247743; rev:1;) alert tcp $HOME_NET any -> [43.240.221.130] 9833 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247742; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247741/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247741; rev:1;) alert tcp $HOME_NET any -> [113.207.105.229] 7302 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247740; rev:1;) alert tcp $HOME_NET any -> [124.166.95.10] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247738; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247739; rev:1;) alert tcp $HOME_NET any -> [185.157.162.206] 2191 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247737; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247735; rev:1;) alert tcp $HOME_NET any -> [113.207.105.195] 15806 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247736; rev:1;) alert tcp $HOME_NET any -> [45.141.215.32] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247733; rev:1;) alert tcp $HOME_NET any -> [157.90.112.255] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247734; rev:1;) alert tcp $HOME_NET any -> [123.99.200.158] 7223 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247732; rev:1;) alert tcp $HOME_NET any -> [24.50.117.82] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247730; rev:1;) alert tcp $HOME_NET any -> [46.36.67.36] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247731; rev:1;) 
alert tcp $HOME_NET any -> [91.92.254.14] 58004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247728; rev:1;) alert tcp $HOME_NET any -> [45.76.155.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247729; rev:1;) alert tcp $HOME_NET any -> [45.145.224.55] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247727; rev:1;) alert tcp $HOME_NET any -> [86.153.66.129] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247726; rev:1;) alert tcp $HOME_NET any -> [124.248.66.160] 6422 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247725; rev:1;) alert tcp $HOME_NET any -> [91.134.150.150] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247723/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247723; rev:1;) alert tcp $HOME_NET any -> [78.186.152.249] 1938 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247724; rev:1;) alert tcp $HOME_NET any -> [95.164.3.135] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247722; rev:1;) alert tcp $HOME_NET any -> [13.66.221.58] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247720; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247721; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247719; rev:1;) alert tcp $HOME_NET any -> [194.33.191.245] 2405 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247718; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247717; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247715; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247716; rev:1;) alert tcp $HOME_NET any -> [76.70.94.161] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247714; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247713; 
rev:1;) alert tcp $HOME_NET any -> [134.19.177.59] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247712; rev:1;) alert tcp $HOME_NET any -> [40.66.40.50] 4173 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247711; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247710; rev:1;) alert tcp $HOME_NET any -> [90.8.19.214] 7006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247709; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247708; rev:1;) alert tcp $HOME_NET any -> [217.64.31.3] 4871 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247707/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247707; rev:1;) alert tcp $HOME_NET any -> [192.177.111.46] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247706; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247705; rev:1;) alert tcp $HOME_NET any -> [8.140.33.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247704; rev:1;) alert tcp $HOME_NET any -> [26.199.97.56] 13377 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247703; rev:1;) alert tcp $HOME_NET any -> [5.9.194.71] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247702; rev:1;) alert tcp $HOME_NET any -> [79.134.225.35] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247701; rev:1;) alert tcp $HOME_NET any -> [45.76.155.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247700; rev:1;) alert tcp $HOME_NET any -> [123.99.200.157] 2802 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247699; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4839 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247698; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247696; rev:1;) alert tcp $HOME_NET any -> [154.91.65.150] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247697; 
rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247693; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 4291 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247694; rev:1;) alert tcp $HOME_NET any -> [144.208.127.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247695; rev:1;) alert tcp $HOME_NET any -> [43.248.140.94] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247692; rev:1;) alert tcp $HOME_NET any -> [46.36.67.36] 51566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247690; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247691; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247689; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 49207 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247687; rev:1;) alert tcp $HOME_NET any -> [91.134.150.149] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247688; rev:1;) alert tcp $HOME_NET any -> [45.145.229.150] 9605 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247686; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 38795 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247684; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 4444 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247685; rev:1;) alert tcp $HOME_NET any -> [91.92.250.147] 5038 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247682; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247683; rev:1;) alert tcp $HOME_NET any -> [109.205.162.97] 4739 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247679; rev:1;) alert tcp $HOME_NET any -> [213.32.243.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247680; rev:1;) alert tcp $HOME_NET any -> [66.154.122.230] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247681; rev:1;) alert tcp $HOME_NET any -> [31.210.20.231] 200 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247677; rev:1;) alert tcp $HOME_NET any -> [217.64.31.3] 3819 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247678; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 18840 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247674; rev:1;) alert tcp $HOME_NET any -> [45.15.143.164] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247675; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247676; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 63770 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247672; rev:1;) alert tcp $HOME_NET any -> [2.58.56.152] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247673; rev:1;) alert tcp $HOME_NET any -> [141.95.84.40] 6262 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247670; rev:1;) alert tcp $HOME_NET any -> [193.222.96.253] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247671; rev:1;) alert tcp $HOME_NET any -> [153.36.240.58] 15095 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247668; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 50732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247669; rev:1;) alert tcp $HOME_NET any -> [76.70.94.161] 4449 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247665; rev:1;) alert tcp $HOME_NET any -> [117.18.12.59] 8880 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247666; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247667; rev:1;) alert tcp $HOME_NET any -> [38.165.8.185] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247663; rev:1;) alert tcp $HOME_NET any -> [113.207.105.200] 8301 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247664; rev:1;) alert tcp $HOME_NET any -> [192.161.193.99] 5058 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247661/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247661; rev:1;) alert tcp $HOME_NET any -> [86.20.95.188] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247662; rev:1;) alert tcp $HOME_NET any -> [113.207.105.224] 16804 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247659; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 42474 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247660; rev:1;) alert tcp $HOME_NET any -> [80.48.119.72] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247657; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247658; rev:1;) alert tcp $HOME_NET any -> [120.46.33.65] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247655; rev:1;) alert tcp $HOME_NET any -> [109.248.201.153] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247656; rev:1;) alert tcp $HOME_NET any -> [182.254.221.150] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247653; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247654; rev:1;) alert tcp $HOME_NET any -> [178.20.230.68] 4784 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247652; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247651; rev:1;) alert tcp $HOME_NET any -> 
[193.161.193.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247649; rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247650; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247647; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 33732 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247648; rev:1;) alert tcp $HOME_NET any -> [31.214.240.57] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247645; rev:1;) alert tcp $HOME_NET any -> [45.138.99.2] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247646/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247646; rev:1;) alert tcp $HOME_NET any -> [74.81.52.179] 33643 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247643; rev:1;) alert tcp $HOME_NET any -> [47.104.236.243] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247644; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247641; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 5753 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247642; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247639; rev:1;) alert tcp $HOME_NET any -> [146.70.129.19] 38371 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247640; rev:1;) alert tcp $HOME_NET any -> [163.5.215.225] 1602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247638; rev:1;) alert tcp $HOME_NET any -> [39.103.129.63] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247637; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247634; rev:1;) alert tcp $HOME_NET any -> [43.248.140.96] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247635; rev:1;) alert tcp $HOME_NET any -> [124.248.69.96] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247636; rev:1;) alert 
tcp $HOME_NET any -> [45.76.155.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247633; rev:1;) alert tcp $HOME_NET any -> [64.56.68.144] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247631; rev:1;) alert tcp $HOME_NET any -> [198.44.165.35] 5602 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247632; rev:1;) alert tcp $HOME_NET any -> [195.213.0.34] 2008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247629; rev:1;) alert tcp $HOME_NET any -> [37.114.41.142] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247630; rev:1;) alert tcp $HOME_NET any -> [154.204.60.74] 6610 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247627/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247627; rev:1;) alert tcp $HOME_NET any -> [45.128.36.146] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247628; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247625; rev:1;) alert tcp $HOME_NET any -> [86.20.95.188] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247626; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35708 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247622; rev:1;) alert tcp $HOME_NET any -> [45.145.229.147] 9606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247623; rev:1;) alert tcp $HOME_NET any -> [78.187.224.170] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247624; rev:1;) alert tcp $HOME_NET any -> [136.244.89.250] 3131 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247620; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 13997 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247621; rev:1;) alert tcp $HOME_NET any -> [50.29.244.5] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247618; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 7771 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247619; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; 
sid:91247617; rev:1;) alert tcp $HOME_NET any -> [61.14.233.111] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247615; rev:1;) alert tcp $HOME_NET any -> [185.253.161.186] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247616; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247612; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 48347 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247613; rev:1;) alert tcp $HOME_NET any -> [91.92.247.161] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247614; rev:1;) alert tcp $HOME_NET any -> [146.56.230.174] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247610; rev:1;) alert tcp $HOME_NET any -> [109.205.162.97] 8361 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247611; rev:1;) alert tcp $HOME_NET any -> [198.44.167.215] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247607; rev:1;) alert tcp $HOME_NET any -> [91.92.247.123] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247608; rev:1;) alert tcp $HOME_NET any -> [149.127.237.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247609; rev:1;) alert tcp $HOME_NET any -> [198.44.167.139] 41352 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247606; rev:1;) alert tcp $HOME_NET any -> [15.237.210.97] 4444 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247604; rev:1;) alert tcp $HOME_NET any -> [43.251.17.199] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247605; rev:1;) alert tcp $HOME_NET any -> [159.146.14.122] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247602; rev:1;) alert tcp $HOME_NET any -> [91.92.247.96] 5531 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247603; rev:1;) alert tcp $HOME_NET any -> [45.145.229.148] 9604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247600; rev:1;) alert tcp $HOME_NET any -> [38.147.172.98] 6307 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; 
classtype:trojan-activity; sid:91247601; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 4404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247598; rev:1;) alert tcp $HOME_NET any -> [23.105.131.217] 83 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247599; rev:1;) alert tcp $HOME_NET any -> [47.104.179.7] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247596; rev:1;) alert tcp $HOME_NET any -> [141.94.223.150] 6677 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247597; rev:1;) alert tcp $HOME_NET any -> [154.39.238.95] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247594; rev:1;) alert tcp $HOME_NET any -> [193.222.96.47] 4462 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1247595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247595; rev:1;) alert tcp $HOME_NET any -> [153.36.240.58] 15092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247592; rev:1;) alert tcp $HOME_NET any -> [193.222.96.47] 9471 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247593; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56236 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247590; rev:1;) alert tcp $HOME_NET any -> [79.134.225.21] 8646 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247591; rev:1;) alert tcp $HOME_NET any -> [64.44.167.67] 6900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247589; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 11800 (msg:"ThreatFox 
AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247588; rev:1;) alert tcp $HOME_NET any -> [139.99.86.164] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247586; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 41437 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247587; rev:1;) alert tcp $HOME_NET any -> [193.233.132.186] 5505 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247585; rev:1;) alert tcp $HOME_NET any -> [96.9.215.146] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247584; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247581/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_22; classtype:trojan-activity; sid:91247581; rev:1;) alert tcp $HOME_NET any -> [13.66.133.43] 6821 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247582; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 1989 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247583; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 4431 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247579; rev:1;) alert tcp $HOME_NET any -> [45.80.158.48] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247580; rev:1;) alert tcp $HOME_NET any -> [119.42.170.7] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247576; rev:1;) alert tcp $HOME_NET any -> [103.48.85.6] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1247577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247577; rev:1;) alert tcp $HOME_NET any -> [124.166.95.10] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247578; rev:1;) alert tcp $HOME_NET any -> [146.56.230.174] 1720 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247574; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 6080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247575; rev:1;) alert tcp $HOME_NET any -> [20.98.80.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247572; rev:1;) alert tcp $HOME_NET any -> [179.127.14.82] 29000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247573; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 38795 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247570; rev:1;) alert tcp $HOME_NET any -> [113.128.118.199] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247571; rev:1;) alert tcp $HOME_NET any -> [103.74.172.94] 4499 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247568; rev:1;) alert tcp $HOME_NET any -> [144.208.127.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247569; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247566; rev:1;) alert tcp $HOME_NET any -> [40.66.40.50] 6214 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247567/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247567; rev:1;) alert tcp $HOME_NET any -> [147.185.221.184] 41092 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247565; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 42475 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247563; rev:1;) alert tcp $HOME_NET any -> [198.44.167.231] 57321 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247564; rev:1;) alert tcp $HOME_NET any -> [121.62.63.238] 8848 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247561; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247562; rev:1;) alert tcp $HOME_NET any -> [13.36.174.17] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247559; rev:1;) alert tcp $HOME_NET any -> [176.150.69.221] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247560; rev:1;) alert tcp $HOME_NET any -> [85.105.88.221] 6935 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247558; rev:1;) alert tcp $HOME_NET any -> [142.202.242.170] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_22; classtype:trojan-activity; sid:91247557; rev:1;) alert tcp $HOME_NET any -> [179.14.8.182] 2009 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247532; rev:1;) alert tcp $HOME_NET any -> [193.233.132.5] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247530; rev:1;) alert tcp $HOME_NET any -> 
[8.219.183.36] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_21; classtype:trojan-activity; sid:91247529; rev:1;) alert tcp $HOME_NET any -> [120.78.4.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"120.78.4.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"pipingpotcurry.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"conoleforcongress.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/xmlrpc.php"; depth:16; nocase; http.host; content:"www.bourse-du-travail.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"atlanticyachtandship.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"ngajiyok.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"zarinbano.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"netmag.pk"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"www.diereisedeineslebens.de"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; content:"palaiofaliro.gr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xmlrpc.php"; depth:11; nocase; http.host; 
content:"livingshorespa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247524; rev:1;) alert tcp $HOME_NET any -> [91.92.241.71] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247525; rev:1;) alert tcp $HOME_NET any -> [170.64.183.151] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247514; rev:1;) alert tcp $HOME_NET any -> [20.163.75.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247513/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247513; rev:1;) alert tcp $HOME_NET any -> [101.35.198.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247512; rev:1;) alert tcp $HOME_NET any -> [202.161.85.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247511/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247511; 
rev:1;) alert tcp $HOME_NET any -> [46.17.107.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247510/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247510; rev:1;) alert tcp $HOME_NET any -> [38.47.101.176] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247509/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247509; rev:1;) alert tcp $HOME_NET any -> [97.154.242.206] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247508/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"meridianresourcellc.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247506; rev:1;) alert tcp $HOME_NET any -> [185.194.140.225] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247507/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247507; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247504; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247503; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247502; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18335 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storyernes.cur"; depth:15; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmgbvtlwqy81.bin"; depth:17; nocase; http.host; content:"147.78.103.250"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1247500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"106.55.102.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247495; rev:1;) alert tcp $HOME_NET any -> 
[94.158.247.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.kogyoung.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247492; rev:1;) alert tcp $HOME_NET any -> [154.90.63.215] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns9.bpibank.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns8.bpibank.org"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lokolojazz.club"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"casiworksplcs.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"2.56.215.211"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"javiermar2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"olssqh34.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knueoh22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kypersau25.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lysmer21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morluw04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"jenb128hiuedfhajduihfa.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247487; rev:1;) alert tcp $HOME_NET any -> [95.217.240.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247485; rev:1;) alert tcp $HOME_NET any -> [49.13.33.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.8"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247483; rev:1;) alert tcp $HOME_NET any -> [78.47.223.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"95.217.240.145"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.223.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ct39024.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.222.97.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247470/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_21; classtype:trojan-activity; sid:91247470; rev:1;) alert tcp $HOME_NET any -> [103.47.82.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"103.47.82.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247468; rev:1;) alert tcp $HOME_NET any -> [213.109.202.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"213.109.202.227"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1247465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"154.92.18.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247463; rev:1;) alert tcp $HOME_NET any -> [154.92.18.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"120.46.130.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"94.156.67.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247461; rev:1;) alert tcp $HOME_NET any -> [45.86.86.217] 4444 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247460; rev:1;) alert tcp $HOME_NET any -> [159.253.120.118] 1111 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247459; rev:1;) alert tcp $HOME_NET any -> [154.31.183.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247354; rev:1;) alert tcp $HOME_NET any -> [154.31.183.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247355; rev:1;) alert tcp $HOME_NET any -> [154.31.176.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247352; rev:1;) alert tcp $HOME_NET any -> [154.31.176.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; 
sid:91247353; rev:1;) alert tcp $HOME_NET any -> [154.31.183.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247350; rev:1;) alert tcp $HOME_NET any -> [154.31.183.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247351; rev:1;) alert tcp $HOME_NET any -> [154.31.183.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247347; rev:1;) alert tcp $HOME_NET any -> [154.31.178.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247348; rev:1;) alert tcp $HOME_NET any -> [154.31.178.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247349; rev:1;) alert tcp $HOME_NET any -> [154.31.179.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1247344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247344; rev:1;) alert tcp $HOME_NET any -> [154.31.179.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247345; rev:1;) alert tcp $HOME_NET any -> [154.31.181.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247343; rev:1;) alert tcp $HOME_NET any -> [154.31.183.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247346; rev:1;) alert tcp $HOME_NET any -> [154.31.180.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247340; rev:1;) alert tcp $HOME_NET any -> [154.31.180.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247341; rev:1;) alert tcp $HOME_NET any -> 
[154.31.181.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247342; rev:1;) alert tcp $HOME_NET any -> [154.31.181.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247333; rev:1;) alert tcp $HOME_NET any -> [154.31.181.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247338; rev:1;) alert tcp $HOME_NET any -> [154.31.181.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247339; rev:1;) alert tcp $HOME_NET any -> [154.31.180.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247330; rev:1;) alert tcp $HOME_NET any -> [154.31.177.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247334; rev:1;) alert tcp $HOME_NET any -> [154.31.177.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247335; rev:1;) alert tcp $HOME_NET any -> [154.31.177.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247336; rev:1;) alert tcp $HOME_NET any -> [154.31.177.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247337; rev:1;) alert tcp $HOME_NET any -> [154.31.181.172] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247332; rev:1;) alert tcp $HOME_NET any -> [154.31.182.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247329; rev:1;) alert tcp $HOME_NET any -> [154.31.180.187] 4569 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247331; rev:1;) alert tcp $HOME_NET any -> [154.31.182.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247328; rev:1;) alert tcp $HOME_NET any -> [154.31.177.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247356; rev:1;) alert tcp $HOME_NET any -> [154.31.177.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247357; rev:1;) alert tcp $HOME_NET any -> [154.31.178.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247358; rev:1;) alert tcp $HOME_NET any -> [154.31.177.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247359/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247359; rev:1;) alert tcp $HOME_NET any -> [154.31.177.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247360; rev:1;) alert tcp $HOME_NET any -> [154.31.182.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247361; rev:1;) alert tcp $HOME_NET any -> [154.31.182.181] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247362; rev:1;) alert tcp $HOME_NET any -> [154.31.176.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247363; rev:1;) alert tcp $HOME_NET any -> [154.31.176.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247364; rev:1;) alert tcp $HOME_NET any -> [154.31.180.164] 4444 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247365; rev:1;) alert tcp $HOME_NET any -> [154.31.180.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247366; rev:1;) alert tcp $HOME_NET any -> [154.31.181.162] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247367; rev:1;) alert tcp $HOME_NET any -> [154.31.181.162] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247368; rev:1;) alert tcp $HOME_NET any -> [154.31.179.175] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247369; rev:1;) alert tcp $HOME_NET any -> [154.31.179.175] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247370/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_21; classtype:trojan-activity; sid:91247370; rev:1;) alert tcp $HOME_NET any -> [154.31.181.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247372; rev:1;) alert tcp $HOME_NET any -> [154.31.181.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247373; rev:1;) alert tcp $HOME_NET any -> [154.31.181.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247371; rev:1;) alert tcp $HOME_NET any -> [154.31.181.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247375; rev:1;) alert tcp $HOME_NET any -> [154.31.181.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247374; rev:1;) alert tcp $HOME_NET any -> [154.31.179.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247376; rev:1;) alert tcp $HOME_NET any -> [154.31.179.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247377; rev:1;) alert tcp $HOME_NET any -> [154.31.176.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247378; rev:1;) alert tcp $HOME_NET any -> [154.31.176.169] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247379; rev:1;) alert tcp $HOME_NET any -> [154.31.181.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247380; rev:1;) alert tcp $HOME_NET any -> [154.31.181.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247381; rev:1;) alert tcp $HOME_NET any -> [154.31.177.173] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247382; rev:1;) alert tcp $HOME_NET any -> [154.31.177.173] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247383; rev:1;) alert tcp $HOME_NET any -> [154.31.178.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247384; rev:1;) alert tcp $HOME_NET any -> [154.31.178.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247385; rev:1;) alert tcp $HOME_NET any -> [154.31.183.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247386; rev:1;) alert tcp $HOME_NET any -> [154.31.183.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247387; rev:1;) alert tcp $HOME_NET any -> [154.31.182.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247388; rev:1;) alert tcp $HOME_NET any -> [154.31.182.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247389; rev:1;) alert tcp $HOME_NET any -> [154.31.179.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247390; rev:1;) alert tcp $HOME_NET any -> [154.31.179.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247391; rev:1;) alert tcp $HOME_NET any -> [154.31.181.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247392; 
rev:1;) alert tcp $HOME_NET any -> [154.31.181.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247393; rev:1;) alert tcp $HOME_NET any -> [154.31.182.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247394; rev:1;) alert tcp $HOME_NET any -> [154.31.182.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247395; rev:1;) alert tcp $HOME_NET any -> [154.31.176.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247396; rev:1;) alert tcp $HOME_NET any -> [154.31.176.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247397; rev:1;) alert tcp $HOME_NET any -> [154.31.176.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247398; rev:1;) alert tcp $HOME_NET any -> [154.31.176.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247399; rev:1;) alert tcp $HOME_NET any -> [154.31.183.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247400; rev:1;) alert tcp $HOME_NET any -> [154.31.183.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247401; rev:1;) alert tcp $HOME_NET any -> [154.31.178.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247402; rev:1;) alert tcp $HOME_NET any -> [154.31.178.163] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247403; rev:1;) alert tcp $HOME_NET any -> 
[154.31.182.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247404; rev:1;) alert tcp $HOME_NET any -> [154.31.182.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247405; rev:1;) alert tcp $HOME_NET any -> [154.31.183.183] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247407; rev:1;) alert tcp $HOME_NET any -> [154.31.179.172] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247408; rev:1;) alert tcp $HOME_NET any -> [154.31.178.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247327; rev:1;) alert tcp $HOME_NET any -> [154.31.176.165] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247325; rev:1;) alert tcp $HOME_NET any -> [154.31.178.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247326; rev:1;) alert tcp $HOME_NET any -> [154.31.181.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247322; rev:1;) alert tcp $HOME_NET any -> [154.31.181.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247323; rev:1;) alert tcp $HOME_NET any -> [154.31.176.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247324; rev:1;) alert tcp $HOME_NET any -> [154.31.176.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247318; rev:1;) alert tcp $HOME_NET any -> [154.31.176.179] 4444 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247317; rev:1;) alert tcp $HOME_NET any -> [154.31.177.176] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247314/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247314; rev:1;) alert tcp $HOME_NET any -> [154.31.178.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247315; rev:1;) alert tcp $HOME_NET any -> [154.31.178.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247316/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247316; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247311/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247311; rev:1;) alert tcp $HOME_NET any -> [154.31.177.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247312/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247312; rev:1;) alert tcp $HOME_NET any -> [154.31.177.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247313; rev:1;) alert tcp $HOME_NET any -> [154.31.182.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247310; rev:1;) alert tcp $HOME_NET any -> [95.216.85.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247291; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247309; rev:1;) alert tcp $HOME_NET any -> [149.104.26.184] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247308; rev:1;) alert tcp $HOME_NET any -> [54.39.29.90] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247290; rev:1;) alert tcp $HOME_NET any -> [141.105.130.87] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247289; rev:1;) alert tcp $HOME_NET any -> [154.31.183.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247406; rev:1;) alert tcp $HOME_NET any -> [154.31.179.172] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247409; rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247410; rev:1;) alert tcp $HOME_NET any -> [154.31.183.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; 
classtype:trojan-activity; sid:91247411; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247413; rev:1;) alert tcp $HOME_NET any -> [154.31.182.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247412; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247417; rev:1;) alert tcp $HOME_NET any -> [154.31.179.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247416; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247415; rev:1;) alert tcp $HOME_NET any -> [154.31.177.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247414; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247418; rev:1;) alert tcp $HOME_NET any -> [154.31.179.167] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247419; rev:1;) alert tcp $HOME_NET any -> [154.31.179.189] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247420; rev:1;) alert tcp $HOME_NET any -> [154.31.179.189] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247421; rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247423; 
rev:1;) alert tcp $HOME_NET any -> [154.31.183.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247422; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247424; rev:1;) alert tcp $HOME_NET any -> [154.31.181.178] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247425; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247426; rev:1;) alert tcp $HOME_NET any -> [154.31.179.190] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247427; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247428; rev:1;) alert tcp $HOME_NET any -> [154.31.177.185] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247429; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247430; rev:1;) alert tcp $HOME_NET any -> [154.31.177.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247431; rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247432; rev:1;) alert tcp $HOME_NET any -> [154.31.178.170] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247433; rev:1;) alert tcp $HOME_NET any -> 
[154.31.182.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247434; rev:1;) alert tcp $HOME_NET any -> [154.31.182.188] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247435; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247436; rev:1;) alert tcp $HOME_NET any -> [154.31.178.166] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247437; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247438; rev:1;) alert tcp $HOME_NET any -> [154.31.183.186] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1247439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247439; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247440; rev:1;) alert tcp $HOME_NET any -> [154.31.176.164] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247441; rev:1;) alert tcp $HOME_NET any -> [154.31.183.179] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247442; rev:1;) alert tcp $HOME_NET any -> [154.31.183.179] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247443; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247444; rev:1;) alert tcp $HOME_NET any -> [154.31.182.176] 4569 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247445; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247446; rev:1;) alert tcp $HOME_NET any -> [154.31.177.187] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247447; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247448; rev:1;) alert tcp $HOME_NET any -> [154.31.176.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247449; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247450/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247450; rev:1;) alert tcp $HOME_NET any -> [154.31.178.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247451; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247452; rev:1;) alert tcp $HOME_NET any -> [154.31.182.180] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247453; rev:1;) alert tcp $HOME_NET any -> [154.31.182.184] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247454; rev:1;) alert tcp $HOME_NET any -> [154.31.182.184] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247455; rev:1;) alert tcp $HOME_NET any -> [154.31.182.171] 4444 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247456; rev:1;) alert tcp $HOME_NET any -> [154.31.182.171] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"alltorq-net.oncallservices.ca"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247458; rev:1;) alert tcp $HOME_NET any -> [124.222.97.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; 
http.host; content:"service-cedqvyh7-1322145958.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"116.205.189.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247304/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_21; classtype:trojan-activity; sid:91247304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.117.93.65"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"bb.makkgg.fyi"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1247295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247294; rev:1;) alert tcp $HOME_NET any -> [103.78.0.39] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevmlineprocessorservertrackdle.php"; depth:46; nocase; http.host; content:"042506cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0932103.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247288; rev:1;) alert tcp $HOME_NET any -> [91.92.245.110] 8082 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"91.92.247.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247287; rev:1;) alert tcp $HOME_NET any -> [154.31.180.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247276; rev:1;) alert tcp $HOME_NET any -> [154.31.180.177] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247277/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247277; rev:1;) alert tcp $HOME_NET any -> [193.124.205.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247285; rev:1;) alert tcp $HOME_NET any -> [45.128.96.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247284; rev:1;) alert tcp $HOME_NET any -> [170.64.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247283; rev:1;) alert tcp $HOME_NET any -> [46.246.82.24] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247282; rev:1;) alert tcp $HOME_NET any -> [70.31.125.20] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247281/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247281; rev:1;) alert tcp $HOME_NET any -> [72.27.97.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247280/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247280; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247279; rev:1;) alert tcp $HOME_NET any -> [31.42.186.231] 443 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_21; classtype:trojan-activity; sid:91247278; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247275; rev:1;) alert tcp $HOME_NET any -> [154.31.178.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247274; rev:1;) alert tcp $HOME_NET any -> [121.5.220.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247270; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247272; rev:1;) alert tcp $HOME_NET any -> [47.109.148.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247271/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247271; rev:1;) alert tcp $HOME_NET any -> [159.89.168.138] 52293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247273; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247268; rev:1;) alert tcp $HOME_NET any -> [39.100.93.48] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gtldgtld.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"softupdate.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"tfirstdaily.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-dev.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data-dev.helpkaspersky.top"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"happy.gitweb.cloudns.nz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.helpkaspersky.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.microsoft-setting.com"; depth:28; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.windows.server-microsoft.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247157/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.security-microsoft.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"update.centos-yum.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247155/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247155; rev:1;) alert tcp $HOME_NET any -> [186.112.193.255] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247132; rev:1;) alert tcp $HOME_NET any -> [181.131.216.198] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247133/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247133; rev:1;) alert tcp $HOME_NET any -> [186.112.203.192] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247134; rev:1;) alert tcp $HOME_NET any -> [168.119.211.236] 115 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247135; rev:1;) alert tcp $HOME_NET any -> [85.215.196.156] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247136; rev:1;) alert tcp $HOME_NET any -> [152.70.163.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzlimme4mwuxnti0/"; depth:18; nocase; http.host; content:"213.109.202.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247144; rev:1;) alert tcp $HOME_NET any -> 
[161.132.38.47] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247151; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247150; rev:1;) alert tcp $HOME_NET any -> [154.31.179.182] 4569 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247152/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247152; rev:1;) alert tcp $HOME_NET any -> [66.42.54.125] 56250 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_21; classtype:trojan-activity; sid:91247153; rev:1;) alert tcp $HOME_NET any -> [23.94.159.198] 8055 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/document/five/fre.php"; depth:22; nocase; http.host; 
content:"meridianresourcellc.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/project/five/fre.php"; depth:21; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247147; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_21; classtype:trojan-activity; sid:91247145; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247143; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247142; rev:1;) alert tcp $HOME_NET any -> [101.99.92.169] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247141; rev:1;) alert tcp $HOME_NET any -> [193.233.132.11] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247140; rev:1;) alert tcp $HOME_NET any -> [193.233.132.59] 80 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247139; rev:1;) alert tcp $HOME_NET any -> [37.110.19.55] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247138; rev:1;) alert tcp $HOME_NET any -> [194.33.191.3] 7391 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247131; rev:1;) alert tcp $HOME_NET any -> 
[128.199.71.62] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247121; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247119; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247120; rev:1;) alert tcp $HOME_NET any -> [94.156.69.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247105; rev:1;) alert tcp $HOME_NET any -> [88.179.240.135] 49158 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247118; rev:1;) alert tcp $HOME_NET any -> [94.156.67.106] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247103/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.68] 29093 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247104; rev:1;) alert tcp $HOME_NET any -> [193.222.96.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247102; rev:1;) alert tcp $HOME_NET any -> [5.255.108.187] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247098/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247098; rev:1;) alert tcp $HOME_NET any -> [176.123.1.221] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247100/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247100; rev:1;) alert tcp $HOME_NET any -> [104.129.21.231] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247099/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247099; rev:1;) alert tcp $HOME_NET any -> [193.168.141.153] 443 
(msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247101/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_20; classtype:trojan-activity; sid:91247101; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"ns.b1ing.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91247127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247125; rev:1;) alert tcp $HOME_NET any -> [164.92.174.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"164.92.174.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247123; rev:1;) alert tcp $HOME_NET any -> [65.21.119.55] 45110 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1247122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247122; rev:1;) alert tcp $HOME_NET any -> [121.36.105.186] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247117/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247117; rev:1;) alert tcp $HOME_NET any -> [38.59.124.61] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247116/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247116; rev:1;) alert tcp $HOME_NET any -> [46.246.12.4] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247115/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247115; rev:1;) alert tcp $HOME_NET any -> [78.178.72.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247114/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247114; rev:1;) alert tcp $HOME_NET any -> [5.163.180.48] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247113/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247113; rev:1;) alert tcp $HOME_NET any -> [92.251.173.191] 995 (msg:"ThreatFox QakBot botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247112/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247112; rev:1;) alert tcp $HOME_NET any -> [91.254.253.44] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247111/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247111; rev:1;) alert tcp $HOME_NET any -> [97.118.56.247] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247110/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247110; rev:1;) alert tcp $HOME_NET any -> [188.170.152.11] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247109/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247109; rev:1;) alert tcp $HOME_NET any -> [103.81.38.242] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247108; rev:1;) alert tcp $HOME_NET any -> [172.172.152.168] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; 
sid:91247107; rev:1;) alert tcp $HOME_NET any -> [95.183.54.20] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247106/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91247106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247092; rev:1;) alert tcp $HOME_NET any -> [109.120.184.220] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/34uo7s.php"; depth:46; nocase; http.host; 
content:"www.alabamacarhorns.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c9wfar.php"; depth:46; nocase; http.host; content:"alternativetracks.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/t51kkf.php"; depth:47; nocase; http.host; content:"13300.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyten/b9un4f.php"; depth:39; nocase; http.host; content:"www.amysinger.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/pam8oa.php"; depth:45; nocase; http.host; 
content:"lurdyvanafernandesmkd.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247089; rev:1;)
#
# Reviewer notes on this run of feed-generated rules (one rule per line).
#
# - sid is "9" followed by the ThreatFox IOC id carried in reference:url, so an
#   alert on sid:91247090 pivots straight to threatfox.abuse.ch/ioc/1247090/.
#   rev:1 throughout; the IOC's first_seen date is in metadata.
# - target:src_ip labels the $HOME_NET side as the victim in the alert record.
# - Every rule is "alert", never "drop": loaded into an IPS these log only.
#
# Three rule shapes appear below:
#
#  ip:port  -> plain "alert tcp" header match with no flow: keyword, so any
#              packet from $HOME_NET toward the listed IP:port fires it (a lone
#              SYN from a scanner is enough). "threshold: type limit, track
#              by_src, seconds 60, count 1" caps output at one alert per
#              internal source per minute; it does not add any content check.
#  domain   -> dns_query sticky buffer; depth:N anchors the name at the start
#              of the buffer and isdataat:!1,relative requires it to end there,
#              so only a lookup for exactly that name matches (www.<name> or
#              any other subdomain does not).
#  url      -> http.host is pinned with depth + isdataat:!1,relative (exact
#              host), but http.uri uses depth alone, so the path is a PREFIX
#              match: "/cx" also matches "/cx?id=1", and "/" matches every GET
#              to that host. The host is therefore the real discriminator.
#
# NOTE(review): host is a domain with a .php file under a stock WordPress theme
# path; this looks like a compromised legitimate site rather than attacker
# infrastructure - confirm before blocking the whole host at a proxy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/n2gd2t.php"; depth:45; nocase; http.host; content:"www.yukon.de"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247090; rev:1;)
# RisePro: five hosts in 193.233.132.0/24, all on 8081.
alert tcp $HOME_NET any -> [193.233.132.5] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247080; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247081; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.59] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247082; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.71] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247083; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.173] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247084; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.18] 3100 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247078/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247078; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"luisro2158.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247079; rev:1;)
# The two skimming domains are the only entries here with classtype:bad-unknown
# (not trojan-activity); filter on classtype accordingly if you route by it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"treimob.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247075/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247075; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 50%)"; dns_query; content:"hopefor.space"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247074/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:bad-unknown; sid:91247074; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"gamerforyou.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247065/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247065; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sky-beta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247064/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247064; rev:1;)
alert tcp $HOME_NET any -> [103.172.79.74] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247062; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.work.gd"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247063/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247063; rev:1;)
# "Unknown malware" on port 1311: 22 hosts sharing one port, the 46.23.108.x
# and 45.95.169.x entries are contiguous-looking ranges. All tagged 100% by the
# feed, but with no family attributed; a single port-1311 rule covering the
# ranges would be cheaper to maintain, kept per-IP here to preserve the
# one-sid-per-IOC mapping.
alert tcp $HOME_NET any -> [220.158.234.115] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247039; rev:1;)
alert tcp $HOME_NET any -> [216.73.159.58] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247040; rev:1;)
alert tcp $HOME_NET any -> [169.239.129.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247041; rev:1;)
alert tcp $HOME_NET any -> [103.208.86.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247042; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.239] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247043; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.240] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247044; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.241] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247045; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.242] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247046; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.243] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247047; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.244] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247048; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.245] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247049; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.246] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247050; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247051; rev:1;)
alert tcp $HOME_NET any -> [46.23.108.249] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247052; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247053; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.101] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247054; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.105] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247055; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247056; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.117] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247057; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.150] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247058; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.152] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247059; rev:1;)
alert tcp $HOME_NET any -> [45.95.169.153] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247060; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.124] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247061; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.88] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247038; rev:1;)
# url rules with an IP literal in http.host: the host buffer carries only the
# host part (no port), so "94.156.67.192" with depth:13 + isdataat:!1 is an
# exact IP match; requests sent to a hostname that resolves there do not fire.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"94.156.67.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247037; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.14.46.128"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247036; rev:1;)
# Several Cobalt Strike hosts appear twice, as an ip:port rule and as one or
# more url rules on the same address (210.79.134.20, 141.98.168.246,
# 176.32.35.104, 123.249.30.101): one beacon over plain HTTP raises both sids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247034; rev:1;)
alert tcp $HOME_NET any -> [210.79.134.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247035; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247033; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.136.242.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247032; rev:1;)
alert tcp $HOME_NET any -> [142.171.229.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247031; rev:1;)
# 21hjgt71f.sharedomain.top is covered both as a url rule (HTTP GET /api/3 with
# that Host) and as a dns rule (the lookup itself); the dns rule fires first.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"21hjgt71f.sharedomain.top"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247029; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21hjgt71f.sharedomain.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247030; rev:1;)
alert tcp $HOME_NET any -> [141.98.168.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247028; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj"; depth:3; nocase; http.host; content:"141.98.168.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247027; rev:1;)
alert tcp $HOME_NET any -> [176.32.35.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247026; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247025; rev:1;)
alert tcp $HOME_NET any -> [185.161.208.123] 6655 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247024/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247024; rev:1;)
# NOTE(review): store4.ro is a registered domain, not an IP; as with
# www.yukon.de above, a /panel/ path on a named host may be a compromised site.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/panel/panel/index.php"; depth:22; nocase; http.host; content:"store4.ro"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247023; rev:1;)
alert tcp $HOME_NET any -> [43.129.31.231] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_20; classtype:trojan-activity; sid:91247022; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanomarch8100.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1247000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247000; rev:1;)
alert tcp $HOME_NET any -> [85.204.116.154] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91247013; rev:1;)
# "/cx" and "/cm" with depth:3 and no isdataat are 3-byte URI prefixes; any GET
# whose path starts with them to the pinned host matches.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247021; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247020; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247019; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247018; rev:1;)
# NOTE(review): the three NjRAT hosts on 12377 (18.197.x, 3.68.x, 3.66.x) look
# like cloud-provider address space, where addresses are re-assigned; re-verify
# before letting these age into a long-lived blocklist.
alert tcp $HOME_NET any -> [18.197.239.109] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247017; rev:1;)
alert tcp $HOME_NET any -> [3.68.171.119] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247016; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 12377 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247015; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.209"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247014; rev:1;)
alert tcp $HOME_NET any -> [123.249.30.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247012; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"123.249.30.101"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247011; rev:1;)
alert tcp $HOME_NET any -> [103.211.56.154] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247010; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmuploadstemporary.php"; depth:23; nocase; http.host; content:"785654cm.n9shteam3.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247009; rev:1;)
# Vidar: the four url rules below match http.uri "/" with depth:1 and no
# isdataat, i.e. ANY plain-HTTP GET to the pinned IP. Each IP also has an
# ip:port rule further down (three on 443, one on 8888), so the url rule only
# adds coverage for cleartext HTTP on ports other than the listed one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.5.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247008; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247007; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.57.253"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247006; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.216.188"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1247005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247005; rev:1;)
alert tcp $HOME_NET any -> [116.202.5.172] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247004; rev:1;)
alert tcp $HOME_NET any -> [78.47.57.253] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247001; rev:1;)
alert tcp $HOME_NET any -> [5.75.216.188] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247002; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.242] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1247003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91247003; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.141] 8100 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246999; rev:1;)
# confidence_level 50 block: the feed's lowest-fidelity tier in this run, and
# many of these are bare IP:443 matches with no content check. Keep them at
# alert/observe priority; they are not a safe input for automated blocking
# without a second source.
alert tcp $HOME_NET any -> [93.123.39.238] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246998; rev:1;)
alert tcp $HOME_NET any -> [91.107.121.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246997; rev:1;)
alert tcp $HOME_NET any -> [84.32.214.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246996; rev:1;)
alert tcp $HOME_NET any -> [222.186.21.204] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246995; rev:1;)
alert tcp $HOME_NET any -> [81.161.238.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246994/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246994; rev:1;)
alert tcp $HOME_NET any -> [154.16.10.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246993; rev:1;)
alert tcp $HOME_NET any -> [45.76.189.78] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246992/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246992; rev:1;)
alert tcp $HOME_NET any -> [216.83.58.188] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246991/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246991; rev:1;)
alert tcp $HOME_NET any -> [123.253.108.131] 8886 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246990/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246990; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.14] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246989/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246989; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.15] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246988/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246988; rev:1;)
# NOTE(review): QakBot entries on 443/4432 are typically infected residential
# hosts acting as proxies (inferred from the family, not from this file) -
# expect churn; re-check the IOC page before acting on an alert.
alert tcp $HOME_NET any -> [78.169.186.24] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246987/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246987; rev:1;)
alert tcp $HOME_NET any -> [175.13.35.49] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246986/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246986; rev:1;)
alert tcp $HOME_NET any -> [77.126.104.106] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246985/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246985; rev:1;)
alert tcp $HOME_NET any -> [72.27.209.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246984/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246984; rev:1;)
alert tcp $HOME_NET any -> [41.96.236.231] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246983/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246983; rev:1;)
alert tcp $HOME_NET any -> [23.227.193.238] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246982/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246982; rev:1;)
alert tcp $HOME_NET any -> [192.227.234.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246981; rev:1;)
alert tcp $HOME_NET any -> [155.138.229.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246980; rev:1;)
alert tcp $HOME_NET any -> [139.162.51.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246979; rev:1;)
alert tcp $HOME_NET any -> [95.179.171.52] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246978; rev:1;)
alert tcp $HOME_NET any -> [62.234.28.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246977; rev:1;)
alert tcp $HOME_NET any -> [96.9.225.129] 37826 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246976; rev:1;)
alert tcp $HOME_NET any -> [18.162.142.16] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246975; rev:1;)
alert tcp $HOME_NET any -> [43.198.208.125] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246974; rev:1;)
alert tcp $HOME_NET any -> [34.134.107.175] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246973; rev:1;)
alert tcp $HOME_NET any -> [78.47.48.88] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246972; rev:1;)
alert tcp $HOME_NET any -> [192.210.201.57] 52748 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ameerpplus.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246963; rev:1;)
alert tcp $HOME_NET any -> [24.42.99.89] 191 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_20; classtype:trojan-activity; sid:91246962; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"badbutperfect.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246957; rev:1;)
# DarkGate entry is tagged "payload delivery" rather than C2 and points at
# port 445 (SMB) - outbound SMB to the internet from $HOME_NET is worth an
# alert on its own, independent of this IP.
alert tcp $HOME_NET any -> [165.22.16.55] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246958; rev:1;)
alert tcp $HOME_NET any -> [147.78.47.15] 61227 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246959; rev:1;)
alert tcp $HOME_NET any -> [52.157.196.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; 
classtype:trojan-activity; sid:91246960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"147.78.47.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246961; rev:1;) alert tcp $HOME_NET any -> [45.120.177.167] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_20; classtype:trojan-activity; sid:91246970; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246969; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246968; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246967; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246966; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15449 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_20; classtype:trojan-activity; sid:91246965; rev:1;) alert tcp $HOME_NET any -> [46.183.222.88] 22288 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246964; rev:1;) alert tcp $HOME_NET any -> [47.99.65.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.99.65.183"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246955; rev:1;) alert tcp $HOME_NET any -> [154.31.181.190] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246954/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246954; rev:1;) alert tcp $HOME_NET any -> [210.79.134.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/explode/poll/ere9k18mnq"; depth:24; nocase; http.host; content:"210.79.134.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246952; rev:1;) alert tcp $HOME_NET any -> [154.31.183.188] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"89.117.59.92"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246949; rev:1;) alert tcp $HOME_NET any -> [89.117.59.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246950/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246950; rev:1;) alert tcp $HOME_NET any -> [154.31.180.174] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"microsoftdell1.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246921; rev:1;) alert tcp $HOME_NET any -> [206.233.132.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246944; rev:1;) alert tcp $HOME_NET any -> [206.233.132.104] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246943; rev:1;) alert tcp $HOME_NET any -> [206.233.132.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246942; rev:1;) alert tcp $HOME_NET any -> [13.214.93.225] 443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246941; rev:1;) alert tcp $HOME_NET any -> [216.83.58.191] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246940; rev:1;) alert tcp $HOME_NET any -> [216.83.58.190] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246939; rev:1;) alert tcp $HOME_NET any -> [16.162.87.219] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246938; rev:1;) alert tcp $HOME_NET any -> [149.104.27.148] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246937; rev:1;) alert tcp $HOME_NET any -> [101.34.211.170] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246936/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246936; rev:1;) alert tcp $HOME_NET any -> [172.245.91.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246935; rev:1;) alert tcp $HOME_NET any -> [46.246.84.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246934; rev:1;) alert tcp $HOME_NET any -> [159.0.41.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246933; rev:1;) alert tcp $HOME_NET any -> [154.247.214.2] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246932; rev:1;) alert tcp $HOME_NET any -> [189.177.83.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246931; rev:1;) alert tcp $HOME_NET any -> [70.31.125.174] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246930; rev:1;) alert tcp $HOME_NET any -> [41.96.246.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246929; rev:1;) alert tcp $HOME_NET any -> [91.108.105.80] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246928; rev:1;) alert tcp $HOME_NET any -> [82.157.236.128] 6443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246927; rev:1;) alert tcp $HOME_NET any -> [185.248.143.18] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246926; rev:1;) alert tcp $HOME_NET any -> [176.120.75.169] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246925; rev:1;) alert tcp $HOME_NET any -> [99.83.171.11] 443 (msg:"ThreatFox 
Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246924; rev:1;) alert tcp $HOME_NET any -> [130.61.212.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246923; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246922/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/check"; depth:26; nocase; http.host; content:"47.100.99.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246916; rev:1;) alert tcp $HOME_NET any -> [142.11.201.122] 7010 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar.css"; depth:17; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246914/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246914; rev:1;) alert tcp $HOME_NET any -> [45.32.196.110] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.etallyall.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blendy-game.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246910; rev:1;) alert tcp $HOME_NET any -> [20.206.240.63] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246908; rev:1;) alert tcp $HOME_NET any -> [14.225.208.190] 19990 
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246907/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246907; rev:1;) alert tcp $HOME_NET any -> [5.181.80.60] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246887; rev:1;) alert tcp $HOME_NET any -> [5.181.80.189] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246889; rev:1;) alert tcp $HOME_NET any -> [5.181.80.61] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246888; rev:1;) alert tcp $HOME_NET any -> [5.181.80.59] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246886; rev:1;) alert tcp $HOME_NET any -> [45.125.66.111] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; 
classtype:trojan-activity; sid:91246885; rev:1;) alert tcp $HOME_NET any -> [178.128.63.21] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246880; rev:1;) alert tcp $HOME_NET any -> [178.128.86.45] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246881; rev:1;) alert tcp $HOME_NET any -> [193.233.132.155] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246884; rev:1;) alert tcp $HOME_NET any -> [157.245.193.12] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246879; rev:1;) alert tcp $HOME_NET any -> [152.42.163.36] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246877; rev:1;) alert tcp $HOME_NET any -> [157.230.41.125] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246878; rev:1;) alert tcp $HOME_NET any -> [146.190.81.220] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246875; rev:1;) alert tcp $HOME_NET any -> [152.42.163.34] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246876; rev:1;) alert tcp $HOME_NET any -> [128.199.168.231] 1433 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246874; rev:1;) alert tcp $HOME_NET any -> [128.199.100.0] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246873; rev:1;) alert tcp $HOME_NET any -> [193.233.132.137] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246869; rev:1;) alert tcp $HOME_NET any -> [193.233.132.188] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246864; rev:1;) alert tcp $HOME_NET any -> [185.198.57.73] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246857; rev:1;) alert tcp $HOME_NET any -> [185.198.57.78] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246858; rev:1;) alert tcp $HOME_NET any -> [185.141.27.17] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246854; rev:1;) alert tcp $HOME_NET any -> [185.141.27.200] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246855; rev:1;) alert tcp $HOME_NET any -> [185.183.96.15] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246856; 
rev:1;) alert tcp $HOME_NET any -> [185.117.73.134] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246852; rev:1;) alert tcp $HOME_NET any -> [185.117.73.187] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246853; rev:1;) alert tcp $HOME_NET any -> [185.45.193.151] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246850; rev:1;) alert tcp $HOME_NET any -> [185.82.202.236] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.212.96"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.171"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246903; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246902; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246899; rev:1;) alert tcp $HOME_NET any -> [5.75.212.96] 80 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246900; rev:1;) alert tcp $HOME_NET any -> [5.75.214.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"154.3.8.55"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246897; rev:1;) alert tcp $HOME_NET any -> [103.27.109.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-jby1ivts-1324864909.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246893; rev:1;) alert tcp $HOME_NET any -> [101.34.58.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hp/api/v1/carousel"; depth:19; nocase; http.host; content:"101.34.58.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246891/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_19; classtype:trojan-activity; sid:91246891; rev:1;) alert tcp $HOME_NET any -> [154.30.255.175] 8887 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/activity"; depth:9; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.37.215.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1246866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.131.118.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.temt.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246861; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"150.158.37.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246848; rev:1;) alert tcp $HOME_NET any -> [150.158.37.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246849; rev:1;) alert tcp $HOME_NET any -> [154.31.180.186] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246847/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_19; classtype:trojan-activity; sid:91246847; rev:1;) alert tcp $HOME_NET any -> [38.55.204.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.55.204.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246845; rev:1;) alert tcp $HOME_NET any -> [154.31.181.180] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246844; rev:1;) alert tcp $HOME_NET any -> [154.31.180.168] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246843; rev:1;) alert tcp $HOME_NET any -> [154.31.177.169] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246842; rev:1;) alert tcp $HOME_NET any -> 
[154.31.181.165] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246841; rev:1;) alert tcp $HOME_NET any -> [123.60.135.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"123.60.135.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246839; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lee.exe"; depth:8; nocase; http.host; content:"104.168.32.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xampp/bll/leeisagoodmanwholovedhertrulyfromtheheartsheismycutegirl____ilovehertrulyfromtheheartwithallmylovetokissyousuccess.doc"; depth:129; nocase; http.host; content:"94.156.69.17"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/c6ui18im6abq8-el0qhxmang5bfkq"; depth:47; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246833; rev:1;) alert tcp $HOME_NET any -> [217.197.107.177] 50500 (msg:"ThreatFox RisePro 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246832; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246822; rev:1;) alert tcp $HOME_NET any -> [20.73.14.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246823; rev:1;) alert tcp $HOME_NET any -> [80.82.76.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/files/amadey.exe"; depth:17; nocase; http.host; content:"91.92.250.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246826; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246831; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246830; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246829; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12664 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246828; rev:1;) alert tcp $HOME_NET any -> [147.45.68.14] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246827; rev:1;) alert tcp $HOME_NET any -> [185.255.114.127] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246824; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 4258 (msg:"ThreatFox Bashlite 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/18/gate.php"; depth:12; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246820; rev:1;) alert tcp $HOME_NET any -> [105.98.140.166] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246765; rev:1;) alert tcp $HOME_NET any -> [105.99.1.231] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246766; rev:1;) alert tcp $HOME_NET any -> [105.98.156.131] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246767; rev:1;) alert tcp $HOME_NET any -> [105.102.233.51] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246768; rev:1;) alert tcp $HOME_NET any -> [72.167.134.164] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aireynvuw.homeunix.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246772; rev:1;) alert tcp $HOME_NET any -> [94.156.66.151] 39001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghfhhminfudk.exe"; depth:17; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hghghjhfhleviticus.exe"; depth:23; nocase; http.host; content:"94.156.66.151"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjhfhgdg.insane.wang"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/1591130eaa3b8a96895bff8d686e7ec2697f986974508c85f0b051191a853aa069fe7ce03179e1c20ec7"; depth:94; nocase; http.host; content:"api.filedoge.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gfgghdhwhatsup.exe"; depth:19; nocase; http.host; content:"94.156.66.151"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246784; rev:1;) alert tcp $HOME_NET any -> [154.37.51.70] 3320 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246785; rev:1;) alert tcp $HOME_NET any -> [154.37.51.70] 3321 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246786; rev:1;)
# NOTE(review): rules below are one ThreatFox IOC each (sid = 9 + IOC id, reference:url points at the IOC page).
# The "domain" rules anchor the name with depth:N plus isdataat:!1,relative, so they fire only on a query for
# exactly that FQDN; a lookup for a subdomain (e.g. www.<domain>) is not matched. dns_query is the legacy spelling
# of the dns.query buffer - confirm the deployed Suricata version still accepts it.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buassinnndm.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246792; rev:1;)
# NOTE(review): the "ip:port" rules have no payload or flow check - any TCP packet from $HOME_NET to that ip:port
# alerts, including scans/probes. The threshold only caps output to one alert per source per 60 s; it does not
# narrow what matches. Confidence is carried in msg and metadata - filter on confidence_level downstream rather
# than treating all of these as equal.
alert tcp $HOME_NET any -> [143.198.197.14] 445 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246793; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.13] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246794; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246818; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11256 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246819; rev:1;)
alert tcp $HOME_NET any -> [45.131.108.174] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246773/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246773; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 57514 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246758/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246758; rev:1;)
# NOTE(review): *.ip.gl.ply.gg looks like a hostname on a public tunnelling service rather than attacker-owned
# infrastructure (confidence 75 here); expect benign hits where that service is in legitimate use - verify before
# escalating on this sid alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"17.ip.gl.ply.gg"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246759/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246759; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 17008 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246760/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246760; rev:1;)
alert tcp $HOME_NET any -> [109.248.12.212] 5501 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246761/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246761; rev:1;)
alert tcp $HOME_NET any -> [89.245.33.102] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246762/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246762; rev:1;)
alert tcp $HOME_NET any -> [216.83.40.68] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246763/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246763; rev:1;)
# NOTE(review): the "url" rules require GET, a URI prefix (content + depth anchors it at offset 0) and an exact
# Host header (depth + isdataat:!1,relative). A URI of "/" with depth:1 matches every request path, so those
# rules are effectively host-only rules for the Host value that follows.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/statistic/js/stat/js"; depth:21; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"policy.donnafrey.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246748; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cf-protected-l7.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246757; rev:1;)
# NOTE(review): the four 50%-confidence rules below (sids 91246743/44/41/42) put an IP literal at offset 0 of
# http.uri and have no http.host check. The normalized URI of an ordinary request starts with "/", so these are
# unlikely to fire on normal traffic; if the intent is "any request to this host", they should match the IP in
# http.host (exact, with isdataat:!1,relative) like the other url rules. Treat hits as low-confidence.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"88.99.127.167"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1246743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.214.7"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1246744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marvin-occentus.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"49.13.89.149"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"78.46.233.36"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1246742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246742; rev:1;)
# NOTE(review): xmr.2miners.com is a public mining pool, classed here as trojan-activity at 100%; any sanctioned
# or user-installed miner on the network will trip this sid too - triage as "miner present", not "trojan".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.2miners.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246740; rev:1;)
alert tcp $HOME_NET any -> [162.19.139.184] 12222 (msg:"ThreatFox xmrig botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246739; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aptcorp.us"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246737; rev:1;)
alert tcp $HOME_NET any -> [45.128.232.250] 6149 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_19; classtype:trojan-activity; sid:91246738; rev:1;)
# NOTE(review): 14.224.174.212 appears on seven ports below (8889, 31705, 2014, 8080, 8888, 1433, 88), one sid per
# ThreatFox IOC. They are kept separate so each sid maps back to its IOC page; a single rule with a port list
# would produce fewer alerts but lose that mapping.
alert tcp $HOME_NET any -> [14.224.174.212] 8889 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246735; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 31705 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246736; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 2014 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246732; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 8080 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246733; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 8888 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246734; rev:1;)
alert tcp $HOME_NET any -> [212.113.116.216] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246728; rev:1;)
alert tcp $HOME_NET any -> [45.61.54.105] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246729; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 1433 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246731; rev:1;)
alert tcp $HOME_NET any -> [14.224.174.212] 88 (msg:"ThreatFox WannaCryptor payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246730; rev:1;)
alert tcp $HOME_NET any -> [141.98.7.221] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246695; rev:1;)
alert tcp $HOME_NET any -> [176.97.210.31] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246727; rev:1;)
# NOTE(review): the 50%-confidence "Unknown malware" / framework rules below are ip:port only on common ports
# (80, 443, 8443). With no payload check they will also fire on benign contact with a host that has since been
# reassigned; use first_seen in metadata to age them out.
alert tcp $HOME_NET any -> [212.109.194.186] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246817; rev:1;)
alert tcp $HOME_NET any -> [107.189.24.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246816; rev:1;)
alert tcp $HOME_NET any -> [65.20.71.37] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246815; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.17] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246814; rev:1;)
alert tcp $HOME_NET any -> [154.246.189.64] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246813; rev:1;)
alert tcp $HOME_NET any -> [193.149.189.103] 55006 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246812; rev:1;)
alert tcp $HOME_NET any -> [207.148.73.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246811; rev:1;)
alert tcp $HOME_NET any -> [65.108.19.239] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246810; rev:1;)
alert tcp $HOME_NET any -> [172.247.113.106] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246809; rev:1;)
alert tcp $HOME_NET any -> [185.22.155.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246808; rev:1;)
alert tcp $HOME_NET any -> [165.22.72.160] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246807; rev:1;)
alert tcp $HOME_NET any -> [168.76.172.126] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246806; rev:1;)
alert tcp $HOME_NET any -> [218.28.172.25] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246805; rev:1;)
alert tcp $HOME_NET any -> [104.236.72.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246804; rev:1;)
alert tcp $HOME_NET any -> [8.220.135.161] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246803; rev:1;)
alert tcp $HOME_NET any -> [39.99.251.33] 63421 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_19; classtype:trojan-activity; sid:91246802; rev:1;)
# NOTE(review): 3.124.142.205 and 3.125.209.94 appear twice in this block - once on 11256 at 75% (sids 91246819,
# 91246818 above) and once on 11326 at 100% below. Both ports are distinct IOCs; a hit on either is the same host.
alert tcp $HOME_NET any -> [18.158.249.75] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246801; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246800; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246799; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246798; rev:1;)
alert tcp $HOME_NET any -> [18.192.31.165] 11326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246797; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.147] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_19; classtype:trojan-activity; sid:91246796; rev:1;)
alert tcp $HOME_NET any -> [52.27.42.38] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_19; classtype:trojan-activity; sid:91246795; rev:1;)
alert tcp $HOME_NET any -> [154.31.180.183] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246791; rev:1;)
alert tcp $HOME_NET any -> [154.31.181.170] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246790; rev:1;)
alert tcp $HOME_NET any -> [154.31.179.163] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246789; rev:1;)
alert tcp $HOME_NET any -> [154.31.183.177] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246788; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.31.176.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246787; rev:1;)
alert tcp $HOME_NET any -> [31.129.98.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246783; rev:1;)
alert tcp $HOME_NET any -> [41.98.246.202] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246782; rev:1;)
# NOTE(review): outbound SMB (445) from $HOME_NET to an external host is worth alerting on regardless of this
# IOC; if egress 445 is already blocked at the perimeter this sid will never fire and the block log is the signal.
alert tcp $HOME_NET any -> [94.237.43.116] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246781; rev:1;)
alert tcp $HOME_NET any -> [104.238.60.87] 3509 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246780; rev:1;)
alert tcp $HOME_NET any -> [13.113.189.83] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246779; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246770; rev:1;)
# NOTE(review): the url rule below is plaintext HTTP only (alert http with http.* buffers); the ip:port rule on
# 443 above is what covers TLS to the same host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.140.146.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246769; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.18] 8088 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246764; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.25.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.210.0"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246755; rev:1;)
# NOTE(review): the next two rules point at shared public services (steamcommunity.com, t.me). The URI prefix is
# the only thing that makes them specific - keep them as alert, never widen to host-only or convert to drop.
# Both hosts are normally reached over TLS, so these plaintext-HTTP rules will only see the request if it is
# made over HTTP or visible via TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199654112719"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/r2d0s"; depth:6; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246753; rev:1;)
alert tcp $HOME_NET any -> [5.75.210.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246751; rev:1;)
alert tcp $HOME_NET any -> [95.217.25.45] 8888 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246752; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.74] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246750; rev:1;)
alert tcp $HOME_NET any -> [175.42.18.7] 4784 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246749; rev:1;)
alert tcp $HOME_NET any -> [138.197.68.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246726; rev:1;)
# NOTE(review): where an ip:port rule and a url rule cover the same host (e.g. 138.197.68.179 above and below),
# one plaintext beacon produces two alerts with different sids; the threshold is per rule, not per host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/broadcast"; depth:10; nocase; http.host; content:"138.197.68.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"176.32.35.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246723; rev:1;)
alert tcp $HOME_NET any -> [82.157.69.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"82.157.69.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246721; rev:1;)
alert tcp $HOME_NET any -> [185.130.46.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246720; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.67.195.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246717; rev:1;)
alert tcp $HOME_NET any -> [118.31.118.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246718; rev:1;)
# NOTE(review): "/jquery-3.3.1.min.js" is a common CDN-style path; it is safe here only because each rule also
# pins an exact Host. Do not reuse the URI match without the http.host clause.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.27.109.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246716; rev:1;)
alert tcp $HOME_NET any -> [118.31.118.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246715; rev:1;)
# NOTE(review): sid 91246714 has exactly the same match conditions as sid 91246717 above (GET /watch, Host
# 118.31.118.253); both fire on the same request. Two ThreatFox IOC ids for one URL - dedupe downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/watch"; depth:6; nocase; http.host; content:"118.31.118.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.103.218.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246713; rev:1;)
alert tcp $HOME_NET any -> [13.55.236.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"13.55.236.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246711; rev:1;)
alert tcp $HOME_NET any -> [8.217.68.27] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246710; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"8.217.68.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246709; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"16.163.149.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246707; rev:1;)
alert tcp $HOME_NET any -> [16.163.149.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246708; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"118.25.173.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246705; rev:1;)
alert tcp $HOME_NET any -> [118.25.173.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tgsk.xyz"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246703; rev:1;)
alert tcp $HOME_NET any -> [49.232.191.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246704; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"tgsk.xyz"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246702; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"49.232.191.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246701; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"193.222.96.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246700; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 41985 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246699; rev:1;)
# NOTE(review): TCP/53 to a single external host - this is an ip:port match, not DNS inspection; it will not see
# UDP/53 beaconing to the same host, and a resolver on $HOME_NET forwarding to it over TCP would also trip it.
alert tcp $HOME_NET any -> [1.94.110.130] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.fwmtest.cn"; depth:14; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fwmtest.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246693; rev:1;) alert tcp $HOME_NET any -> [217.18.63.132] 707 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246692/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246692; rev:1;) alert tcp $HOME_NET any -> [94.103.188.202] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246679/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246679; rev:1;) alert tcp $HOME_NET any -> [81.136.59.207] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246691/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246690; rev:1;) alert tcp $HOME_NET any -> [120.78.133.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-akqr4y12-1300243308.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246687; rev:1;) alert tcp $HOME_NET any -> [139.9.46.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246682/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_18; classtype:trojan-activity; sid:91246682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246680; rev:1;) alert tcp $HOME_NET any -> [141.98.10.128] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"firmware.fucktheccp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246678; rev:1;) alert tcp $HOME_NET any -> [144.126.198.15] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246676/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_18; classtype:trojan-activity; sid:91246676; rev:1;) alert tcp $HOME_NET any -> [87.120.84.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246675; rev:1;) alert tcp $HOME_NET any -> [47.242.8.254] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246674; rev:1;) alert tcp $HOME_NET any -> [45.152.66.151] 18888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246673; rev:1;) alert tcp $HOME_NET any -> [103.165.81.207] 8888 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246672; rev:1;) alert tcp $HOME_NET any -> [190.133.143.235] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246671; rev:1;) alert tcp $HOME_NET any -> [79.174.95.201] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1246670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246670; rev:1;) alert tcp $HOME_NET any -> [43.198.225.0] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_18; classtype:trojan-activity; sid:91246669; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; 
sid:91246606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246601; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"qffourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wall4k.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vstoea.wiki"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246597; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246611/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246616; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3pn.top"; 
depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qftwo2sr.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246624; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 41414 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"authority-amazon.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246633; rev:1;) alert tcp $HOME_NET any -> [185.125.50.49] 7439 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246660/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_18; classtype:trojan-activity; sid:91246660; rev:1;) alert tcp $HOME_NET any -> [4.185.137.132] 1632 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246661; rev:1;) alert tcp $HOME_NET any -> [103.153.69.99] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246668/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bn.networkbn.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_18; classtype:trojan-activity; sid:91246656; rev:1;) alert tcp $HOME_NET any -> [187.135.149.236] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246642; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246643; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246644; rev:1;) alert tcp $HOME_NET any -> [187.135.170.92] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246645; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 1949 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246646; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246648; rev:1;) alert tcp $HOME_NET any -> [187.135.139.227] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246649; rev:1;) alert tcp $HOME_NET any -> [82.66.185.138] 4449 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246650; rev:1;) 
alert tcp $HOME_NET any -> [187.135.139.227] 2050 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246647; rev:1;) alert tcp $HOME_NET any -> [45.14.245.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246640; rev:1;) alert tcp $HOME_NET any -> [89.23.100.222] 44528 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246641; rev:1;) alert tcp $HOME_NET any -> [193.222.96.14] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246639; rev:1;) alert tcp $HOME_NET any -> [193.222.96.20] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246638; rev:1;) alert tcp $HOME_NET any -> [193.222.96.96] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246637; rev:1;) alert tcp $HOME_NET any -> [193.222.96.95] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246636; rev:1;) alert tcp $HOME_NET any -> [193.222.96.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diveupdown.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"viopde.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246596; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"utlyter.cloud"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246595; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tkteew.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soudes.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246593; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sotepo.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246592; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paolio.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rknloco.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pabox.cc"; depth:8; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogcegd.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowurl.me"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modpk.asia"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"melyre.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lxszgs.icu"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; 
classtype:trojan-activity; sid:91246584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lpcwww.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmmqgd.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dre4.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"desesn.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyskop.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"cpritn.city"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdrawhi.art"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"6lpc.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4url312.vip"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4url.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.113.229"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246665; rev:1;) alert tcp $HOME_NET any -> [5.75.208.102] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246663; rev:1;) alert tcp $HOME_NET any -> [49.12.113.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246664; rev:1;) alert tcp $HOME_NET any -> [5.75.208.102] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246662; rev:1;) alert tcp $HOME_NET any -> [194.147.140.146] 6609 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246659; rev:1;) alert tcp $HOME_NET any -> [89.208.107.205] 7578 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246658; rev:1;) alert tcp $HOME_NET any -> [172.245.208.13] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246657; rev:1;) alert tcp $HOME_NET any -> [83.137.157.61] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_18; classtype:trojan-activity; sid:91246655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; 
sid:91246654; rev:1;) alert tcp $HOME_NET any -> [8.222.147.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.222.147.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246652; rev:1;) alert tcp $HOME_NET any -> [194.233.79.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246631; rev:1;) alert tcp $HOME_NET any -> [45.128.96.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246630; rev:1;) alert tcp $HOME_NET any -> [20.234.62.151] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246629; rev:1;) alert tcp $HOME_NET any -> [139.180.199.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246628; rev:1;) alert tcp $HOME_NET any -> [202.47.118.167] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246627; rev:1;) alert tcp $HOME_NET any -> [184.66.10.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246626; rev:1;) alert tcp $HOME_NET any -> [72.27.161.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.78.87"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"78.47.136.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"167.235.207.130"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.108.83.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246570; rev:1;) alert tcp $HOME_NET any -> [78.47.136.81] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246568; rev:1;) alert tcp $HOME_NET any -> [78.47.78.87] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246569; rev:1;) alert tcp $HOME_NET any -> [65.108.83.243] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246566; rev:1;) alert tcp $HOME_NET any -> [167.235.207.130] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246567; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 48079 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246556/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pidorgeio-48079.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246557/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managevvb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"managevvb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246559/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_17; classtype:trojan-activity; sid:91246559; rev:1;) alert tcp $HOME_NET any -> [89.245.35.152] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246560; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12051 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246561/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246561; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56522 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"having-jackson.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246564; rev:1;) alert tcp $HOME_NET any -> [23.106.121.133] 3232 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246565; rev:1;) alert tcp $HOME_NET any -> [193.233.132.62] 58709 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beuces.cool"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ransomware.wannacry_plus.zip"; depth:29; nocase; http.host; content:"14.224.174.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246554; rev:1;) alert tcp $HOME_NET any -> [172.245.72.19] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.3qweraa.beauty"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"cdn.3qweraa.beauty"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"146.70.44.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.120.63.211"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246547; rev:1;) alert tcp $HOME_NET any -> [47.120.63.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246548; rev:1;) alert tcp $HOME_NET any -> [13.68.195.153] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redir-s49f828c.eastus.cloudapp.azure.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.92.155.195"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246543; rev:1;) alert tcp $HOME_NET any -> [107.175.245.109] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; 
classtype:trojan-activity; sid:91246541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.134.126.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246540; rev:1;) alert tcp $HOME_NET any -> [49.232.191.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-d1ssjklq-1306655841.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; 
nocase; http.host; content:"124.222.147.8"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"80.87.206.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"planetstherapy.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.planetstherapy.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246533; rev:1;) alert tcp $HOME_NET any -> [37.120.239.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246528; rev:1;)
# ThreatFox-generated Suricata signatures, one rule per line. Three rule shapes occur in this section:
#   * http rules: flow:established,from_client, then http.method GET, http.uri (content + depth, nocase)
#     and http.host (content + depth + isdataat:!1,relative). depth equals the indicator length and
#     isdataat:!1,relative forbids trailing bytes, so the Host header must equal the indicator exactly;
#     a URI like /dpixel or /ga.js therefore only alerts when paired with the listed host.
#   * dns rules: dns_query with content + depth + isdataat:!1,relative + nocase, i.e. an exact-name
#     match on the queried name (subdomains of the indicator do not match).
#   * tcp ip:port rules: destination address/port only, no flow or content keyword, so they match any
#     packet to that socket (including the first SYN); "threshold: type limit, track by_src, seconds 60,
#     count 1" then caps alerts at one per internal source host per minute.
# Every rule sets target:src_ip (the internal client is reported as the victim), a reference URL to the
# ThreatFox IoC entry, and metadata carrying confidence_level and first_seen; the sid is the IoC id with
# a leading 9, so sid and reference URL can be cross-checked. The ip:port rules at confidence_level 50
# alert on every connection to the address regardless of payload, so triage them against the reference
# URL before turning any of them into a block action.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/link.css"; depth:9; nocase; http.host; content:"37.120.239.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246527; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cq25511.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246524; rev:1;)
alert tcp $HOME_NET any -> [1.116.103.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"service-89u0y7ij-1305550121.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246523; rev:1;)
alert tcp $HOME_NET any -> [107.175.245.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246522; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.10086cn.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.10086cn.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246521; rev:1;)
alert tcp $HOME_NET any -> [107.175.245.109] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246519; rev:1;)
# NOTE(review): the next five rules key on *.arkoselabs.com hosts with the /jquery-3.3.1.min.js URI.
# The URI is commonly associated with Cobalt Strike malleable profiles, and the host names look like a
# third-party service being impersonated rather than infrastructure the actor owns - confirm against the
# reference URLs. If so, the two dns_query rules (sids 91246518, 91246516) will alert on legitimate
# resolution of those names; the host-plus-URI http rules are the lower-noise pair to keep enabled.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"prod-ireland.arkoselabs.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prod-ireland.arkoselabs.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epic-games-api.arkoselabs.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246516; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"epic-games-api.arkoselabs.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"client-api.arkoselabs.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246513; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0929875.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246512; rev:1;)
alert tcp $HOME_NET any -> [23.94.104.16] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246505/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246505; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"4qvvg9ud51lxa5te.gta5.eu.org"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246506/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246506; rev:1;)
alert tcp $HOME_NET any -> [198.12.88.130] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246507/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246507; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"139.9.190.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246511; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.40.119.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246510; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246509; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246508; rev:1;)
alert tcp $HOME_NET any -> [205.185.126.140] 24124 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246504/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246504; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.43] 35342 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246503/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246503; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthltd.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246502; rev:1;)
alert tcp $HOME_NET any -> [78.40.117.218] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246501/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246501; rev:1;)
alert tcp $HOME_NET any -> [79.124.40.47] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246500/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246500; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzflzwiznmywzdi5/"; depth:18; nocase; http.host; content:"83.97.73.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246485; rev:1;)
alert tcp $HOME_NET any -> [89.245.33.186] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246470/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"huot.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246479; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.109] 11599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246480; rev:1;)
alert tcp $HOME_NET any -> [89.245.33.186] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246469; rev:1;)
alert tcp $HOME_NET any -> [141.95.114.229] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246402; rev:1;)
alert tcp $HOME_NET any -> [141.95.114.229] 8080 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246403; rev:1;)
alert tcp $HOME_NET any -> [45.147.228.138] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246404; rev:1;)
alert tcp $HOME_NET any -> [51.195.192.51] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246405; rev:1;)
alert tcp $HOME_NET any -> [94.156.71.75] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246406; rev:1;)
alert tcp $HOME_NET any -> [51.195.192.51] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246407; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.101] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246408/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246408; rev:1;)
alert tcp $HOME_NET any -> [217.18.63.132] 12345 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246427/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_17; classtype:trojan-activity; sid:91246427; rev:1;)
# The URI here is "/" with depth:1, so this rule fires on any GET for the site root of the listed host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"managedkv.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_17; classtype:trojan-activity; sid:91246463; rev:1;)
alert tcp $HOME_NET any -> [188.120.250.67] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246499; rev:1;)
alert tcp $HOME_NET any -> [2.31.159.75] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246498; rev:1;)
alert tcp $HOME_NET any -> [124.171.143.147] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246497; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.101] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246496; rev:1;)
alert tcp $HOME_NET any -> [62.182.80.97] 56432 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246495/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246495; rev:1;)
alert tcp $HOME_NET any -> [37.1.210.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246494/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246494; rev:1;)
alert tcp $HOME_NET any -> [51.195.91.31] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246493; rev:1;)
alert tcp $HOME_NET any -> [89.116.22.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246492; rev:1;)
alert tcp $HOME_NET any -> [20.197.20.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246491; rev:1;)
alert tcp $HOME_NET any -> [3.35.14.154] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246490; rev:1;)
alert tcp $HOME_NET any -> [168.76.172.111] 15023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246489; rev:1;)
alert tcp $HOME_NET any -> [89.223.121.240] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246488; rev:1;)
alert tcp $HOME_NET any -> [89.223.121.240] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246487; rev:1;)
# Destination port 53 over TCP: any TCP DNS traffic to this address matches, not only the C2 protocol.
alert tcp $HOME_NET any -> [185.194.140.225] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_17; classtype:trojan-activity; sid:91246486; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.80] 4608 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowerpublicpacket/db8test5/wordpress02flower/processorlongpolllow/defaultprotect/_temp/bigloaddatalife7mariadb/_vmbetterimage/dumppipejavascriptpython/8default/1/trafficprovider/wp/wpapi/vmlongpoll1/6wordpresspacket/0multiupdateauth/4/pipeauthtest.php"; depth:253; nocase; http.host; content:"89.23.96.177"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246483; rev:1;)
alert tcp $HOME_NET any -> [103.253.73.222] 117 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246482; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flowerprocessorjavascriptvideo/eternalbigload/test/4/test/16datalife8/httpwpuploads/jssqlsqlline/uploadscpuproton/dbprotect/local/update/jstemp/videolinepythonsql/flower/apiwordpresstest_/javascriptuniversal/imageapitemp.php"; depth:225; nocase; http.host; content:"89.23.97.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246481; rev:1;)
alert tcp $HOME_NET any -> [46.226.164.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246478; rev:1;)
alert tcp $HOME_NET any -> [154.12.28.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246477; rev:1;)
alert tcp $HOME_NET any -> [151.64.220.95] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246476; rev:1;)
alert tcp $HOME_NET any -> [34.69.171.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246475; rev:1;)
alert tcp $HOME_NET any -> [51.195.91.31] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246474; rev:1;)
alert tcp $HOME_NET any -> [146.70.100.113] 22222 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246473; rev:1;)
alert tcp $HOME_NET any -> [113.25.150.234] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246472; rev:1;)
alert tcp $HOME_NET any -> [178.17.170.180] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bad.bois.sh"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246467; rev:1;)
alert tcp $HOME_NET any -> [20.55.16.22] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scoring.bois.sh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"good.bois.sh"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246465; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.96.229.84"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246462; rev:1;)
alert tcp $HOME_NET any -> [121.36.33.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246461; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.36.33.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246460; rev:1;)
alert tcp $HOME_NET any -> [54.220.110.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onlinetraveler.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246458; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"onlinetraveler.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246457; rev:1;)
alert tcp $HOME_NET any -> [121.36.198.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246456; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.36.198.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246455; rev:1;)
alert tcp $HOME_NET any -> [13.201.220.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246454; rev:1;)
# "payload delivery" rather than "botnet C2": the indicator is a download URL, same http.uri/http.host anchoring.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.126.66.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246453; rev:1;)
alert tcp $HOME_NET any -> [5.42.65.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246452; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"27925375.whiteproducts.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246451; rev:1;)
alert tcp $HOME_NET any -> [154.23.178.106] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_16; classtype:trojan-activity; sid:91246450; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246449; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246448; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"111.51.156.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246437; rev:1;)
alert tcp $HOME_NET any -> [45.138.157.4] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246436; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.mozilia-tm.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET";
http.uri; content:"/load"; depth:5; nocase; http.host; content:"update.mozilia-tm.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z886888.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246432; rev:1;) alert tcp $HOME_NET any -> [8.222.147.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"z886888.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246431; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246428; rev:1;) alert tcp $HOME_NET any -> [5.42.65.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_16; classtype:trojan-activity; sid:91246426; rev:1;) alert tcp $HOME_NET any -> [188.120.231.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246425/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246425; rev:1;) alert tcp $HOME_NET any -> [64.23.228.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246424/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246424; rev:1;) alert tcp $HOME_NET any -> [185.80.128.10] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1246423/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246423; rev:1;) alert tcp $HOME_NET any -> [46.246.86.16] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246422/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246422; rev:1;) alert tcp $HOME_NET any -> [27.124.34.10] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246421/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246421; rev:1;) alert tcp $HOME_NET any -> [72.27.104.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246420/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246420; rev:1;) alert tcp $HOME_NET any -> [189.222.127.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246419/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246419; rev:1;) alert tcp $HOME_NET any -> [50.67.6.160] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246418/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246418; rev:1;) alert tcp $HOME_NET any -> [39.105.194.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246417/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246417; rev:1;) alert tcp $HOME_NET any -> [37.1.210.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246416/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246416; rev:1;) alert tcp $HOME_NET any -> [45.134.9.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246415/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246415; rev:1;) alert tcp $HOME_NET any -> [47.122.6.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246414/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246414; rev:1;) alert tcp $HOME_NET any -> [20.127.96.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246413/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246413; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246412/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246412; rev:1;) alert tcp 
$HOME_NET any -> [140.82.20.246] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246411/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246411; rev:1;) alert tcp $HOME_NET any -> [23.227.202.153] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246410; rev:1;) alert tcp $HOME_NET any -> [34.231.255.33] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_16; classtype:trojan-activity; sid:91246409; rev:1;) alert tcp $HOME_NET any -> [206.238.113.242] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246401; rev:1;) alert tcp $HOME_NET any -> [104.233.187.229] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246400; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246399; rev:1;) alert tcp $HOME_NET any -> [121.41.168.126] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246398; rev:1;) alert tcp $HOME_NET any -> [180.76.231.105] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246397; rev:1;) alert tcp $HOME_NET any -> [39.51.186.81] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246396; rev:1;) alert tcp $HOME_NET any -> [167.56.66.0] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246395; rev:1;) alert tcp $HOME_NET any -> [46.41.139.162] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246394/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246394; rev:1;) alert tcp $HOME_NET any -> [69.30.249.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246393/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246393; rev:1;) alert tcp $HOME_NET any -> [45.138.157.4] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246392/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246392; rev:1;) alert tcp $HOME_NET any -> [103.113.68.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246390; rev:1;) alert tcp $HOME_NET any -> [103.113.68.85] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246391/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246391; rev:1;) alert tcp $HOME_NET any -> [69.30.249.148] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246388; rev:1;) alert tcp $HOME_NET any -> [69.30.249.148] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246389; rev:1;) alert 
tcp $HOME_NET any -> [69.30.249.148] 81 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246387; rev:1;) alert tcp $HOME_NET any -> [20.244.47.98] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246386/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246386; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 49737 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246385; rev:1;) alert tcp $HOME_NET any -> [172.105.58.129] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"e3iu8c.carregadorobjeto.za.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"0buue2.padelixoobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"reoer.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"rgar0.padelixoobjeto.sa.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jwafy.canecaobjeto.ru.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"raipd.carregadorobjeto.za.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lwajt.caixadeferramentasobjeto.za.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reoer.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rgar0.padelixoobjeto.sa.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"t2uehw.etiquetaadesivaobjeto.ru.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"veea5y.gpsdecarroobjeto.sa.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w8oafr.almofadaobjeto.ru.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wadn.maquinadecafeobjeto.ru.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wafu.gpsdecarroobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"0buue2.padelixoobjeto.sa.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ba7r.almofadaobjeto.ru.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"9ja7t.maquinadecafeobjeto.ru.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a5aoee.caixadeferramentasobjeto.za.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dwai1l.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"e3iu8c.carregadorobjeto.za.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eeu6r.etiquetaadesivaobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freodr.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hiui7e.kitdesocorrosobjeto.za.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jwafy.canecaobjeto.ru.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lwajt.caixadeferramentasobjeto.za.com"; 
depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r6oacr.papelhigienicoobjeto.ru.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raipd.carregadorobjeto.za.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sqlcentraluploads.php"; depth:22; nocase; http.host; content:"951499cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246342; rev:1;) alert tcp $HOME_NET any -> [103.119.1.73] 1111 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246341/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"parabmasale.com"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246340; rev:1;) alert tcp $HOME_NET any -> [193.35.18.164] 59432 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"franco1.no-ip.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"worldofmantas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"cheaterpro.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246337; rev:1;) alert tcp $HOME_NET any -> [213.248.43.34] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246338; rev:1;) alert tcp $HOME_NET any -> [95.179.190.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ontexcare.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246328; rev:1;) alert tcp $HOME_NET any -> [128.90.128.157] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246314; rev:1;) alert tcp $HOME_NET any -> [193.47.46.10] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246316; rev:1;) alert tcp $HOME_NET any -> [105.99.46.173] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246317; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246318; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246319; rev:1;) alert tcp $HOME_NET any -> [23.95.132.42] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246320; rev:1;) alert tcp $HOME_NET any -> [85.204.116.169] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246321; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 1482 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm.css"; depth:7; nocase; http.host; content:"apps.nbcnews.site"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246326/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apps.nbcnews.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content"; depth:8; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/define/cookies/j7y8xv07bjq"; depth:27; nocase; http.host; content:"139.155.97.79"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246324; rev:1;) alert tcp $HOME_NET any -> [91.92.252.232] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"theatergenerationju.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"111.229.19.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246310/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.234"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"120.222.152.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.jd-vip.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246301/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_15; classtype:trojan-activity; sid:91246301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/boondle.txt"; depth:12; nocase; http.host; content:"tafrihafashion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xjadlcqfulrmbgzmnncyaldkmqglyjbkix.txt"; depth:39; nocase; http.host; content:"fatttjapan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otxcosmeticscare.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"otxcarecosmetics.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1246298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ontexcare.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trackgroup.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"businessprofessionalllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"156.251.162.29"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246294; rev:1;) alert tcp $HOME_NET any -> [77.232.143.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246293/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"77.232.143.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-mx77zdhn-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246290; rev:1;) alert tcp $HOME_NET any -> [192.151.244.144] 14782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c8/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246286; rev:1;) alert tcp $HOME_NET any -> [45.125.66.54] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246277; rev:1;) alert tcp $HOME_NET any -> [45.125.66.37] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246276; rev:1;) alert tcp $HOME_NET any -> [45.125.66.61] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246278; rev:1;) alert tcp $HOME_NET any -> [45.125.66.64] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246279; rev:1;) alert tcp $HOME_NET any -> [45.125.66.68] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91246280; rev:1;) alert tcp $HOME_NET any -> [45.125.66.95] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246281; rev:1;) alert tcp $HOME_NET any -> [45.125.66.109] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246282; rev:1;) alert tcp $HOME_NET any -> [45.125.66.137] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246283; rev:1;) alert tcp $HOME_NET any -> [45.125.66.146] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246284; rev:1;) alert tcp $HOME_NET any -> [45.125.66.152] 1311 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246285; rev:1;) alert tcp $HOME_NET any -> [88.198.109.225] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.109.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246274; rev:1;) alert tcp $HOME_NET any -> [124.221.163.107] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246272; rev:1;) alert tcp $HOME_NET any -> [141.98.10.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"muggierdragstemmio.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; 
http.host; content:"zamesblack.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"wisemassiveharmonious.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"medalappearancerackw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modernizepledgeoi.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246059/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reechoingkaolizationp.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"theoryapparatusjuko.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"premeritwallyoko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scandalbasketballoe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mealroomrallpassiveer.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"favourlegislatureduei.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"asleepfulltytarrtw.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"vatleaflettrusteeooj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"questbehavixoporpo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"greenbowelsustainny.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fishboatnurrybeauti.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mutterunlikelyoo.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246045/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_15; classtype:trojan-activity; sid:91246045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bicyclesunhygenico.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executivebrakeji.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"drilmoralwandreowpops.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"blastoporicwoff.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246043; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"decorousnumerousieo.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246040; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pielumchalotpostwo.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246041; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246038; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fieldtrollyeowskwe.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246039; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"lightsecretatylattew.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"executrixrangedcoew.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"forknegotationaow.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bremenessverdurewas.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"inviteaccessiblesaltw.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246033/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fossillandscapefewkew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"relevantvoicelesskw.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"antiuncontemporary.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"likelysoarastonishiow.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scshemevalleywelferw.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pioneerframeoakchew.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"herdbescuitinjurywu.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"smallrabbitcrossing.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"improvisersmissionjuw.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sustentatorcoagulat.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fikkeropendorwiw.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"telephoneverdictyow.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246021/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_15; classtype:trojan-activity; sid:91246021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"explodesaildecksatt.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"donorwifeconfusionstronko.site"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"stamprollabbeymemberw.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mazumaponyanthus.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cattilecodereowop.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sermonundressolcow.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"scrapedirtyieoqk.shop"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"presencewineonnyui.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"thinrecordsunrjisow.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246013; rev:1;) alert tcp $HOME_NET any -> [34.125.56.40] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246009; rev:1;) alert tcp $HOME_NET any -> [138.68.78.110] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246010; rev:1;) alert tcp $HOME_NET any -> [35.237.192.132] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"audiencegafferokkow.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"prescriptionstorageag.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"snuggleapplicationswo.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"steadfastvaluabelywomo.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"breakdecisiveexpandw.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unexaminablespectrall.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246070/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"unhappytidydryypwto.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diamondarrivallyowju.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"regardvelvettynerverf.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"isotrimorphicnongrasse.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ironshottallinko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"woodfeetumhblefepoj.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"additionmarriagefoewsv.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baresoakopiniocowe.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; 
nocase; http.host; content:"auctiondecadecontaii.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"syncarpiajanapiom.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"colorfulequalugliess.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"superiorhardwaerw.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246083/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"princeaccessiblepo.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"noduscheatscake.fun"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"knonkcdalfyhitt.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"televisionstudiowmmj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assumptionflattyou.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legatorypluralishrtw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"clientgirlfrienddyjw.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"onebiogopwdsa.site"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"samplepoisonbarryntj.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"villagemagneticcsa.fun"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246094; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"avatar.ps"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kgj112233.codns.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246241; rev:1;) alert tcp $HOME_NET any -> [67.213.108.79] 4782 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.fwfy.club"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"njtrial.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246244; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 38122 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"links-annually.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246246; rev:1;) alert tcp $HOME_NET any -> [52.14.81.142] 22206 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246247/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"7.tcp.ngrok.io"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246248/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246248; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 13040 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246249; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246250; rev:1;) alert tcp $HOME_NET any -> [204.93.201.142] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nextroundst.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246229; rev:1;) alert tcp $HOME_NET any -> [170.130.165.132] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246104; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246105; rev:1;) alert tcp $HOME_NET any -> [206.217.139.231] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246106; rev:1;) alert tcp $HOME_NET any -> [1.13.17.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adfhjadfbjadbfjkhad44jka.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywzimzrmnza4nzk0/"; depth:18; nocase; http.host; content:"valeriamygirlinstripcalloc.com"; 
depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246120; rev:1;) alert tcp $HOME_NET any -> [94.156.68.16] 137 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mauricioclopatofsky.tel"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246142/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246142; rev:1;) alert tcp $HOME_NET any -> [194.147.140.188] 4781 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"voshu.art"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246170; rev:1;) alert tcp $HOME_NET any -> [51.144.73.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246197; 
rev:1;) alert tcp $HOME_NET any -> [5.255.123.240] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246198/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246198; rev:1;) alert tcp $HOME_NET any -> [5.255.116.222] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246199/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246199; rev:1;) alert tcp $HOME_NET any -> [87.251.67.74] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246200/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246200; rev:1;) alert tcp $HOME_NET any -> [213.139.205.137] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246202/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246202; rev:1;) alert tcp $HOME_NET any -> [91.235.234.149] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246201/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91246201; rev:1;) alert tcp $HOME_NET any -> [185.141.24.10] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245971; rev:1;) alert tcp $HOME_NET any -> [194.36.188.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245972; rev:1;) alert tcp $HOME_NET any -> [185.82.200.181] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245973; rev:1;) alert tcp $HOME_NET any -> [194.36.188.56] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245974; rev:1;) alert tcp $HOME_NET any -> [194.36.188.62] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245975; rev:1;) alert tcp $HOME_NET any -> [164.90.202.142] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91245978; rev:1;) alert tcp $HOME_NET any -> [178.128.94.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245979; rev:1;) alert tcp $HOME_NET any -> [152.42.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245980; rev:1;) alert tcp $HOME_NET any -> [152.42.169.205] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245981; rev:1;) alert tcp $HOME_NET any -> [128.199.198.141] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245982; rev:1;) alert tcp $HOME_NET any -> [152.42.169.247] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245987; rev:1;) alert tcp $HOME_NET any -> [24.199.125.76] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245986; rev:1;) alert tcp $HOME_NET any -> [152.42.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245988; rev:1;) alert tcp $HOME_NET any -> [152.42.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245989; rev:1;) alert tcp $HOME_NET any -> [170.64.211.86] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1b.cx"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245992; rev:1;) alert tcp $HOME_NET any -> [194.36.188.83] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; 
sid:91245970; rev:1;) alert tcp $HOME_NET any -> [188.116.36.109] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245969; rev:1;) alert tcp $HOME_NET any -> [18.144.30.84] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245976; rev:1;) alert tcp $HOME_NET any -> [34.216.132.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"1v.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"t6m.pics"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245993; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 1500 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1246005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.nhankimcuong.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91246006; rev:1;) alert tcp $HOME_NET any -> [94.156.71.187] 7678 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245959; rev:1;) alert tcp $HOME_NET any -> [80.87.206.160] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245960; rev:1;) alert tcp $HOME_NET any -> [45.94.31.49] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245961; rev:1;) alert tcp $HOME_NET any -> [85.239.33.54] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245962/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245962; rev:1;) alert tcp 
$HOME_NET any -> [91.235.234.121] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245963/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245963; rev:1;) alert tcp $HOME_NET any -> [193.168.143.173] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245964/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245964; rev:1;) alert tcp $HOME_NET any -> [91.235.234.195] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245965/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245965; rev:1;) alert tcp $HOME_NET any -> [5.255.108.56] 443 (msg:"ThreatFox Unidentified 111 (Latrodectus) botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245966/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_15; classtype:trojan-activity; sid:91245966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowsflowerlongpoll/datalifemariadb0/9/requestapi/videojavascriptbigloaddefaultflowerdlecdn.php"; depth:98; nocase; http.host; content:"gaming7core.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91245967; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54439 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.60"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245913; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 54438 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.136"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"acizac12141.xyz"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245915; rev:1;) alert tcp $HOME_NET any -> [51.79.87.4] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_15; classtype:trojan-activity; sid:91245922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mdq4yzc4ntjkytg4/"; depth:18; nocase; http.host; content:"45.9.74.166"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91245912; rev:1;) alert tcp $HOME_NET any -> [91.92.253.149] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245890; rev:1;) alert tcp $HOME_NET any -> [128.90.61.78] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ledger-live.exe"; depth:16; nocase; http.host; content:"185.172.128.187"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245859; rev:1;) alert tcp $HOME_NET any -> [185.172.128.145] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245860; rev:1;) alert tcp $HOME_NET any -> [185.172.128.90] 80 (msg:"ThreatFox Stealc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245861; rev:1;) alert tcp $HOME_NET any -> [149.50.213.215] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245889; rev:1;) alert tcp $HOME_NET any -> [45.94.31.49] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245849; rev:1;) alert tcp $HOME_NET any -> [2.58.56.142] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245848; rev:1;) alert tcp $HOME_NET any -> [186.169.60.250] 1987 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ex.zip"; depth:7; nocase; http.host; content:"206.188.196.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245854; rev:1;) alert tcp $HOME_NET any -> [45.15.157.139] 11070 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245855; rev:1;) alert tcp $HOME_NET any -> [45.15.157.139] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91245856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0885058.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246271; rev:1;) alert tcp $HOME_NET any -> [124.70.78.129] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246270; rev:1;) alert tcp $HOME_NET any -> [97.74.95.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246269; rev:1;) alert tcp $HOME_NET any -> [140.143.125.127] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246268/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246268; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 58888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246267; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246266; rev:1;) alert tcp $HOME_NET any -> [179.14.9.152] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; 
classtype:trojan-activity; sid:91246265; rev:1;) alert tcp $HOME_NET any -> [27.124.34.16] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246264; rev:1;) alert tcp $HOME_NET any -> [41.96.85.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246263; rev:1;) alert tcp $HOME_NET any -> [137.103.187.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246262/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246262; rev:1;) alert tcp $HOME_NET any -> [72.27.11.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246261/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246261; rev:1;) alert tcp $HOME_NET any -> [172.232.14.44] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246260/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246260; rev:1;) alert tcp $HOME_NET any -> [23.227.198.236] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1246259/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246259; rev:1;) alert tcp $HOME_NET any -> [46.37.96.110] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246258/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246258; rev:1;) alert tcp $HOME_NET any -> [54.209.66.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246257; rev:1;) alert tcp $HOME_NET any -> [139.162.180.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246256; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246255; rev:1;) alert tcp $HOME_NET any -> [23.227.194.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246254; rev:1;) alert tcp $HOME_NET any -> [194.246.114.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246253; rev:1;) alert tcp $HOME_NET any -> [8.130.10.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246252; rev:1;) alert tcp $HOME_NET any -> [143.244.132.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_15; classtype:trojan-activity; sid:91246251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"392065cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246236; rev:1;) alert tcp $HOME_NET any -> [222.114.183.144] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_15; classtype:trojan-activity; sid:91246235; rev:1;) alert tcp $HOME_NET any -> [54.156.182.111] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246234/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246234; rev:1;) alert tcp $HOME_NET any -> [139.180.144.32] 9001 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_15; classtype:trojan-activity; sid:91246233; rev:1;) alert tcp $HOME_NET any -> [85.239.238.79] 1235 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgeocentral.php"; depth:22; nocase; http.host; content:"91.220.109.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kj.html"; depth:8; nocase; http.host; 
content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246227; rev:1;) alert tcp $HOME_NET any -> [5.188.86.215] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246228; rev:1;) alert tcp $HOME_NET any -> [107.174.228.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.174.228.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246225; rev:1;) alert tcp $HOME_NET any -> [82.146.59.110] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246224; rev:1;) alert tcp $HOME_NET any -> [206.238.42.236] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246223/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246223; rev:1;) alert tcp $HOME_NET any -> [147.78.103.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246222; rev:1;) alert tcp $HOME_NET any -> [45.67.230.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246221; rev:1;) alert tcp $HOME_NET any -> [167.179.105.44] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246220; rev:1;) alert tcp $HOME_NET any -> [46.246.6.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246219; rev:1;) alert tcp $HOME_NET any -> [20.107.243.137] 3000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246218; rev:1;) alert tcp $HOME_NET any -> [50.35.133.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246217; rev:1;) alert tcp $HOME_NET any -> [54.37.138.65] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246216; rev:1;) alert tcp $HOME_NET any -> [54.245.19.64] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246215/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246215; rev:1;) alert tcp $HOME_NET any -> [23.95.48.151] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246214; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246212; rev:1;) alert tcp $HOME_NET any -> [45.144.31.57] 40000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246213; rev:1;) alert tcp $HOME_NET 
any -> [103.152.254.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246211/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246211; rev:1;) alert tcp $HOME_NET any -> [45.8.146.116] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246210; rev:1;) alert tcp $HOME_NET any -> [3.0.250.71] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246209; rev:1;) alert tcp $HOME_NET any -> [116.203.117.12] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246208; rev:1;) alert tcp $HOME_NET any -> [45.144.28.165] 49119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246206; rev:1;) alert tcp $HOME_NET any -> [103.35.188.34] 39119 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246207/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.117.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"103.35.188.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.144.28.165"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246203; rev:1;) alert tcp $HOME_NET any -> [168.100.11.227] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcarecosmetics.com"; depth:24; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1246195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246195; rev:1;) alert tcp $HOME_NET any -> [134.209.87.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.otxcosmeticscare.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kumbaraan.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246191; rev:1;) alert tcp $HOME_NET any -> [103.253.146.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"kumbaraan.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246190/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246189; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-1488.winstate.cc"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-1488.winstate.cc"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; 
content:"37.1.197.252"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246184; rev:1;) alert tcp $HOME_NET any -> [37.1.197.252] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246185; rev:1;) alert tcp $HOME_NET any -> [172.210.42.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ocsp/"; depth:6; nocase; http.host; content:"172.210.42.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246182; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"35.153.33.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"42.186.17.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246180; rev:1;) alert tcp $HOME_NET any -> [74.48.19.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jspassport.ssl.qhimg.com.dsa.dnsv1.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246178; rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246176; rev:1;) alert tcp $HOME_NET any -> [3.219.159.186] 80 (msg:"ThreatFox 
Serpent Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246175; rev:1;) alert tcp $HOME_NET any -> [107.172.31.178] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246174; rev:1;) alert tcp $HOME_NET any -> [47.92.158.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"res.mall.10010.cn"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.124.65.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"103.146.140.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.91.26.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.52.236"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; 
classtype:trojan-activity; sid:91246161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/content/hot/y/liveupdate/"; depth:26; nocase; http.host; content:"docloudstorage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docloudstorage.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.131.222.214"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"59.80.47.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"106.225.221.115"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"43.141.11.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.100"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.15.173"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1246151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246150; rev:1;) alert tcp $HOME_NET any -> [116.203.15.173] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246146; rev:1;) alert tcp $HOME_NET any -> [5.75.215.43] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246147; rev:1;) alert tcp $HOME_NET any -> [159.69.103.100] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246148/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246148; rev:1;) alert tcp $HOME_NET any -> [65.109.240.54] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246143; rev:1;) alert tcp $HOME_NET any -> [5.75.208.156] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246144; rev:1;) alert tcp $HOME_NET any -> [5.75.208.156] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246139/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/user/five/fre.php"; depth:18; nocase; http.host; content:"mauricioclopatofsky.tel"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246138/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246138; rev:1;) alert tcp $HOME_NET any -> [124.70.19.189] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246137; rev:1;) alert tcp $HOME_NET any -> [123.1.189.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246136; rev:1;) alert tcp $HOME_NET any -> [46.246.80.13] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246135/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246135; rev:1;) alert tcp $HOME_NET any -> [78.46.191.105] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246134; rev:1;) alert tcp $HOME_NET any -> [27.124.34.14] 1145 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246133; rev:1;) alert tcp $HOME_NET any -> [41.96.78.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246132; rev:1;) alert tcp $HOME_NET any -> [82.7.3.113] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246131; rev:1;) alert tcp $HOME_NET any -> [74.138.4.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246130; rev:1;) alert tcp $HOME_NET any -> [37.1.208.95] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246129; rev:1;) alert tcp $HOME_NET any -> [85.111.0.39] 10250 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246128/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246128; rev:1;) alert tcp $HOME_NET any -> [138.197.116.57] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246127/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_14; classtype:trojan-activity; sid:91246127; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 6606 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_14; classtype:trojan-activity; sid:91246126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0929508.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246125; rev:1;) alert tcp $HOME_NET any -> [49.13.200.170] 7878 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"rosalihi.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image1/linuxhttp/_/53secure/phplocal/externalrequestlow6/cdn/multi3auth/vmmultiflower.php"; depth:90; nocase; http.host; content:"185.104.113.237"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246122/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_14; classtype:trojan-activity; sid:91246122; rev:1;) alert tcp $HOME_NET any -> [154.23.178.70] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_14; classtype:trojan-activity; sid:91246121; rev:1;) alert tcp $HOME_NET any -> [141.255.167.251] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246119; rev:1;) alert tcp $HOME_NET any -> [5.181.80.13] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246118; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 4343 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246117; rev:1;) alert tcp $HOME_NET any -> [34.162.156.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246116; rev:1;) alert tcp $HOME_NET any -> [3.88.102.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246115; rev:1;) alert tcp $HOME_NET any -> [3.94.102.197] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246114; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246113; rev:1;) alert tcp $HOME_NET any -> [81.94.150.166] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246112; rev:1;) alert tcp $HOME_NET any -> [142.93.97.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newcleos.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1246109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246109; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/appdata.aspx"; depth:13; nocase; http.host; content:"newcleos.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246108; rev:1;) alert tcp $HOME_NET any -> [81.70.71.30] 62233 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246103; rev:1;) alert tcp $HOME_NET any -> [57.151.120.22] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246102/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246102; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246101; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246100; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246099; rev:1;) alert tcp $HOME_NET any -> [187.135.82.22] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246098; rev:1;) alert tcp $HOME_NET any -> [129.204.201.114] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246097; rev:1;) alert tcp $HOME_NET any -> [193.42.63.146] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91246096; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 56901 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"dbhg.duckdns.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1246007/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91246007; rev:1;) alert tcp $HOME_NET any -> [194.87.74.14] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246004/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246004; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246003; rev:1;) alert tcp $HOME_NET any -> [167.56.207.201] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246002; rev:1;) alert tcp $HOME_NET any -> [188.49.94.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246001; rev:1;) alert tcp $HOME_NET any -> [185.51.171.169] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1246000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91246000; rev:1;) alert tcp $HOME_NET any -> [92.177.126.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245999; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 4891 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245998; rev:1;) alert tcp $HOME_NET any -> [103.216.51.35] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245997; rev:1;) alert tcp $HOME_NET any -> [49.232.214.141] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245996; rev:1;) alert tcp $HOME_NET any -> [45.89.54.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245995; rev:1;) alert tcp $HOME_NET any -> [45.157.69.156] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245994; rev:1;) alert tcp $HOME_NET any -> [146.70.44.156] 
50051 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245985; rev:1;) alert tcp $HOME_NET any -> [14.239.3.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245984; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245983; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245968; rev:1;) alert tcp $HOME_NET any -> [193.233.132.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245956/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245956; rev:1;) alert tcp $HOME_NET any -> [144.91.109.161] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245955; rev:1;) alert tcp $HOME_NET any -> [45.154.3.56] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245954/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245954; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 55779 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245953/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245953; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245952/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245952; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245951/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245951; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245950/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245950; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1911 (msg:"ThreatFox 
DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245949/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245949; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245948/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245948; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1761 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245947; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245946; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245945/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245945; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245944/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; 
classtype:trojan-activity; sid:91245944; rev:1;) alert tcp $HOME_NET any -> [2.45.75.48] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245943/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245943; rev:1;) alert tcp $HOME_NET any -> [74.48.151.50] 11212 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245942/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245942; rev:1;) alert tcp $HOME_NET any -> [20.19.35.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245941/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245941; rev:1;) alert tcp $HOME_NET any -> [39.104.200.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245940/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245940; rev:1;) alert tcp $HOME_NET any -> [101.99.92.169] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245939/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245939; rev:1;) alert tcp $HOME_NET any -> [185.196.9.38] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245938/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245938; rev:1;) alert tcp $HOME_NET any -> [193.233.132.147] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245937/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245937; rev:1;) alert tcp $HOME_NET any -> [193.233.132.180] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245936/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245936; rev:1;) alert tcp $HOME_NET any -> [88.198.107.0] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245935/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245935; rev:1;) alert tcp $HOME_NET any -> [116.202.4.240] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245934/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245934; rev:1;) alert tcp $HOME_NET any -> [77.105.162.176] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245933/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_13; classtype:trojan-activity; sid:91245933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dolul/five/fre.php"; depth:19; nocase; http.host; content:"94.156.66.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245932; rev:1;) alert tcp $HOME_NET any -> [193.233.132.57] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245931; rev:1;) alert tcp $HOME_NET any -> [121.43.55.149] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245930; rev:1;) alert tcp $HOME_NET any -> [185.106.96.225] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245929; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"uama.com.ua"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"talesofpirates.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245927; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sodez.ru"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"nidoe.org"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"175.178.47.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.111.110"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245923; rev:1;) alert tcp $HOME_NET any -> [205.189.160.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245921; rev:1;) alert tcp $HOME_NET any -> [39.105.4.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245919; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.27.162.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245916; rev:1;) alert tcp $HOME_NET any -> [175.27.162.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245917; rev:1;) alert tcp $HOME_NET any -> [192.3.109.132] 4445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bachlong-sro.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245910; rev:1;) alert tcp $HOME_NET any -> [185.172.128.146] 443 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sys/index.php"; depth:14; nocase; http.host; content:"185.172.128.146"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245908; rev:1;) alert tcp $HOME_NET any -> [192.210.201.57] 52499 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245907; rev:1;) alert tcp $HOME_NET any -> [154.90.63.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"154.90.63.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245905; rev:1;) alert tcp $HOME_NET any -> [39.107.89.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.107.89.22"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1245903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-lhtzt3wh-1319979259.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"139.224.188.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245899; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.107.242.125"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eb6f29c6a60b3865.php"; depth:21; nocase; http.host; content:"147.45.47.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.221.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245888/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245886; rev:1;) alert tcp $HOME_NET any -> [5.75.213.121] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245884; rev:1;) alert tcp $HOME_NET any -> [5.75.221.28] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245885; rev:1;) alert tcp $HOME_NET any -> [5.75.213.121] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_13; classtype:trojan-activity; sid:91245883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"82.146.45.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245882/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_13; classtype:trojan-activity; sid:91245882; rev:1;) alert tcp $HOME_NET any -> [66.63.162.155] 1608 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245881/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_13; classtype:trojan-activity; sid:91245881; rev:1;) alert tcp $HOME_NET any -> [83.220.169.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245880; rev:1;) alert tcp $HOME_NET any -> [213.189.201.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245879; rev:1;) alert tcp $HOME_NET any -> [37.1.205.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245878/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245878; rev:1;) alert tcp $HOME_NET any -> [178.73.192.11] 5000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245877/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245877; rev:1;) alert tcp $HOME_NET any -> [46.246.80.4] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245876/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245876; rev:1;) alert tcp $HOME_NET any -> [58.84.90.93] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245875; rev:1;) alert tcp $HOME_NET any -> [72.27.137.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245874; rev:1;) alert tcp $HOME_NET any -> [2.50.45.215] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245873; rev:1;) alert tcp $HOME_NET any -> [39.40.175.239] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245872; rev:1;) alert tcp $HOME_NET any -> [24.148.11.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245871; rev:1;) alert tcp $HOME_NET any -> [45.137.10.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245870; rev:1;) alert tcp $HOME_NET any -> [37.1.212.112] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245869; rev:1;) alert tcp $HOME_NET any -> [23.227.193.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245868; rev:1;) alert tcp $HOME_NET any -> [37.1.208.95] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245867; rev:1;) alert tcp $HOME_NET any -> [87.122.8.35] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245866; rev:1;) alert tcp $HOME_NET any -> [139.84.137.24] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_13; classtype:trojan-activity; sid:91245865; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"193.143.1.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/release_notes.js"; depth:17; nocase; http.host; content:"74.48.57.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/69pipe4/2temp/betterpipetrackpipe/62test/geoprocessauth.php"; depth:60; nocase; http.host; content:"188.120.241.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245862; rev:1;) alert tcp $HOME_NET any -> [43.248.129.152] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/processorbase.php"; depth:18; nocase; http.host; content:"737165cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245857; rev:1;) alert tcp $HOME_NET any -> [124.248.69.29] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245853; rev:1;) alert tcp $HOME_NET any -> [115.231.218.42] 14363 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245852; rev:1;) alert tcp $HOME_NET any -> [110.42.102.82] 6688 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245850; rev:1;) alert tcp $HOME_NET any -> [114.130.36.120] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245847/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245847; rev:1;) alert tcp $HOME_NET any -> [137.184.177.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245846/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_12; classtype:trojan-activity; sid:91245846; rev:1;) alert tcp $HOME_NET any -> [34.81.83.87] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245845/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245845; rev:1;) alert tcp $HOME_NET any -> [27.156.108.198] 6079 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245844/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245844; rev:1;) alert tcp $HOME_NET any -> [191.88.250.232] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245843; rev:1;) alert tcp $HOME_NET any -> [41.96.29.46] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245842; rev:1;) alert tcp $HOME_NET any -> [51.211.208.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245841; rev:1;) alert tcp $HOME_NET any -> [210.2.169.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245840; rev:1;) alert tcp $HOME_NET any -> [124.106.197.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245839; rev:1;) alert tcp $HOME_NET any -> [20.191.195.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245838; rev:1;) alert tcp $HOME_NET any -> [95.164.19.54] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245836; rev:1;) alert tcp $HOME_NET any -> [37.120.239.146] 23250 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245837; rev:1;) alert tcp $HOME_NET any -> [193.233.132.159] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245835; rev:1;) alert tcp $HOME_NET any -> [69.30.232.230] 443 (msg:"ThreatFox Cobalt Strike 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245830/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245830; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245824; rev:1;) alert tcp $HOME_NET any -> [5.75.208.68] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245825; rev:1;) alert tcp $HOME_NET any -> [5.75.208.68] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; 
classtype:trojan-activity; sid:91245826; rev:1;) alert tcp $HOME_NET any -> [95.217.28.198] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.208.68"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"7t.nz"; depth:5; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/read/timer.php"; depth:15; nocase; http.host; content:"dasmake.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245819/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"69.30.232.230"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"69.30.232.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"69.30.232.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"69.30.232.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"69.30.232.226"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245801; rev:1;) alert tcp $HOME_NET any -> [95.179.177.99] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_12; classtype:trojan-activity; sid:91245800; rev:1;) alert tcp $HOME_NET any -> [134.122.129.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245799; rev:1;) alert tcp $HOME_NET any -> [3.141.100.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.tecbanis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245797; rev:1;) alert tcp $HOME_NET any -> [23.95.208.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oob.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bbo.microsoft360.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245794; rev:1;) alert tcp $HOME_NET any -> [5.34.179.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"38.60.253.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245791; rev:1;) alert tcp $HOME_NET any -> [5.34.179.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"5.34.179.101"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.136.241.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"82.157.169.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245787; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; 
http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekololis.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245775; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catgirls.network"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rx.neko.ltd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neko.ltd"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245772; rev:1;) alert tcp $HOME_NET any -> [15.204.211.32] 888 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245769; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 2 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.226] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245771; rev:1;) alert tcp $HOME_NET any -> [51.89.157.32] 4200 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245768; rev:1;) alert tcp $HOME_NET any -> [194.169.175.33] 2323 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245767; rev:1;) alert tcp $HOME_NET any -> [194.169.175.31] 2323 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245778; rev:1;) 
# --- Review notes on the rules below (generated ThreatFox feed; in the original feed each rule is one line) ---
# sid == 90000000 + ThreatFox IOC id for every rule seen here (e.g. ioc/1245777 -> sid:91245777), so an
# alert's sid maps straight back to the reference:url without parsing the msg text.
# "alert http" rules: the http.uri content uses depth equal to the pattern length, which pins the path to
# offset 0; the http.host content + depth + isdataat:!1,relative requires the Host header to equal the
# literal exactly (no subdomain or port suffix). Rules with content:"/"; depth:1 therefore match any
# request path, i.e. every request to that host -- intended for these C2/payload hosts, but expect volume.
# "alert tcp $HOME_NET any -> [ip] port" rules carry no flow: keyword, so a single SYN from an internal
# host is enough to fire; "threshold: type limit, track by_src, seconds 60, count 1" caps that at one
# alert per internal source per minute, and target:src_ip marks that internal host as the affected asset.
# Exact duplicates exist in this part of the feed (same proto/host/path, different sid and ioc id),
# e.g. sid 91245822/91245823, 91245789/91245792, 91245803/91245831: each hit raises two alerts, so
# deduplicate downstream on the host+uri (or ip+port) tuple rather than on sid or reference:url.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/limitgameruleboot/systemcore/war/basewordpressdatalife.php"; depth:59; nocase; http.host; content:"185.246.67.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245764; rev:1;) alert tcp $HOME_NET any -> [49.13.32.231] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245761; rev:1;) alert tcp $HOME_NET any -> [116.202.4.240] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245762/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245762; rev:1;) alert tcp $HOME_NET any -> [88.198.107.0] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.107.0"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.231"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245758; rev:1;) alert tcp $HOME_NET any -> [103.186.117.66] 1906 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245757; rev:1;) alert tcp $HOME_NET any -> [194.33.191.105] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245756; rev:1;) alert tcp $HOME_NET any -> [185.196.11.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245755; rev:1;) alert tcp $HOME_NET any -> [143.110.180.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245754; rev:1;) alert tcp $HOME_NET any -> [66.103.202.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245753; rev:1;) alert tcp $HOME_NET any -> [66.103.202.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245752; rev:1;) alert tcp $HOME_NET any -> [64.23.194.166] 80 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245751; rev:1;) alert tcp $HOME_NET any -> [23.93.94.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245750; rev:1;) alert tcp $HOME_NET any -> [70.31.127.214] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245749; rev:1;) alert tcp $HOME_NET any -> [72.27.34.29] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245748; rev:1;) alert tcp $HOME_NET any -> [175.10.220.200] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245747; rev:1;) alert tcp $HOME_NET any -> [104.248.92.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245746/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_12; classtype:trojan-activity; sid:91245746; rev:1;) alert tcp $HOME_NET any -> [122.114.225.100] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245745; rev:1;) alert tcp $HOME_NET any -> [122.114.192.32] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245744; rev:1;) alert tcp $HOME_NET any -> [122.114.156.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245743; rev:1;) alert tcp $HOME_NET any -> [122.114.197.147] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245742; rev:1;) alert tcp $HOME_NET any -> [122.114.10.11] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245741; rev:1;) alert tcp $HOME_NET any -> [122.114.192.234] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245740; rev:1;) alert tcp $HOME_NET any -> [37.1.212.112] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245739; rev:1;) alert tcp $HOME_NET any -> [154.90.49.110] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_12; classtype:trojan-activity; sid:91245737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncawaitapi.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245734; rev:1;) alert tcp $HOME_NET any -> [91.92.243.162] 45162 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"apifunctioncall.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245733; rev:1;) alert tcp $HOME_NET any -> 
[45.128.232.59] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"xcelonline.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245736; rev:1;) alert tcp $HOME_NET any -> [204.95.99.109] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_12; classtype:trojan-activity; sid:91245735; rev:1;) alert tcp $HOME_NET any -> [194.165.16.59] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245731; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245729; rev:1;) alert tcp $HOME_NET any -> [45.74.36.210] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"170.130.55.104"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"45.132.237.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"154.92.19.29"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245725; rev:1;) alert tcp $HOME_NET any -> [142.202.242.172] 30098 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245724; rev:1;) alert tcp $HOME_NET any -> [146.56.238.25] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245722; rev:1;) alert tcp $HOME_NET any -> [167.88.160.158] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245721; rev:1;) alert tcp $HOME_NET any -> [79.114.226.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245720/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245720; rev:1;) alert tcp $HOME_NET any -> [45.87.246.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245719; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 10000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245718; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9800 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245717; rev:1;) alert tcp $HOME_NET any -> [154.223.20.108] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245716; rev:1;) alert tcp $HOME_NET any -> [38.54.63.253] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v0/b/maga-414515.appspot.com/o/l4djx6iv5c%2fdoc_h37_93i800248-18015745p1346-4493y8.js"; depth:86; nocase; http.host; content:"firebasestorage.googleapis.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"durete.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qbijgho"; depth:8; nocase; http.host; content:"qyjifia.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcjwcj.cn"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245710; rev:1;) alert tcp $HOME_NET any -> [154.9.29.154] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245709/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; 
classtype:trojan-activity; sid:91245709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"drifajizo.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"scifimond.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"minndarespo.icu"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"ginzbargatey.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"popfealt.one"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245704; rev:1;) alert tcp $HOME_NET any -> [89.190.156.61] 60124 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245702; rev:1;) alert tcp $HOME_NET any -> [141.98.7.7] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/"; depth:8; nocase; http.host; content:"bellebobas.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245701; rev:1;) alert tcp $HOME_NET any -> [217.67.178.79] 51177 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245700; rev:1;) alert tcp $HOME_NET any -> [85.175.101.203] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245699; rev:1;) alert tcp $HOME_NET any -> [193.143.1.195] 30293 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245698; rev:1;) alert tcp $HOME_NET any -> [193.233.132.162] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245697; rev:1;) alert tcp $HOME_NET any -> [45.156.21.39] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245696; rev:1;) alert tcp $HOME_NET any -> [188.27.166.233] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245695; rev:1;) alert tcp $HOME_NET any -> [193.233.161.246] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245694; rev:1;) alert tcp $HOME_NET any -> 
[95.216.117.33] 8088 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245693; rev:1;) alert tcp $HOME_NET any -> [77.91.124.37] 3001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245692; rev:1;) alert tcp $HOME_NET any -> [45.15.157.90] 3000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_11; classtype:trojan-activity; sid:91245691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199651834633"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/raf6ik"; depth:7; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245687; rev:1;) alert tcp $HOME_NET any -> [49.12.116.63] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245685; rev:1;) alert tcp $HOME_NET any -> [95.217.240.152] 8081 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumpdlepipe/pipeprovider0python/3dumpdump/dumpsecure/db6locallow/async9/pipetosql.php"; depth:86; nocase; http.host; content:"195.2.84.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245684/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_11; classtype:trojan-activity; sid:91245684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bestopgoespink.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"digestlivepro.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245671; rev:1;) alert tcp $HOME_NET any -> [78.40.117.110] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245673; rev:1;) alert tcp $HOME_NET any -> [78.40.117.169] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245674; rev:1;) alert tcp $HOME_NET any -> [78.40.117.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245675; rev:1;) alert tcp $HOME_NET any -> [78.40.117.251] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245676; rev:1;) alert tcp $HOME_NET any -> [85.204.116.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245678; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hex.lumosora.us"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245681; 
rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245680; rev:1;) alert tcp $HOME_NET any -> [93.123.85.121] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245682; rev:1;) alert tcp $HOME_NET any -> [185.196.9.25] 38242 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245683; rev:1;) alert tcp $HOME_NET any -> [54.94.118.7] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c7/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245672/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c9/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245667/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245667; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245666/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"46.183.223.73"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245665; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245663; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245664; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245655/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245655; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245656/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245656; rev:1;) alert tcp $HOME_NET any -> [62.113.112.234] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245657; rev:1;) alert tcp $HOME_NET any -> [94.103.85.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245658; rev:1;) alert tcp $HOME_NET any -> [95.142.45.151] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245659; rev:1;) alert tcp $HOME_NET any -> [193.178.170.114] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245661; rev:1;) alert tcp 
$HOME_NET any -> [178.20.40.225] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245660; rev:1;) alert tcp $HOME_NET any -> [194.48.250.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245662; rev:1;) alert tcp $HOME_NET any -> [147.45.77.28] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245644/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245644; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245654; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245653; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245652/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245652; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245651; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17485 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245650; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245649; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245648; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245647; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245646; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245645; rev:1;) alert tcp $HOME_NET any -> [93.123.85.75] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mall_100_100.html"; depth:18; nocase; http.host; content:"47.92.158.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245643; rev:1;) alert tcp $HOME_NET any -> [194.165.16.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245642; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; 
content:"194.165.16.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jango-pulse.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"jango-pulse.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blm-wiki.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v8.18/84le6psohs"; depth:26; nocase; http.host; content:"blm-wiki.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245637; rev:1;) alert tcp $HOME_NET any -> [38.181.70.201] 53 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dice1018.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245634; rev:1;) alert tcp $HOME_NET any -> [141.98.7.62] 44556 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.99.177.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.173.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"www.test9977.tk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245627; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245626/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245626; 
rev:1;) alert tcp $HOME_NET any -> [192.3.216.140] 52498 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245625/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245625; rev:1;) alert tcp $HOME_NET any -> [141.98.7.12] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245613; rev:1;) alert tcp $HOME_NET any -> [51.81.0.241] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245612; rev:1;) alert tcp $HOME_NET any -> [147.78.103.89] 5958 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245614; rev:1;) alert tcp $HOME_NET any -> [45.125.66.129] 37215 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245615; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245616/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245616; rev:1;) alert tcp $HOME_NET any -> [91.92.251.30] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245617; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245618; rev:1;) alert tcp $HOME_NET any -> [103.67.197.185] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245619; rev:1;) alert tcp $HOME_NET any -> [45.13.227.12] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245620; rev:1;) alert tcp $HOME_NET any -> [141.98.7.17] 49760 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245621; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245624; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245623; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16779 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245622; rev:1;) alert tcp $HOME_NET any -> [49.12.116.63] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.116.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245610; rev:1;) alert tcp $HOME_NET any -> [82.156.211.202] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245609/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245609; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245607; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245608; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245606; rev:1;) alert tcp $HOME_NET any -> [62.109.20.47] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245605; rev:1;) alert tcp $HOME_NET any -> [101.34.222.185] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245604; rev:1;) alert tcp $HOME_NET any -> [120.26.243.135] 4545 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245603; rev:1;) alert tcp $HOME_NET any -> [190.134.52.14] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245602; rev:1;) alert tcp $HOME_NET any -> [75.173.32.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245601; rev:1;) alert tcp $HOME_NET any -> [41.98.180.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245600; rev:1;) alert tcp $HOME_NET any -> [161.97.141.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_11; classtype:trojan-activity; sid:91245599; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 839 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245576/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245576; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 
1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245548/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245548; rev:1;) alert tcp $HOME_NET any -> [193.233.132.204] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245581/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"aliatabakastabumerangs.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mexico2020.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245588; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245595/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245595; rev:1;) alert tcp $HOME_NET any -> [46.246.6.12] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245587/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"1callalert.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"choiceonesupport.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/default.php"; depth:12; nocase; http.host; content:"criminallawdc.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245596; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245594; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11258 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245592; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245593; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11258 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245591; rev:1;) alert tcp $HOME_NET any -> [147.45.47.39] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245590; rev:1;) alert tcp $HOME_NET any -> [192.3.216.131] 1808 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_11; classtype:trojan-activity; sid:91245589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/64yz"; depth:5; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1245585/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_11; classtype:trojan-activity; sid:91245585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"umfi.live"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245583; rev:1;) alert tcp $HOME_NET any -> [34.216.132.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"umfi.live"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245582; rev:1;) alert tcp $HOME_NET any -> [193.26.115.138] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aerotable_generate_ai"; depth:22; nocase; http.host; content:"150.107.201.170"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1245579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245579; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 49626 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.204"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245577; rev:1;) alert tcp $HOME_NET any -> [123.99.198.201] 20064 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245575; rev:1;) alert tcp $HOME_NET any -> [82.197.93.210] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245574/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245574; rev:1;) alert tcp $HOME_NET any -> [142.171.8.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; 
classtype:trojan-activity; sid:91245573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.155"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.233.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.89.149"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.234.153"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245568; rev:1;) alert tcp $HOME_NET any -> [95.217.234.153] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245565; rev:1;) alert tcp $HOME_NET any -> [49.13.89.149] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245566; rev:1;) alert tcp $HOME_NET any -> [78.46.233.36] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245567; rev:1;) alert tcp $HOME_NET any -> [103.163.208.187] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245564; rev:1;) alert tcp $HOME_NET any -> [94.198.54.154] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245563/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_10; classtype:trojan-activity; sid:91245563; rev:1;) alert tcp $HOME_NET any -> [72.27.110.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245562; rev:1;) alert tcp $HOME_NET any -> [45.245.103.58] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245561; rev:1;) alert tcp $HOME_NET any -> [80.75.212.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245560/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245560; rev:1;) alert tcp $HOME_NET any -> [179.60.149.241] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245559; rev:1;) alert tcp $HOME_NET any -> [66.85.27.144] 24513 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245558; rev:1;) alert tcp $HOME_NET any -> [151.236.16.232] 8226 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245557; rev:1;) alert tcp $HOME_NET any -> [163.177.79.82] 7443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245556; rev:1;) alert tcp $HOME_NET any -> [34.126.126.52] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245555; rev:1;) alert tcp $HOME_NET any -> [88.151.192.114] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245554; rev:1;) alert tcp $HOME_NET any -> [167.71.184.214] 8081 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245553; rev:1;) alert tcp $HOME_NET any -> [167.71.184.214] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"113.26.81.251"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245551; rev:1;) alert tcp $HOME_NET any -> [193.233.132.224] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245550; rev:1;) alert tcp $HOME_NET any -> [193.233.132.224] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245549; rev:1;) alert tcp $HOME_NET any -> [142.93.140.199] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245547; rev:1;) alert tcp $HOME_NET any -> [91.201.40.221] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245546; rev:1;) alert tcp $HOME_NET any -> [45.132.237.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245545; rev:1;) alert tcp $HOME_NET any -> [193.233.132.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245544; rev:1;) alert tcp $HOME_NET any -> [138.201.82.227] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245543; rev:1;) alert tcp $HOME_NET any -> [142.202.240.134] 5555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_10; classtype:trojan-activity; sid:91245542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octopanel.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma1bmx.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245534; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma2ford.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma3apple.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma4samsung.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma5merc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipolastationplasma7class.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ipolastationplasma8pla.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245540; rev:1;) alert tcp $HOME_NET any -> [185.172.128.123] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245525; rev:1;) alert tcp $HOME_NET any -> [34.243.217.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/search/"; depth:12; nocase; http.host; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"69uiu06es5.execute-api.us-east-1.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"59.110.6.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245529; rev:1;) alert tcp $HOME_NET any -> [59.110.6.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"43.136.40.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245528; rev:1;) alert tcp $HOME_NET any -> [47.76.150.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245526; rev:1;) alert tcp $HOME_NET any 
-> [146.19.233.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"146.19.233.250"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245523; rev:1;) alert tcp $HOME_NET any -> [120.46.207.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.46.207.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245519/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245519; rev:1;) alert tcp $HOME_NET any -> [142.171.227.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245520; rev:1;) alert tcp $HOME_NET any -> [142.171.227.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/12/29136388_"; depth:45; nocase; http.host; content:"142.171.227.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.76.150.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245515; rev:1;) alert tcp $HOME_NET any -> [47.76.150.79] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245516/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/83/process8/windowspipe3/trackjs2/2downloads2php/linesecure/serverrequestgeo/better1processor/pipedownloads5/uploadscdn/polllowapiprotectsqlwpdlecentraldownloads.php"; depth:166; nocase; http.host; content:"62.109.7.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"119.3.123.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.indiadreamdestinations.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245510/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.indiadreamdestinations.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"arpa.giodnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"arpa.giodnews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/0ab7ztvql7n68tmodjmicd"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0927657.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245504; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 47077 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtrj"; depth:5; nocase; http.host; content:"23.95.90.77"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245502/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; 
sid:91245502; rev:1;) alert tcp $HOME_NET any -> [23.95.90.77] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"zakifail.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245469/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5bae"; depth:5; nocase; http.host; content:"43.153.173.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245477; rev:1;) alert tcp $HOME_NET any -> [43.248.188.181] 9003 (msg:"ThreatFox KrBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavsmoked.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; 
classtype:trojan-activity; sid:91245488; rev:1;) alert tcp $HOME_NET any -> [94.250.255.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245500/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245500; rev:1;) alert tcp $HOME_NET any -> [184.63.241.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245499/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245499; rev:1;) alert tcp $HOME_NET any -> [149.109.123.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245498/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245498; rev:1;) alert tcp $HOME_NET any -> [185.130.46.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245497; rev:1;) alert tcp $HOME_NET any -> [45.134.9.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245496/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_10; classtype:trojan-activity; sid:91245496; rev:1;) alert tcp $HOME_NET any -> [213.109.192.46] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245494/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245494; rev:1;) alert tcp $HOME_NET any -> [5.252.178.5] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_10; classtype:trojan-activity; sid:91245495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/stats/save.php"; depth:15; nocase; http.host; content:"ppp-gl.biz"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245493; rev:1;) alert tcp $HOME_NET any -> [135.181.10.212] 27222 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245492; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245491; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; 
sid:91245490; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12353 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_10; classtype:trojan-activity; sid:91245489; rev:1;) alert tcp $HOME_NET any -> [15.235.130.29] 60237 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dle4/javascriptrequestsecurecpuserversqlbaseflowerasynccdn.php"; depth:63; nocase; http.host; content:"62.109.11.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsjs/gate.php"; depth:14; nocase; http.host; content:"www.techlift.com.my"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245485; rev:1;) alert tcp $HOME_NET any -> [107.172.31.19] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245484; rev:1;) alert tcp $HOME_NET any -> [147.45.40.66] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245483; rev:1;) alert tcp $HOME_NET any -> [5.42.92.73] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245482/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245482; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245481/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245481; rev:1;) alert tcp $HOME_NET any -> [5.75.213.155] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245480; rev:1;) alert tcp $HOME_NET any -> [45.137.22.252] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245479; rev:1;) alert tcp $HOME_NET any -> [47.100.87.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1245476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.100.87.177"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245475; rev:1;) alert tcp $HOME_NET any -> [95.181.161.144] 443 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245474; rev:1;) alert tcp $HOME_NET any -> [141.98.7.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245473; rev:1;) alert tcp $HOME_NET any -> [46.246.4.16] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245472; rev:1;) alert tcp $HOME_NET any -> [173.249.59.173] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; 
sid:91245471; rev:1;) alert tcp $HOME_NET any -> [172.233.174.11] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245470; rev:1;) alert tcp $HOME_NET any -> [217.195.197.48] 80 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245467; rev:1;) alert tcp $HOME_NET any -> [213.152.162.15] 53525 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagegeoapimultibaselinuxtracktempuploads.php"; depth:46; nocase; http.host; content:"739668cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245465; rev:1;) alert tcp $HOME_NET any -> [41.103.44.20] 999 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hi.vani.ovh"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245463; rev:1;) alert tcp $HOME_NET any -> [14.225.213.142] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245462; rev:1;) alert tcp $HOME_NET any -> [124.71.130.71] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245461; rev:1;) alert tcp $HOME_NET any -> [61.63.127.56] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245460; rev:1;) alert tcp $HOME_NET any -> [195.133.45.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1245459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245459; rev:1;) alert tcp $HOME_NET any -> [180.140.153.148] 30010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.131.106.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245457; rev:1;) alert tcp $HOME_NET any -> [103.82.24.193] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245456; rev:1;) alert tcp $HOME_NET any -> [124.221.98.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245455; rev:1;) alert tcp $HOME_NET any -> [31.192.236.82] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245454; rev:1;) alert tcp $HOME_NET any -> [167.99.250.80] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245453; rev:1;) alert tcp $HOME_NET any -> [172.104.242.152] 59088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245452; rev:1;) alert tcp $HOME_NET any -> [159.203.25.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245451; rev:1;) alert tcp $HOME_NET any -> [188.119.67.185] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245450; rev:1;) alert tcp $HOME_NET any -> [120.26.222.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245449; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1245448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245448; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245447; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245446; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1919 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245445; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245444/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245444; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245443/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245443; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 1801 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245442; rev:1;) alert tcp $HOME_NET any -> [187.135.178.73] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245441; rev:1;) alert tcp $HOME_NET any -> [45.133.36.114] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245440; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245439/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245439; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245438; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245437/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_09; classtype:trojan-activity; sid:91245437; rev:1;) alert tcp $HOME_NET any -> [187.135.82.30] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245436; rev:1;) alert tcp $HOME_NET any -> [105.100.63.223] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245435; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245434; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245433/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245433; rev:1;) alert tcp $HOME_NET any -> [103.5.210.28] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245432/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245432; rev:1;) alert tcp $HOME_NET any -> [147.45.47.80] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245431/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245431; rev:1;) alert tcp $HOME_NET any -> [193.233.132.148] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245430/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245430; rev:1;) alert tcp $HOME_NET any -> [95.216.41.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245429/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245429; rev:1;) alert tcp $HOME_NET any -> [193.233.132.127] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245428/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245428; rev:1;) alert tcp $HOME_NET any -> [89.23.99.219] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245427/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245427; rev:1;) alert tcp $HOME_NET any -> [154.243.121.19] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245426/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245426; rev:1;) alert tcp $HOME_NET any -> [103.155.214.203] 443 
(msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245425; rev:1;) alert tcp $HOME_NET any -> [146.0.79.19] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245424/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245424; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245423; rev:1;) alert tcp $HOME_NET any -> [116.202.4.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245422; rev:1;) alert tcp $HOME_NET any -> [195.201.131.130] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245421; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245420/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_03_09; classtype:trojan-activity; sid:91245420; rev:1;) alert tcp $HOME_NET any -> [202.134.56.2] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245419; rev:1;) alert tcp $HOME_NET any -> [37.114.37.177] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245418; rev:1;) alert tcp $HOME_NET any -> [147.124.223.16] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245417; rev:1;) alert tcp $HOME_NET any -> [171.41.198.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245416; rev:1;) alert tcp $HOME_NET any -> [95.165.99.74] 8443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245415; rev:1;) alert tcp $HOME_NET any -> [179.14.8.182] 6606 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245414; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245413; rev:1;) alert tcp $HOME_NET any -> [65.1.107.60] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_09; classtype:trojan-activity; sid:91245412; rev:1;) alert tcp $HOME_NET any -> [178.63.148.180] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245411/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245409/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.94.241.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.106.162"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"154.3.1.95"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"45.74.36.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245402; rev:1;) alert tcp $HOME_NET any -> [45.74.36.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"139.180.192.219"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.101.181.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; 
sid:91245388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"fzmovies.space"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.87-119-220-245.cprapid.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"www.fzmovies.space"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flash_light-aligned.apk"; depth:24; nocase; http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"mail.87-119-220-245.cprapid.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245381; rev:1;) alert tcp $HOME_NET any -> [87.119.220.245] 4456 (msg:"ThreatFox AhMyth botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/flashlight.apk"; depth:15; nocase; http.host; content:"87.119.220.245"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1245389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.87-119-220-245.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245394; rev:1;) alert tcp $HOME_NET any -> [87.119.220.245] 443 (msg:"ThreatFox AhMyth payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"www.fzmovies.space"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fzmovies.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mail.87-119-220-245.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.bestresulttostart.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"find.bestresulttostart.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"follow.bestresulttostart.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"point.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"right.bestresulttostart.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245378; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"host.cloudsonicwave.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ttincoming.traveltraffic.cc"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestresulttostart.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scripts.bestresulttostart.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtwo2ht.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"shop.klnein9ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"store.klone1vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245343; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245349; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 13672 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245350; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 313 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245358; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245359/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; 
classtype:trojan-activity; sid:91245359; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245360; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 14314 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245361/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245361; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245035; rev:1;) alert tcp $HOME_NET any -> [94.156.67.106] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245037; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245038; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245039; rev:1;) alert tcp $HOME_NET any -> [91.92.246.100] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245040; rev:1;) alert tcp $HOME_NET any -> [193.149.129.251] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"scambaiter11.ddns.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245047; rev:1;) alert tcp $HOME_NET any -> [37.120.141.139] 1113 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/trs_async.exe"; depth:14; nocase; http.host; content:"91.92.254.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245049/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trscentral.duckdns.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245050; rev:1;) alert tcp $HOME_NET any -> [194.9.172.135] 7730 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245033; rev:1;) alert tcp $HOME_NET any -> [103.153.69.114] 43046 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245034; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245031/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245031; rev:1;) alert tcp $HOME_NET any -> [45.9.74.12] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"advanceddataenterprise.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/server.php"; depth:11; nocase; http.host; content:"45.9.74.12"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245028; rev:1;) alert tcp $HOME_NET any -> [91.92.241.220] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.pr333.ggm.kr"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"start.apistatexperience.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245011; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 19606 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startservicefounds.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245010; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 19606 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_09; classtype:trojan-activity; sid:91245007; 
rev:1;) alert tcp $HOME_NET any -> [171.228.226.103] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244982; rev:1;) alert tcp $HOME_NET any -> [91.92.246.154] 1370 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244985; rev:1;) alert tcp $HOME_NET any -> [91.92.246.213] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244986; rev:1;) alert tcp $HOME_NET any -> [91.92.247.229] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244988; rev:1;) alert tcp $HOME_NET any -> [91.92.246.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244987; rev:1;) alert tcp $HOME_NET any -> [94.156.69.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244989; rev:1;) alert tcp $HOME_NET any -> [78.40.117.219] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244990; rev:1;) alert tcp $HOME_NET any -> [85.204.116.143] 1296 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244991; rev:1;) alert tcp $HOME_NET any -> [85.204.116.144] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244992; rev:1;) alert tcp $HOME_NET any -> [85.204.116.139] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244993; rev:1;) alert tcp $HOME_NET any -> [85.204.116.124] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244994; rev:1;) alert tcp $HOME_NET any -> 
[85.204.116.126] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244995; rev:1;) alert tcp $HOME_NET any -> [85.204.116.131] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244996; rev:1;) alert tcp $HOME_NET any -> [45.95.147.168] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/styles.html"; depth:12; nocase; http.host; content:"38.27.163.244"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245369; rev:1;) alert tcp $HOME_NET any -> [164.92.116.94] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"164.92.116.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245367; rev:1;) alert tcp $HOME_NET any -> [172.86.101.115] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovacamoke.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244909/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91244910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/aftdjdu0uppzualdkjdqndbzxabxckbtm6h8zreo1wi15htkq0"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet7.vani.ovh"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245362; rev:1;) alert tcp $HOME_NET any -> [185.246.64.139] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245357/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245357; rev:1;) alert tcp $HOME_NET any -> [178.128.122.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1245356/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245356; rev:1;) alert tcp $HOME_NET any -> [89.23.103.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245355/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245355; rev:1;) alert tcp $HOME_NET any -> [91.202.233.135] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245354/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245354; rev:1;) alert tcp $HOME_NET any -> [103.94.185.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245353/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245353; rev:1;) alert tcp $HOME_NET any -> [154.17.15.207] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245352; rev:1;) alert tcp $HOME_NET any -> [157.230.247.198] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245351; rev:1;) alert tcp $HOME_NET any -> [217.195.207.156] 47721 
(msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_09; classtype:trojan-activity; sid:91245347; rev:1;) alert tcp $HOME_NET any -> [107.175.28.248] 8082 (msg:"ThreatFox VBREVSHELL botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_09; classtype:trojan-activity; sid:91245346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.178.231.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245345; rev:1;) alert tcp $HOME_NET any -> [91.92.250.61] 3232 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245344/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"klnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkhirteen13pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkleven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jknein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"klfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klhirteen13pn.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"gkthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gktwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jkeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjtwo2two.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkeith8sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"gkfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkhirteen13vs.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gkleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gknein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"gjseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245285/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245270; rev:1;) alert tcp $HOME_NET any -> [186.169.53.81] 2025 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245269; rev:1;) alert tcp $HOME_NET any -> [118.178.231.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"121.41.101.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"192.227.155.201"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245266/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245260; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwelve12vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vtten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzseven7vt.top"; depth:15; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzthre3vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzztwo2vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245245/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15ht.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfifteen15vt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vdone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9pt.top"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245226; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245227; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kznine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245229; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245230/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_08; classtype:trojan-activity; sid:91245230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"kztvelwe12ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kztwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzeight8vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzzfive5vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245210; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3s.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245211; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzeigtht8sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzeleven11ht.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245217; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245219; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzfourteen14ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"kzleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245222; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kzleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1245197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvfourteen14vz.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245206; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"kvseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245208; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kvthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllnein9pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245183; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltvelwe12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kltwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveight8vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveigth8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kveleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"kbthirteen13pn.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245168; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbtwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kceight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kctwelve12pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245177; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245178; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245179; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kllfourt14pn.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"kbfourteen14vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245155; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbnine9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245138; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245139; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"kbeight8ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245144; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1245147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245148; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbeleven11vt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245151; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91245152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245123; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245125; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"dbsix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245133/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245134; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245135; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245136; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbthree3vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245108; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfourteen14sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbnine9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"dbnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245119/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245119; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245121; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245122; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245094; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdthree3sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245096; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwelve12vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdtwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8ht.top"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbeleven11sb.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfifteen15sb.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245105/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbfive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245080; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfourteen14vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdnine9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7pt.top"; 
depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdsix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245090; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245091/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeight8sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11pt.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245074; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11sr.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdeleven11vs.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bdfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"sajdfue.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245070; rev:1;) alert tcp $HOME_NET any -> [91.92.242.50] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245069; rev:1;) alert tcp $HOME_NET any -> [198.44.178.84] 80 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245068/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245068; rev:1;) alert tcp $HOME_NET any -> [124.220.200.241] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245067; rev:1;) alert tcp $HOME_NET any -> [46.246.14.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245066; rev:1;) alert tcp $HOME_NET any -> [46.246.80.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245065; rev:1;) alert tcp $HOME_NET any -> [39.40.181.3] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245064; rev:1;) alert tcp $HOME_NET any -> [2.50.45.90] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245063; rev:1;) 
alert tcp $HOME_NET any -> [70.31.125.235] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245062; rev:1;) alert tcp $HOME_NET any -> [72.27.136.137] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245061; rev:1;) alert tcp $HOME_NET any -> [76.142.23.238] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245060; rev:1;) alert tcp $HOME_NET any -> [188.119.66.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245059; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245058; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245057/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245057; rev:1;) alert tcp $HOME_NET any -> [94.232.45.42] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245056; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 5295 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245055; rev:1;) alert tcp $HOME_NET any -> [162.252.175.153] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245054; rev:1;) alert tcp $HOME_NET any -> [62.182.84.172] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245053; rev:1;) alert tcp $HOME_NET any -> [43.198.251.145] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245052; rev:1;) alert tcp $HOME_NET any -> [113.190.198.225] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91245051; rev:1;) alert tcp $HOME_NET any -> [185.11.61.171] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245045; rev:1;) alert tcp $HOME_NET any -> [185.11.61.172] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245046; rev:1;) alert tcp $HOME_NET any -> [185.11.61.169] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245043/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245043; rev:1;) alert tcp $HOME_NET any -> [185.11.61.170] 443 (msg:"ThreatFox Matanbuchus botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245044/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245044; rev:1;) alert tcp $HOME_NET any -> [185.255.114.104] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245041/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91245041; rev:1;) alert tcp $HOME_NET any -> 
[65.108.20.239] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245036; rev:1;) alert tcp $HOME_NET any -> [20.104.183.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsrv.prdcdn.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.prdcdn.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.prdcdn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"citrix.prdcdn.com"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1245022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245022; rev:1;) alert tcp $HOME_NET any -> [103.253.146.79] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"103.253.146.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245019; rev:1;) alert tcp $HOME_NET any -> [3.108.192.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"3.108.192.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.204.251.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"165.154.131.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245015; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"128.199.71.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91245012; rev:1;) alert tcp $HOME_NET any -> [137.184.117.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1245006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"137.184.117.57"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; 
http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"60.28.220.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1245000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91245000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/hu9v3jmvtlysh83svxuafwgzv7c-wfwox8h9z"; depth:42; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244999; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244998; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"vip.z886888.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244983; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vip.z886888.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_08; classtype:trojan-activity; sid:91244984; rev:1;) alert tcp $HOME_NET any -> [188.120.225.37] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244981/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244981; rev:1;) alert tcp $HOME_NET any -> [142.171.226.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244980/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244980; rev:1;) alert tcp $HOME_NET any -> [81.19.140.77] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244979; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244978; rev:1;) alert tcp $HOME_NET any -> [95.181.173.126] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244977; rev:1;) alert tcp $HOME_NET any -> [23.224.144.50] 20300 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244976; rev:1;) alert tcp $HOME_NET any -> [151.30.227.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244975; rev:1;) alert tcp $HOME_NET any -> [2.88.130.140] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244974; rev:1;) alert tcp $HOME_NET any -> [41.99.0.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244973; 
rev:1;) alert tcp $HOME_NET any -> [72.27.99.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244972; rev:1;) alert tcp $HOME_NET any -> [45.136.15.139] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244971; rev:1;) alert tcp $HOME_NET any -> [40.124.181.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244970; rev:1;) alert tcp $HOME_NET any -> [37.35.109.128] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244969; rev:1;) alert tcp $HOME_NET any -> [129.159.131.26] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244968; rev:1;) alert tcp $HOME_NET any -> [89.23.103.208] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244967/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244967; rev:1;) alert tcp $HOME_NET any -> [139.162.36.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244966/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244966; rev:1;) alert tcp $HOME_NET any -> [194.124.33.109] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244965/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244965; rev:1;) alert tcp $HOME_NET any -> [194.124.33.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244964/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244964; rev:1;) alert tcp $HOME_NET any -> [37.1.214.247] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244963/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244963; rev:1;) alert tcp $HOME_NET any -> [37.1.214.6] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244962/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244962; rev:1;) alert tcp $HOME_NET any -> [115.85.46.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244961/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244961; rev:1;) alert tcp $HOME_NET any -> [194.163.169.13] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244960/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244960; rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244959/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244959; rev:1;) alert tcp $HOME_NET any -> [46.8.221.19] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244958/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_08; classtype:trojan-activity; sid:91244958; rev:1;) alert tcp $HOME_NET any -> [80.77.23.52] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244951/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244951; rev:1;) alert tcp $HOME_NET any -> [91.240.202.234] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244952/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244952; rev:1;) alert tcp $HOME_NET any -> [94.247.42.247] 80 
(msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244953; rev:1;) alert tcp $HOME_NET any -> [167.88.162.223] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244954; rev:1;) alert tcp $HOME_NET any -> [167.88.162.241] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244955; rev:1;) alert tcp $HOME_NET any -> [172.86.70.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244956/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244956; rev:1;) alert tcp $HOME_NET any -> [185.212.44.92] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244957; rev:1;) alert tcp $HOME_NET any -> [45.11.180.28] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; 
classtype:trojan-activity; sid:91244948; rev:1;) alert tcp $HOME_NET any -> [45.61.152.227] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244949/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244949; rev:1;) alert tcp $HOME_NET any -> [45.155.250.207] 80 (msg:"ThreatFox SharkBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244950/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peacecheese.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244938/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pipelinning.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244939/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pixgraphie.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244940/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"redactweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sdlsd.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244942/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"shinemarksystems.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244943/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"sms-atc.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244944/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"strokestownlearningzone.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244945/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thebestoftenerife.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244946/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"thesolutionmatrix.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244947/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"a1photoprinting.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244911/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"americanhomeservicesllc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244912/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"anambrabasiceducation.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244913/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"audiolabelectronics.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91244914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bsupermarkets.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"b2bturkishtextile.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"chryatech.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cmfgsi.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"colortreeva.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; 
dns_query; content:"computerfeuerwehr.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"crabonchips.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cristinastanciu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"daffigallery.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"dallassutherland.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"detectiveman.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"etsprayfoam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"freeautotalk.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"happeelearning.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hostel99.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"insproscp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; 
sid:91244930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jobmalta.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kingtonyamerica.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mello-roos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"michaelcaneconsultants.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mowilderness.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 75%)"; dns_query; content:"mtgimports.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244936/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"netdognetworks.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244937/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_08; classtype:trojan-activity; sid:91244937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevmjspacketupdategamebigloadtraffictestdatalife.php"; depth:56; nocase; http.host; content:"icanzuo.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/u7koxg.php"; depth:47; nocase; http.host; content:"www.nsglamour.de"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/tlsgvu.php"; depth:42; nocase; http.host; content:"mrs-batiment.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1244906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/ifzgav.php"; depth:45; nocase; http.host; content:"wxgrant.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/iaawld.php"; depth:46; nocase; http.host; content:"criaturafantastica.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244903; rev:1;) alert tcp $HOME_NET any -> [80.87.192.43] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244902; rev:1;) alert tcp $HOME_NET any -> [45.84.226.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244901; rev:1;) alert tcp $HOME_NET any -> [167.71.91.12] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244900; rev:1;) alert tcp $HOME_NET any -> [119.45.162.251] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244899; rev:1;) alert tcp $HOME_NET any -> [46.246.86.9] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244898; rev:1;) alert tcp $HOME_NET any -> [189.140.59.81] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244897; rev:1;) alert tcp $HOME_NET any -> [159.235.7.188] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244896; rev:1;) alert tcp $HOME_NET any -> [70.31.125.31] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244895; rev:1;) alert tcp $HOME_NET any -> 
[47.236.84.82] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244893; rev:1;) alert tcp $HOME_NET any -> [47.236.84.82] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244894; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244892; rev:1;) alert tcp $HOME_NET any -> [20.127.230.167] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244891; rev:1;) alert tcp $HOME_NET any -> [38.180.91.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244890; rev:1;) alert tcp $HOME_NET any -> [95.179.189.177] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244889/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_03_07; classtype:trojan-activity; sid:91244889; rev:1;) alert tcp $HOME_NET any -> [185.196.11.148] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244888; rev:1;) alert tcp $HOME_NET any -> [104.238.35.20] 16655 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244887; rev:1;) alert tcp $HOME_NET any -> [47.98.126.140] 10004 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244886; rev:1;) alert tcp $HOME_NET any -> [37.1.208.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244885/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244885; rev:1;) alert tcp $HOME_NET any -> [170.187.232.104] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244884/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244884; rev:1;) alert tcp $HOME_NET any -> [35.233.38.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244883/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244883; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244882; rev:1;) alert tcp $HOME_NET any -> [103.193.176.76] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244881; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244880; rev:1;) alert tcp $HOME_NET any -> [142.93.131.96] 43555 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244879/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/8ub8qyhvfkehhmfr4dgcou1vlkki6dw1ssuj3l6p7si3omdean"; depth:55; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244878/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244878; rev:1;) alert tcp $HOME_NET any -> [91.92.241.203] 37942 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244877; rev:1;) alert tcp $HOME_NET any -> [172.93.160.2] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalpythonrequestpollbaseasyncgeneratorwpdlepublic.php"; depth:58; nocase; http.host; content:"421820cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; http.host; content:"muagol.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/useraccount.aspx"; depth:17; nocase; 
http.host; content:"selevkis.app"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/view/stylesheet/50k.png"; depth:30; nocase; http.host; content:"988skins.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244872; rev:1;) alert tcp $HOME_NET any -> [147.45.47.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244871; rev:1;) alert tcp $HOME_NET any -> [147.45.47.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2wpcdn/multi/88/bigload/sql8defaultlow/httprequestprotonbigload/api7voiddbdatalife/publicjavascripttemp5/videobigloadmultidefaultwindowswordpresspublictemporary.php"; depth:165; nocase; http.host; content:"86.110.194.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; 
classtype:trojan-activity; sid:91244869; rev:1;) alert tcp $HOME_NET any -> [194.116.173.25] 6519 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windows11.loseyourip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244849; rev:1;) alert tcp $HOME_NET any -> [124.221.133.199] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.bwork.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244865; rev:1;) alert tcp 
$HOME_NET any -> [20.121.128.235] 4876 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244864/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244864; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4845 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244863/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244863; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4834 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244862/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244862; rev:1;) alert tcp $HOME_NET any -> [20.121.128.235] 4674 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244861/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244861; rev:1;) alert tcp $HOME_NET any -> [83.97.20.141] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.35.19.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.71.38.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244855/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_07; classtype:trojan-activity; sid:91244855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"83.97.20.141"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244853; rev:1;) alert tcp $HOME_NET any -> [83.97.20.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244854; rev:1;) alert tcp $HOME_NET any -> [47.243.108.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.chat5188.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v3/s25fogl"; depth:15; nocase; http.host; content:"static.chat5188.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244850/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"securecloudmanage.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oneblackwood.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygreenstudio.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupbuss.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"topgamecheats.dev"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244843; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxybotnet.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cnc.shakeit.biz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.freetube.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244842; rev:1;) alert tcp $HOME_NET any -> [95.217.142.46] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"121.41.107.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.84.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; 
content:"61.170.44.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks777.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks777.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244830; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; 
sid:91244829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244820/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/5gn1hb9coo2yjr2gfysvdjro2gm1e9rk"; depth:50; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jj.jpg"; depth:7; nocase; http.host; content:"91.92.254.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j4fvskd3/index.php"; depth:19; nocase; http.host; content:"topgamecheats.dev"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; 
classtype:trojan-activity; sid:91244817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"185.14.30.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"livinglearning.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pages/login.php"; depth:16; nocase; http.host; content:"livinglearning.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244815; rev:1;) alert tcp $HOME_NET any -> [185.14.30.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244812; rev:1;) alert tcp $HOME_NET any -> [139.84.139.29] 5273 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244798/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244798; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244800/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244800; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 10058 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244801/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_07; classtype:trojan-activity; sid:91244801; rev:1;) alert tcp $HOME_NET any -> [193.124.205.30] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244803; rev:1;) alert tcp $HOME_NET any -> [85.204.116.119] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244804; rev:1;) alert tcp $HOME_NET any -> [94.156.66.226] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244805; rev:1;) alert tcp $HOME_NET any -> [185.216.70.21] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244806; rev:1;) alert tcp $HOME_NET any -> [185.216.70.30] 420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244807; rev:1;) alert tcp $HOME_NET any -> [78.40.117.36] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244808; rev:1;) alert tcp $HOME_NET any -> [141.98.7.2] 1 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244809; rev:1;) alert tcp $HOME_NET any -> [94.156.68.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244810; rev:1;) alert tcp $HOME_NET any -> [85.204.116.119] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244811; rev:1;) alert tcp $HOME_NET any -> [191.88.249.10] 4433 (msg:"ThreatFox 
DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_07; classtype:trojan-activity; sid:91244802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0927241.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_07; classtype:trojan-activity; sid:91244799; rev:1;) alert tcp $HOME_NET any -> [1.94.52.236] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xunleicloud.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"xunleicloud.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244795; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 11855 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244790; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244791/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244791; rev:1;) alert tcp $HOME_NET any -> [46.246.86.5] 8090 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244792/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244792; rev:1;) alert tcp $HOME_NET any -> [46.246.84.18] 1981 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rverde.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244794/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244794; rev:1;) alert tcp $HOME_NET any -> [45.84.0.177] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244789/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_06; classtype:trojan-activity; sid:91244789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244788; rev:1;) alert tcp $HOME_NET any -> [170.130.165.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopmoneyweb.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"shopmoneyweb.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"1.94.52.236"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244784; rev:1;) alert tcp $HOME_NET any -> [45.84.0.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/quit/message/amd"; depth:17; nocase; http.host; content:"45.84.0.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244780; rev:1;) alert tcp $HOME_NET any -> [194.165.16.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244779; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244778; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 11855 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244777; rev:1;) alert tcp $HOME_NET any -> [192.119.110.233] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244776; rev:1;) alert tcp $HOME_NET any -> [161.35.62.207] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244775; rev:1;) alert tcp $HOME_NET any -> [51.142.10.24] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244774/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244774; rev:1;) alert tcp $HOME_NET any -> [154.247.162.241] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244773; rev:1;) alert tcp $HOME_NET any -> [39.40.148.240] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244772; rev:1;) alert tcp $HOME_NET any -> [157.245.45.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244771; rev:1;) alert tcp $HOME_NET any -> [8.219.183.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244770; rev:1;) alert tcp $HOME_NET any -> [45.152.85.15] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244769; rev:1;) alert tcp $HOME_NET any -> [198.23.228.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244768; rev:1;) alert tcp $HOME_NET any -> [5.206.224.58] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244767; rev:1;) alert tcp $HOME_NET any -> [185.163.124.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/"; depth:7; nocase; http.host; content:"185.163.124.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244763; rev:1;) alert tcp $HOME_NET any -> [91.198.77.158] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244764; rev:1;)
#
# Review notes for the ThreatFox entries below (first_seen 2024_03_05 / 2024_03_06):
#  - sid is "9" followed by the ThreatFox IOC id, and the same id is in the
#    reference URL; the msg text does not carry the indicator itself, so
#    triage from alert text alone needs the sid/reference, not the msg.
#  - The ip:port rules carry no flow keyword: they fire on any TCP packet from
#    $HOME_NET to the listed address:port (a lone SYN from a scanner is
#    enough), so a hit is a reputation match, not proof of an established C2
#    session. "threshold: type limit, track by_src, seconds 60, count 1" keeps
#    one alert per source per minute -- size an incident from flow logs, not
#    from alert counts.
#  - metadata confidence_level ranges from 50 to 100 in this run; gate any
#    automated blocking on it rather than treating every entry alike.
#  - Many entries are on 443; with TLS there is nothing here to match beyond
#    the address, so enrich with tls.sni / JA3 where the sensor has them.
#  - Single addresses in shared hosting/cloud ranges get reassigned; re-check
#    the reference URL for current status before putting one on a block list.
#
# url rules: the http.uri content is anchored to the start of the URI by depth
# but not to its end, while the http.host match is exact (depth + end-of-buffer
# check). The host is the real discriminator -- several of the URI strings
# below look like ordinary web assets.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1.exe"; depth:7; nocase; http.host; content:"91.198.77.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244765; rev:1;)
alert tcp $HOME_NET any -> [185.163.124.133] 7777 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244760; rev:1;)
# dns_query rules: depth equals the indicator length and isdataat:!1,relative
# requires end-of-buffer, so only an exact query for that name fires; a lookup
# for a subdomain (or any label prefixed to it) does not match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distributors.commdistinc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244747; rev:1;)
alert tcp $HOME_NET any -> [87.121.58.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244732; rev:1;)
alert tcp $HOME_NET any -> [84.54.51.103] 32105 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244731; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4xcgqyhfkt0cmh8kmdtzrh"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244766; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auvm/6875"; depth:10; nocase; http.host; content:"topflowersclub.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrd/4462"; depth:9; nocase; http.host; content:"yourunitedlaws.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244758; rev:1;)
alert tcp $HOME_NET any -> [154.12.236.248] 13786 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244749; rev:1;)
alert tcp $HOME_NET any -> [158.247.240.58] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244750; rev:1;)
alert tcp $HOME_NET any -> [70.34.199.64] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244751; rev:1;)
alert tcp $HOME_NET any -> [94.72.104.77] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244752; rev:1;)
alert tcp $HOME_NET any -> [154.53.55.165] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244753; rev:1;)
alert tcp $HOME_NET any -> [45.77.63.237] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244754; rev:1;)
alert tcp $HOME_NET any -> [94.72.104.80] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244755; rev:1;)
alert tcp $HOME_NET any -> [198.38.94.213] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244756; rev:1;)
alert tcp $HOME_NET any -> [70.34.223.164] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244757; rev:1;)
alert tcp $HOME_NET any -> [209.182.234.69] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"www.cloudflarecache.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244745; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cloudflarecache.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.56.251.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244743; rev:1;)
# 34.131.18.55 and 55.18.131.34.bc.googleusercontent.com: the name is the
# address's octets reversed under a generic provider reverse-DNS domain, so the
# next three entries appear to describe one host. The http.host rule only
# fires if the client sends that name in Host:; a request addressed by bare IP
# is covered only by the tcp/80 rule.
alert tcp $HOME_NET any -> [34.131.18.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244740; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"55.18.131.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.200.164.66"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244738; rev:1;)
# tcp/53 only: DNS over UDP to this address does not match this rule. The
# ns1/ns2.msn-microsoft.co dns_query entries that follow have adjacent IOC ids
# and may be the related name servers -- not verifiable from this listing.
alert tcp $HOME_NET any -> [206.237.16.117] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244737; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244736; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.msn-microsoft.co"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244735; rev:1;)
alert tcp $HOME_NET any -> [198.44.174.232] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244734; rev:1;)
alert tcp $HOME_NET any -> [179.15.14.181] 9091 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244733; rev:1;)
alert tcp $HOME_NET any -> [178.238.112.11] 56555 (msg:"ThreatFox RMS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"i-wallet.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"i-wallet.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244729; rev:1;)
alert tcp $HOME_NET any -> [95.141.41.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"googlesupportacc.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bg"; depth:3; nocase; http.host; content:"googlesupportacc.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244725; rev:1;)
alert tcp $HOME_NET any -> [45.90.97.172] 2211 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244724/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"81.71.140.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244722; rev:1;)
alert tcp $HOME_NET any -> [81.71.140.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"14.116.174.122"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244721; rev:1;)
# The three URI "/" depth:1 rules that follow cannot fail on the URI (every URI
# starts with "/"), so each is effectively "any GET to this host"; the tcp
# rules for the same three addresses (9494, 9000, 443) come right after them.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.13.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244720; rev:1;)
alert tcp $HOME_NET any -> [116.203.13.151] 9494 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.127.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.183.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244717; rev:1;)
alert tcp $HOME_NET any -> [88.99.127.167] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244715; rev:1;)
alert tcp $HOME_NET any -> [95.216.183.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244716; rev:1;)
# confidence_level 50 entries start here: alert-and-investigate material, not
# candidates for automatic blocking.
alert tcp $HOME_NET any -> [193.57.41.76] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244714; rev:1;)
alert tcp $HOME_NET any -> [163.197.242.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244713; rev:1;)
alert tcp $HOME_NET any -> [209.126.86.48] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244712; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.10] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244711; rev:1;)
alert tcp $HOME_NET any -> [89.117.23.25] 46450 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244710/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244710; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244709/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244709; rev:1;)
alert tcp $HOME_NET any -> [72.27.199.181] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244708/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244708; rev:1;)
alert tcp $HOME_NET any -> [45.150.198.28] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244707/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244707; rev:1;)
alert tcp $HOME_NET any -> [38.147.189.157] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244706/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244706; rev:1;)
# Responder on tcp/445: a hit means an internal host attempted outbound SMB to
# the Internet, which is a credential-capture path (NTLM forced/coerced auth)
# regardless of who owns the address. Egress filtering should drop 445
# outbound anyway; treat a hit as both an infection lead and a filtering gap.
alert tcp $HOME_NET any -> [91.143.101.212] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244705/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244705; rev:1;)
alert tcp $HOME_NET any -> [94.156.66.44] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244704/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244704; rev:1;)
alert tcp $HOME_NET any -> [185.11.61.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244703; rev:1;)
alert tcp $HOME_NET any -> [136.0.3.71] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244702; rev:1;)
alert tcp $HOME_NET any -> [20.168.0.131] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244701; rev:1;)
alert tcp $HOME_NET any -> [15.235.166.83] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_06; classtype:trojan-activity; sid:91244700; rev:1;)
# tcp/31337 is Sliver's default operator (multiplayer) port rather than an
# implant listener; a $HOME_NET source here is more likely an operator or a
# scanner than a compromised endpoint -- check before treating as infection.
alert tcp $HOME_NET any -> [185.233.203.43] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244641; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244637; rev:1;)
alert tcp $HOME_NET any -> [185.237.206.57] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244642; rev:1;)
alert tcp $HOME_NET any -> [206.188.197.213] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244648; rev:1;)
alert tcp $HOME_NET any -> [4.210.191.162] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244660; rev:1;)
alert tcp $HOME_NET any -> [193.149.129.179] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244661; rev:1;)
alert tcp $HOME_NET any -> [5.188.87.40] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244669; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.2] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244687; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzuymgi3mtixowfk/"; depth:18; nocase; http.host; content:"83.97.73.205"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244688; rev:1;)
alert tcp $HOME_NET any -> [192.3.216.140] 16519 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_06; classtype:trojan-activity; sid:91244699; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/base93/3multibasetest/3/trackauth/linuxtoasync6/longpoll/cpuserver2wp/tracklinux/phpasynccentral.php"; depth:101; nocase; http.host; content:"79.174.94.173"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244698; rev:1;)
alert tcp $HOME_NET any -> [174.93.198.242] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244697; rev:1;)
alert tcp $HOME_NET any -> [62.122.184.95] 8888 (msg:"ThreatFox StealthWorker Go botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_06; classtype:trojan-activity; sid:91244696; rev:1;)
alert tcp $HOME_NET any -> [185.158.251.20] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244695; rev:1;)
alert tcp $HOME_NET any -> [109.248.170.151] 7443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244694; rev:1;)
alert tcp $HOME_NET any -> [45.134.225.247] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244693; rev:1;)
alert tcp $HOME_NET any -> [124.71.9.23] 8005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244692; rev:1;)
alert tcp $HOME_NET any -> [47.123.4.117] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244691; rev:1;)
alert tcp $HOME_NET any -> [39.108.229.236] 800 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244690; rev:1;)
alert tcp $HOME_NET any -> [3.146.206.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_06; classtype:trojan-activity; sid:91244689; rev:1;)
alert tcp $HOME_NET any -> [13.50.244.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244686; rev:1;)
alert tcp $HOME_NET any -> [89.23.99.198] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244685; rev:1;)
alert tcp $HOME_NET any -> [197.119.48.109] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244684; rev:1;)
alert tcp $HOME_NET any -> [103.155.214.72] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244683; rev:1;)
alert tcp $HOME_NET any -> [142.132.224.223] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244682; rev:1;)
alert tcp $HOME_NET any -> [142.132.224.223] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244681; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.178] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244678; rev:1;)
alert tcp $HOME_NET any -> [20.169.80.43] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244677; rev:1;)
alert tcp $HOME_NET any -> [154.23.141.66] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244676; rev:1;)
alert tcp $HOME_NET any -> [193.124.205.30] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244675; rev:1;)
alert tcp $HOME_NET any -> [45.83.207.249] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244674; rev:1;)
alert tcp $HOME_NET any -> [110.164.146.49] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244673; rev:1;)
alert tcp $HOME_NET any -> [128.90.145.218] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244672; rev:1;)
alert tcp $HOME_NET any -> [31.6.179.181] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244671; rev:1;)
alert tcp $HOME_NET any -> [174.78.242.29] 9100 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244670; rev:1;)
# tcp/50050 is the Cobalt Strike team-server (operator console) port, not a
# beacon listener. A connection from $HOME_NET to it points at an operator
# console or an internet scanner rather than an implant call-back, yet
# target:src_ip still labels the source as the victim in EVE output -- confirm
# before calling the next three hits infections.
alert tcp $HOME_NET any -> [20.163.176.140] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244668; rev:1;)
alert tcp $HOME_NET any -> [8.130.122.174] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244667; rev:1;)
alert tcp $HOME_NET any -> [111.229.198.177] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244666; rev:1;)
alert tcp $HOME_NET any -> [164.92.191.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244665; rev:1;)
alert tcp $HOME_NET any -> [94.156.8.188] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244664; rev:1;)
alert tcp $HOME_NET any -> [74.91.29.67] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244663; rev:1;)
alert tcp $HOME_NET any -> [154.23.178.139] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244662; rev:1;)
# tcp/3790 is the default Metasploit web/console port (operator side), so the
# same caveat as the 50050 entries applies to the next two "Meterpreter" hits.
alert tcp $HOME_NET any -> [67.205.152.19] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244659; rev:1;)
alert tcp $HOME_NET any -> [46.249.38.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244658; rev:1;)
alert tcp $HOME_NET any -> [34.88.176.115] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244657; rev:1;)
alert tcp $HOME_NET any -> [54.145.92.29] 8083 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244656; rev:1;)
alert tcp $HOME_NET any -> [154.9.255.31] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244655; rev:1;)
# Same address as sid 91244689 (tcp/8888) earlier in this run, different port;
# both stay, but a hit on either should be triaged as one host.
alert tcp $HOME_NET any -> [3.146.206.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244654; rev:1;)
alert tcp $HOME_NET any -> [39.104.66.132] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244653; rev:1;) alert tcp $HOME_NET any -> [45.76.196.30] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244652; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244651; rev:1;) alert tcp $HOME_NET any -> [107.174.241.206] 7989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244650; rev:1;) alert tcp $HOME_NET any -> [8.222.158.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244649; rev:1;) alert tcp $HOME_NET any -> [3.11.29.211] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244647; rev:1;) alert tcp 
$HOME_NET any -> [43.136.71.208] 8881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244646/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244646; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244645/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244645; rev:1;) alert tcp $HOME_NET any -> [193.222.96.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244644; rev:1;) alert tcp $HOME_NET any -> [69.30.232.230] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244643; rev:1;) alert tcp $HOME_NET any -> [91.92.248.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244639; rev:1;) alert tcp $HOME_NET any -> [91.92.252.33] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244638/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244638; rev:1;) alert tcp $HOME_NET any -> [37.120.141.144] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244640; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"apicachebot.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"commdistinc.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/"; depth:1; nocase; http.host; content:"128.254.207.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"marxrwo9090.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"194.147.140.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/marxrwo.txt"; depth:16; nocase; http.host; content:"nzaria.org"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244618; rev:1;)
# NOTE(review): sid 91244620 (next rule) matches the bare IP "193.178.170.30" in http.uri at depth:14,
# i.e. it must be the first 14 bytes of the URI, yet a normalized request URI begins with "/", so this
# rule is unlikely ever to fire; it looks like it was meant to be an http.host match (compare sid
# 91244626, which already covers this IP on tcp/7771). Verify against IOC 1244620 before relying on it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.178.170.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1244620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hzp02itt0a.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244625; rev:1;) alert tcp $HOME_NET any -> [193.178.170.30] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244626; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 4002 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"194.165.16.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244635; rev:1;) alert tcp $HOME_NET any -> [194.165.16.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244636; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"security-socks.expert"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/understand/v2.61/rylqupm8ll"; depth:28; nocase; http.host; content:"security-socks.expert"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244631; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmjs_pollauthapibasecdndownloads.php"; depth:45; nocase; http.host; content:"h172956.srv11.test-hf.su"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244630; rev:1;)
# NOTE(review): the next rule (sid 91244629, confidence 75%) and sid 91244628 (confidence 100%) have the
# same match (GET /kioy/five/fre.php on host 91.92.252.146), so one request raises both alerts; keep
# only the higher-confidence sid, or disable one, if duplicate alerts are a problem downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/kioy/five/fre.php"; depth:18; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244629/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kioy/five/fre.php"; depth:18; nocase; http.host; content:"91.92.252.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244628; rev:1;) alert tcp $HOME_NET any -> [95.217.250.22] 36043 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244627; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244624; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244623; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244622; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 14210 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244621; rev:1;) alert tcp $HOME_NET any -> [181.131.218.39] 4041 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244619; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.107.70.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; 
nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"161.35.186.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.5.66.186"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244607; rev:1;) alert tcp $HOME_NET any -> [84.46.240.42] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244606; rev:1;) alert tcp $HOME_NET any -> [111.229.149.200] 
8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244605; rev:1;) alert tcp $HOME_NET any -> [20.19.32.59] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244604; rev:1;) alert tcp $HOME_NET any -> [46.246.14.3] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244603/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244603; rev:1;) alert tcp $HOME_NET any -> [85.110.178.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244602/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244602; rev:1;) alert tcp $HOME_NET any -> [37.56.108.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244601/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244601; rev:1;) alert tcp $HOME_NET any -> [89.23.107.13] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244600/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244600; rev:1;) alert tcp $HOME_NET any -> [81.95.8.174] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244599/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244599; rev:1;) alert tcp $HOME_NET any -> [172.105.0.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244598; rev:1;) alert tcp $HOME_NET any -> [124.223.215.119] 65413 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244597; rev:1;) alert tcp $HOME_NET any -> [37.1.214.247] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244596; rev:1;) alert tcp $HOME_NET any -> [172.247.113.97] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244595; rev:1;) alert tcp $HOME_NET any -> [151.236.16.48] 5901 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244594; rev:1;) alert tcp $HOME_NET any -> [23.227.202.28] 35676 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244593; rev:1;) alert tcp $HOME_NET any -> [23.94.120.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244592; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244591; rev:1;) alert tcp $HOME_NET any -> [143.244.186.6] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244590; rev:1;) alert tcp $HOME_NET any -> [69.176.89.82] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244589; rev:1;) alert tcp $HOME_NET any -> [179.60.150.34] 80 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"179.60.150.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/q9dyqu9x6rjwvcdqhumrmy"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244582; rev:1;) alert tcp $HOME_NET any -> [65.21.21.176] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244581; rev:1;) alert tcp $HOME_NET any -> [193.203.203.211] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244580/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"afdhf198jfadafdkfad.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244579; rev:1;) alert tcp $HOME_NET any -> [65.21.21.176] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpollsqldblinuxgenerator.php"; depth:36; nocase; http.host; content:"113304cm.n9shteam2.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244577; rev:1;) alert tcp $HOME_NET any -> [65.108.20.226] 37715 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.231.54.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"96.126.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"200.58.122.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; 
content:"briefscala.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244575; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244567/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244567; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17647 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244568; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 10352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244569; rev:1;) alert tcp $HOME_NET any -> [117.72.46.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.72.46.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244565/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"60.246.28.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244564; rev:1;) alert tcp $HOME_NET any -> [104.237.252.14] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244541/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244541; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 19976 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244515; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 19976 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244514; rev:1;) alert tcp $HOME_NET any -> [145.239.202.110] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"145.239.202.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.219.54.123"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.69.242.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244562; rev:1;) alert tcp $HOME_NET any -> [159.203.67.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wizjqpi1.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/filesystem.htm"; depth:15; nocase; http.host; content:"wizjqpi1.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.100.229.207"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.27"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/as"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcocompany.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244552; rev:1;) alert tcp $HOME_NET any -> [137.220.55.94] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244551; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244550; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/2i00fa-t5zxohtu1hspr"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/4zt2say1wkoheml0x8bbfa"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dam.html"; depth:9; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/vfo2"; depth:5; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244544; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 23333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244543; rev:1;) alert tcp $HOME_NET any -> [103.151.123.225] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c12/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c11/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.213.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199649267298"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uprizin"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.180.93"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.214.7"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244533; rev:1;) alert tcp $HOME_NET any -> [5.75.214.7] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244532; rev:1;) alert tcp $HOME_NET any -> [188.120.254.185] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244531; rev:1;) alert tcp $HOME_NET any -> [157.245.16.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244530/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244530; rev:1;) alert tcp $HOME_NET any -> [85.192.40.131] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244529/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; 
classtype:trojan-activity; sid:91244529; rev:1;) alert tcp $HOME_NET any -> [59.174.225.176] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244528/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244528; rev:1;) alert tcp $HOME_NET any -> [46.246.12.2] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244527/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244527; rev:1;) alert tcp $HOME_NET any -> [41.99.9.210] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244526/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244526; rev:1;) alert tcp $HOME_NET any -> [201.124.218.102] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244525/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244525; rev:1;) alert tcp $HOME_NET any -> [146.19.173.108] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244524; rev:1;) alert tcp $HOME_NET any -> [185.130.46.231] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244523; rev:1;) alert tcp $HOME_NET any -> [185.94.164.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244522; rev:1;) alert tcp $HOME_NET any -> [37.1.214.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244521; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 8082 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244520; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 445 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244519; rev:1;) alert tcp $HOME_NET any -> [172.174.105.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244518; rev:1;) alert tcp $HOME_NET any -> [179.8.14.54] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244517; rev:1;) alert tcp $HOME_NET any -> [103.214.173.80] 20000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_05; classtype:trojan-activity; sid:91244516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/line/updateflower4external/eternalpacketprocesslongpollprotectbasewindowstraffictemporary.php"; depth:94; nocase; http.host; content:"95.142.35.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_05; classtype:trojan-activity; sid:91244513; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244451; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244452/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"electric-guest.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244455; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35608 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244456/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"points-detect.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244457/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"artist-shared.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244458/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stories-boulevard.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244459/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244459; rev:1;) alert tcp $HOME_NET any -> [45.85.117.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244468/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244468; rev:1;) alert tcp $HOME_NET any -> [37.221.67.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244467/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244467; rev:1;) alert tcp $HOME_NET any -> [5.255.115.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244465/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244465; rev:1;) alert tcp $HOME_NET any -> [5.255.118.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244466/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244466; rev:1;) alert tcp $HOME_NET any -> [45.61.156.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244463/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244463; rev:1;) alert tcp $HOME_NET any -> [193.168.143.128] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244464/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244464; rev:1;) alert tcp $HOME_NET any -> [155.94.208.159] 443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244462/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244462; rev:1;) alert tcp $HOME_NET any -> [5.255.120.61] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244461/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244461; rev:1;) alert tcp $HOME_NET any -> [193.168.143.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244460/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244460; rev:1;) alert tcp $HOME_NET any -> [45.129.199.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244469/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244469; rev:1;) alert tcp $HOME_NET any -> [46.246.98.52] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244470/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244470; rev:1;) alert tcp $HOME_NET any -> [80.66.88.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244471/; target:src_ip; metadata: 
confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244471; rev:1;) alert tcp $HOME_NET any -> [155.94.208.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244472/; target:src_ip; metadata: confidence_level 85, first_seen 2024_03_05; classtype:trojan-activity; sid:91244472; rev:1;) alert tcp $HOME_NET any -> [193.168.143.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244473/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244473; rev:1;) alert tcp $HOME_NET any -> [217.195.153.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244474/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244474; rev:1;) alert tcp $HOME_NET any -> [209.54.96.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244475; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244486/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244486; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244484/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244484; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15966 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244485/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244485; rev:1;) alert tcp $HOME_NET any -> [37.44.238.80] 8190 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244483/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_05; classtype:trojan-activity; sid:91244483; rev:1;) alert tcp $HOME_NET any -> [5.199.161.93] 6783 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244512; rev:1;) alert tcp $HOME_NET any -> [182.149.199.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244511; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244510; rev:1;) alert tcp 
$HOME_NET any -> [187.135.95.46] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244509; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244508; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244507; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244506; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244505; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244504/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244504; rev:1;) alert tcp $HOME_NET any -> [187.135.95.46] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244503; rev:1;) alert tcp $HOME_NET any -> [107.148.37.67] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244502; rev:1;) alert tcp $HOME_NET any -> [89.23.103.208] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244501; rev:1;) alert tcp $HOME_NET any -> [69.30.232.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244500; rev:1;) alert tcp $HOME_NET any -> [69.30.232.229] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244499; rev:1;) alert tcp $HOME_NET any -> [38.207.173.147] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244498; rev:1;) alert tcp $HOME_NET any -> [188.25.164.217] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244497; rev:1;) alert tcp $HOME_NET any -> [193.233.132.69] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244496; rev:1;) alert tcp $HOME_NET any -> [144.202.23.219] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244495; rev:1;) alert tcp $HOME_NET any -> [46.226.166.200] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244494; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244493; rev:1;) alert tcp $HOME_NET 
any -> [95.216.180.93] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244492; rev:1;) alert tcp $HOME_NET any -> [95.216.180.93] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244491; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244490; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244489; rev:1;) alert tcp $HOME_NET any -> [5.75.213.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_05; classtype:trojan-activity; sid:91244488; rev:1;) alert tcp $HOME_NET any -> [128.90.115.54] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244487/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_03_05; classtype:trojan-activity; sid:91244487; rev:1;) alert tcp $HOME_NET any -> [91.92.242.139] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244454; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 30641 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244453; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244450; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244448; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244449; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 10757 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244447; rev:1;) alert tcp $HOME_NET any -> [195.54.170.36] 22033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pneh2sxqk0/index.php"; depth:21; nocase; http.host; content:"91.92.242.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244445; rev:1;) alert tcp $HOME_NET any -> [157.230.110.136] 8899 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244434; rev:1;) alert tcp $HOME_NET any -> [45.128.232.238] 999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244435; rev:1;) alert tcp $HOME_NET any -> [91.92.244.11] 6697 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244436; rev:1;) alert tcp $HOME_NET any -> [20.205.11.156] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244444; rev:1;) alert tcp $HOME_NET any -> [84.201.167.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244443; rev:1;) alert tcp $HOME_NET any -> [104.233.192.16] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244442; rev:1;) alert tcp $HOME_NET any -> [72.27.83.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244441; rev:1;) alert tcp $HOME_NET any -> [152.136.171.162] 4433 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244440; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 6379 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244439; rev:1;) alert tcp $HOME_NET any -> [154.90.62.224] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244438; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 43029 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244437; rev:1;) alert tcp $HOME_NET any -> [43.154.25.56] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onedogsclub.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wipresolutions.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244424; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recentbeelive.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcocompany.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trailcosolutions.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artstrailreviews.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244428; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244432; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 16267 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244431; rev:1;) alert tcp $HOME_NET any -> [94.72.114.95] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244420; rev:1;) alert tcp $HOME_NET any -> [65.109.11.145] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244418; rev:1;) alert tcp $HOME_NET any -> [116.202.2.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.2.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244416; rev:1;) alert tcp $HOME_NET any -> [49.12.103.42] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.11.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.103.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244414; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244413/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"314.hongdrama.xyz"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hongdrama.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order%20list.vbs"; depth:17; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/purchase.vbs"; depth:13; nocase; http.host; content:"37.49.228.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dark.vbs"; depth:9; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244408; rev:1;) alert tcp $HOME_NET any -> [103.78.0.41] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244239/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.vani.ovh"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244240/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244240; rev:1;) alert tcp 
$HOME_NET any -> [194.127.178.5] 23597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244249/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc.moneymakernation.online"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244250; rev:1;) alert tcp $HOME_NET any -> [45.155.249.96] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244251/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244251; rev:1;) alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zofav.aus.mimico-cooperative.org"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244255; rev:1;) alert tcp $HOME_NET any -> [149.56.252.31] 8094 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244404; rev:1;) alert tcp $HOME_NET any -> [107.175.3.10] 7536 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aus.mimico-cooperative.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"149.56.252.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/web/path/gate.php"; depth:20; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/1/web/gate.php"; depth:15; nocase; http.host; content:"myetherwallet.kl.com.ua"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244405; rev:1;) alert tcp $HOME_NET any -> [139.59.16.171] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244402; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30092 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244403; rev:1;) alert tcp $HOME_NET any -> [165.232.101.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244401; rev:1;) alert tcp $HOME_NET any -> [74.207.231.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244400; rev:1;) alert tcp $HOME_NET any -> [54.148.146.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244399/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244399; rev:1;) alert tcp $HOME_NET any -> [47.99.186.100] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244398; rev:1;) alert tcp $HOME_NET any -> [18.192.93.230] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244397; rev:1;) alert tcp $HOME_NET any -> [93.119.13.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244396; rev:1;) alert tcp $HOME_NET any -> [121.37.222.182] 5001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244395; rev:1;) alert tcp $HOME_NET any -> [20.212.234.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244394; rev:1;) alert tcp $HOME_NET any -> [194.182.90.109] 3333 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244393; rev:1;) alert tcp $HOME_NET any -> [3.69.130.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244392; rev:1;) alert tcp $HOME_NET any -> [43.136.86.22] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244391; rev:1;) alert tcp $HOME_NET any -> [106.15.52.156] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244390; rev:1;) alert tcp $HOME_NET any -> [43.229.134.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244389; rev:1;) alert tcp $HOME_NET any -> [198.13.46.179] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244388/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244388; rev:1;) alert tcp $HOME_NET any -> [24.199.126.139] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244387; rev:1;) alert tcp $HOME_NET any -> [43.132.234.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244386; rev:1;) alert tcp $HOME_NET any -> [64.226.106.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244385; rev:1;) alert tcp $HOME_NET any -> [128.199.98.189] 43333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244384; rev:1;) alert tcp $HOME_NET any -> [54.89.6.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244383; rev:1;) alert tcp $HOME_NET any -> [3.21.161.218] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244382; rev:1;) alert tcp $HOME_NET any -> [91.134.226.170] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244381; rev:1;) alert tcp $HOME_NET any -> [159.89.212.121] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244380; rev:1;) alert tcp $HOME_NET any -> [186.121.34.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244379; rev:1;) alert tcp $HOME_NET any -> [149.129.241.76] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244378; rev:1;) alert tcp $HOME_NET any -> [3.135.49.252] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244377/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244377; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244376; rev:1;) alert tcp $HOME_NET any -> [52.28.220.250] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244375; rev:1;) alert tcp $HOME_NET any -> [103.27.202.188] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244374; rev:1;) alert tcp $HOME_NET any -> [44.222.157.145] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accountcapabilities-pa.accguide.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ip177.ip-51-210-73.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244371; rev:1;) alert tcp $HOME_NET any -> [154.223.21.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244370; rev:1;) alert tcp $HOME_NET any -> [91.92.242.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244369; rev:1;) alert tcp $HOME_NET any -> [117.72.10.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244368; rev:1;) alert tcp $HOME_NET any -> [8.140.55.145] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244367; rev:1;) alert tcp $HOME_NET any -> [34.172.89.75] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244366/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.niggas.icu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binplat.elementfx.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"se-5.ironhide.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244364; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244362; rev:1;) alert tcp $HOME_NET any -> [81.230.10.189] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244361; rev:1;) alert tcp $HOME_NET any -> [103.116.52.207] 80 
(msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244360; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244359; rev:1;) alert tcp $HOME_NET any -> [194.127.178.5] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244358; rev:1;) alert tcp $HOME_NET any -> [36.152.201.67] 65535 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244357; rev:1;) alert tcp $HOME_NET any -> [183.249.20.106] 8090 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip140.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244355/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244355; rev:1;) alert tcp $HOME_NET any -> [34.200.37.176] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-200-37-176.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244354; rev:1;) alert tcp $HOME_NET any -> [195.211.97.9] 80 (msg:"ThreatFox Lumma Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244352; rev:1;) alert tcp $HOME_NET any -> [20.77.71.31] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244351; rev:1;) alert tcp $HOME_NET any -> [185.78.76.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244350; rev:1;) alert tcp $HOME_NET any -> [193.222.96.33] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244349; rev:1;) alert tcp $HOME_NET any -> [45.128.96.74] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244348; rev:1;) alert tcp $HOME_NET any -> [172.208.54.18] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244347; rev:1;) alert tcp $HOME_NET any -> [91.92.242.137] 8443 (msg:"ThreatFox DeimosC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kardiocentrumnitra-fingera.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fresocialcasinogames.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244344/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"126.124.141.34.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-169-174-23.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edgarmcneil.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244341; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244340; rev:1;) alert tcp $HOME_NET any -> [81.69.242.185] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244339; rev:1;) alert tcp $HOME_NET any -> 
[191.82.223.234] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244338; rev:1;) alert tcp $HOME_NET any -> [14.225.210.222] 12345 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244337; rev:1;) alert tcp $HOME_NET any -> [181.162.168.165] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244336; rev:1;) alert tcp $HOME_NET any -> [185.221.198.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244335; rev:1;) alert tcp $HOME_NET any -> [45.145.42.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas5.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1244332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mesixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fi119-files.canceltap.online"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s1.devsapi.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244331; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244329; rev:1;) alert tcp $HOME_NET any -> [185.174.101.80] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244328; rev:1;) alert 
tcp $HOME_NET any -> [147.124.217.110] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244327; rev:1;) alert tcp $HOME_NET any -> [94.156.69.174] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244326; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244324; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244325; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244323; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 1996 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244322/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244322; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244321; rev:1;) alert tcp $HOME_NET any -> [45.138.16.125] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244320; rev:1;) alert tcp $HOME_NET any -> [135.125.21.74] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244319; rev:1;) alert tcp $HOME_NET any -> [139.162.63.45] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244318; rev:1;) alert tcp $HOME_NET any -> [15.235.166.83] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244317/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244317; rev:1;) alert tcp $HOME_NET any -> [5.180.151.91] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence 
level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244315/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244315; rev:1;) alert tcp $HOME_NET any -> [91.149.253.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244316/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244316; rev:1;) alert tcp $HOME_NET any -> [194.87.213.6] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244314/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244314; rev:1;) alert tcp $HOME_NET any -> [68.183.236.120] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244313/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244313; rev:1;) alert tcp $HOME_NET any -> [64.225.53.227] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244311/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244311; rev:1;) alert tcp $HOME_NET any -> [207.174.3.213] 38443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244312/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_04; classtype:trojan-activity; sid:91244312; rev:1;) alert tcp 
$HOME_NET any -> [105.102.177.34] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244309; rev:1;) alert tcp $HOME_NET any -> [47.94.241.49] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244307; rev:1;) alert tcp $HOME_NET any -> [121.199.40.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244308; rev:1;) alert tcp $HOME_NET any -> [121.5.69.117] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244306; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244305; rev:1;) alert tcp $HOME_NET any -> [124.70.158.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244304; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244303; rev:1;) alert tcp $HOME_NET any -> [1.32.228.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244301; rev:1;) alert tcp $HOME_NET any -> [209.141.44.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244302; rev:1;) alert tcp $HOME_NET any -> [120.46.94.192] 8785 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244300; rev:1;) alert tcp $HOME_NET any -> [8.130.105.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244299; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244297; rev:1;) alert tcp $HOME_NET any -> [148.135.127.214] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244298; rev:1;) alert tcp $HOME_NET any -> [95.169.24.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244296; rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244295; rev:1;) alert tcp $HOME_NET any -> [47.236.248.52] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244294; rev:1;) alert tcp $HOME_NET any -> [193.42.61.102] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244293/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244293; rev:1;) alert tcp $HOME_NET any -> [61.160.207.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244291; rev:1;) alert tcp $HOME_NET any -> [101.34.243.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244292; rev:1;) alert tcp $HOME_NET any -> [123.57.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244290; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244289; rev:1;) alert tcp $HOME_NET any -> [94.156.66.44] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244287; rev:1;) alert tcp $HOME_NET any -> [8.130.119.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244288; rev:1;) alert tcp $HOME_NET any -> [146.190.160.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244286; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244285; rev:1;) alert tcp $HOME_NET any -> [60.204.133.143] 9876 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244283; rev:1;) alert tcp $HOME_NET any -> [45.159.210.152] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244284; rev:1;) alert tcp $HOME_NET any -> [107.173.171.251] 65443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-ellis.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244281; rev:1;) alert tcp $HOME_NET any -> [49.4.115.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244280; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244278; rev:1;) alert tcp $HOME_NET any -> [185.196.10.224] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244279; rev:1;) alert tcp $HOME_NET any -> [43.241.16.222] 56158 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244277; rev:1;) alert tcp $HOME_NET any -> [49.235.169.136] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244276; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 8023 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244275; rev:1;) alert tcp $HOME_NET any -> [43.156.27.199] 804 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244274; rev:1;) alert tcp $HOME_NET any -> [139.180.192.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244272; rev:1;) alert tcp $HOME_NET any -> [123.254.107.57] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244273; rev:1;) alert tcp $HOME_NET any -> [139.180.192.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"angry-khorana.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ucaresupport.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nice-torvalds.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244267; rev:1;) alert tcp $HOME_NET any -> [42.192.4.189] 54333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244265; rev:1;) alert tcp $HOME_NET any 
-> [38.6.223.9] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-110-41-134-233.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192.lan-vg2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jovial-ellis.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dirapushka.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"www.festive-euclid.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adoring-hellman.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ucaresupport.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beautiful-fermi.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244257; rev:1;) alert tcp $HOME_NET any -> [123.60.159.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"1.14.28.172"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"80.85.154.37"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.81.68.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244244/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"49.233.44.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.48.5.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244242; rev:1;) alert tcp $HOME_NET any -> [103.67.163.213] 9462 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244241/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/__utm.gif"; depth:10; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.4.154.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244235; rev:1;) alert tcp $HOME_NET any -> [45.77.160.60] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.recentbeelive.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244233; rev:1;) alert tcp $HOME_NET any -> [108.61.210.72] 53 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244230; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.netiapp.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"121.4.154.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.194.233.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/require-jquery-v1.js"; depth:21; nocase; http.host; content:"47.104.28.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244225; rev:1;) alert tcp $HOME_NET any -> [206.238.199.68] 48458 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vvs/inc/c874c1a5333207.php"; depth:27; nocase; http.host; content:"www.texlandbd.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244222; rev:1;) alert tcp $HOME_NET any -> [62.72.185.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; 
classtype:trojan-activity; sid:91244176; rev:1;) alert tcp $HOME_NET any -> [62.72.185.45] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244177; rev:1;) alert tcp $HOME_NET any -> [62.72.185.68] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244179; rev:1;) alert tcp $HOME_NET any -> [62.72.185.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244178; rev:1;) alert tcp $HOME_NET any -> [62.72.185.92] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244180; rev:1;) alert tcp $HOME_NET any -> [204.76.203.18] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244183; rev:1;) alert tcp $HOME_NET any -> [62.72.185.110] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244181; rev:1;) alert tcp $HOME_NET any -> [204.76.203.17] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244182; rev:1;) alert tcp $HOME_NET any -> [204.76.203.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244184; rev:1;) alert tcp $HOME_NET any -> [204.76.203.23] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244185; rev:1;) alert tcp $HOME_NET any -> [204.76.203.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244186; rev:1;) alert tcp $HOME_NET any -> [204.76.203.25] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; 
sid:91244187; rev:1;) alert tcp $HOME_NET any -> [204.76.203.26] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244188; rev:1;) alert tcp $HOME_NET any -> [204.76.203.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244189; rev:1;) alert tcp $HOME_NET any -> [204.76.203.28] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244190; rev:1;) alert tcp $HOME_NET any -> [204.76.203.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244191; rev:1;) alert tcp $HOME_NET any -> [204.76.203.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244192; rev:1;) alert tcp $HOME_NET any -> [204.76.203.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244193; rev:1;) alert tcp $HOME_NET any -> [204.76.203.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244194; rev:1;) alert tcp $HOME_NET any -> [204.76.203.242] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244195; rev:1;) alert tcp $HOME_NET any -> [204.76.203.244] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244196; rev:1;) alert tcp $HOME_NET any -> [5.181.80.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244199; rev:1;) alert tcp $HOME_NET any -> [204.76.203.248] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244197; rev:1;) alert 
tcp $HOME_NET any -> [5.181.80.49] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244198; rev:1;) alert tcp $HOME_NET any -> [5.181.80.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244200; rev:1;) alert tcp $HOME_NET any -> [5.181.80.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244201; rev:1;) alert tcp $HOME_NET any -> [5.181.80.82] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244202; rev:1;) alert tcp $HOME_NET any -> [5.181.80.83] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244203; rev:1;) alert tcp $HOME_NET any -> [5.181.80.102] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244205; rev:1;) alert tcp $HOME_NET any -> [5.181.80.123] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244206; rev:1;) alert tcp $HOME_NET any -> [5.181.80.156] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244207; rev:1;) alert tcp $HOME_NET any -> [5.181.80.100] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244204; rev:1;) alert tcp $HOME_NET any -> [5.181.80.173] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244208; rev:1;) alert tcp $HOME_NET any -> [5.181.80.174] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244209; rev:1;) alert tcp $HOME_NET any -> [5.181.80.175] 3090 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244210; rev:1;) alert tcp $HOME_NET any -> [5.181.80.176] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244211; rev:1;) alert tcp $HOME_NET any -> [5.181.80.178] 3090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244212; rev:1;) alert tcp $HOME_NET any -> [5.181.80.192] 38421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244213; rev:1;) alert tcp $HOME_NET any -> [46.101.135.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244214; rev:1;) alert tcp $HOME_NET any -> [138.197.171.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244215/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244215; rev:1;) alert tcp $HOME_NET any -> [143.110.247.222] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244216; rev:1;) alert tcp $HOME_NET any -> [147.182.149.112] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244217; rev:1;) alert tcp $HOME_NET any -> [147.182.149.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244218; rev:1;) alert tcp $HOME_NET any -> [159.89.191.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244219; rev:1;) alert tcp $HOME_NET any -> [167.99.190.250] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244220; rev:1;) alert tcp $HOME_NET any -> [178.62.242.26] 1311 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244221; rev:1;) alert tcp $HOME_NET any -> [62.72.185.34] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244175; rev:1;) alert tcp $HOME_NET any -> [62.72.185.28] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244174; rev:1;) alert tcp $HOME_NET any -> [142.171.8.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244173/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244173; rev:1;) alert tcp $HOME_NET any -> [79.137.207.163] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244172/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244172; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244171/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_03_04; classtype:trojan-activity; sid:91244171; rev:1;) alert tcp $HOME_NET any -> [3.112.78.101] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244170; rev:1;) alert tcp $HOME_NET any -> [45.32.91.55] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244169; rev:1;) alert tcp $HOME_NET any -> [185.203.116.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244168; rev:1;) alert tcp $HOME_NET any -> [109.248.150.210] 50270 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244167/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_04; classtype:trojan-activity; sid:91244167; rev:1;) alert tcp $HOME_NET any -> [34.31.226.230] 37558 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244164; rev:1;) alert tcp $HOME_NET any -> [103.186.117.243] 1947 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_04; classtype:trojan-activity; sid:91244166; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"originwealth.ydns.eu"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_04; classtype:trojan-activity; sid:91244165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sew/inc/10a5031d37bc79.php"; depth:27; nocase; http.host; content:"originwealth.ydns.eu"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"ct46452.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244161; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c44a765f550f6a2f.php"; depth:21; nocase; http.host; content:"89.105.201.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244160; rev:1;) alert tcp $HOME_NET any -> [20.84.67.57] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244159; rev:1;) alert tcp $HOME_NET any -> [82.120.216.108] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244158; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244157/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244157; rev:1;) alert tcp $HOME_NET any -> [74.48.220.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244156/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244156; rev:1;) alert tcp $HOME_NET any -> [45.67.228.91] 3666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91244155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalimagevideopipetempdownloads.php"; depth:39; nocase; http.host; content:"82.146.60.218"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244154; rev:1;) alert tcp $HOME_NET any -> [136.244.118.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244149/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244149; rev:1;) alert tcp $HOME_NET any -> [143.198.136.173] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244150/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244150; rev:1;) alert tcp $HOME_NET any -> [146.190.128.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244151; rev:1;) alert tcp $HOME_NET any -> [159.223.67.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244152/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244152; rev:1;) alert tcp $HOME_NET any -> [78.141.224.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244153/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91244153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.141.224.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"146.190.128.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.223.67.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/"; depth:1; nocase; http.host; content:"143.198.136.173"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"136.244.118.172"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pe/build.php"; depth:13; nocase; http.host; content:"yarnglove.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pstbbk.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/du.php"; depth:7; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244141/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_03_03; classtype:trojan-activity; sid:91244141; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dub.php"; depth:8; nocase; http.host; content:"glovefire.site"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gdfjkghndfjkghdfjkghdf.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1244138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp.php"; depth:7; nocase; http.host; content:"chessfang.online"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1244139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91244139; rev:1;) alert tcp $HOME_NET any -> [47.236.111.110] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244137; rev:1;) alert tcp $HOME_NET any -> [119.29.225.65] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244136/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244136; rev:1;) alert tcp $HOME_NET any -> [114.215.183.77] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244135/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244135; rev:1;) alert tcp $HOME_NET any -> [89.208.253.204] 4433 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244134/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244134; rev:1;) alert tcp $HOME_NET any -> [38.6.164.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244133/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244133; rev:1;) alert tcp $HOME_NET any -> [193.233.132.113] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244132; rev:1;) alert tcp $HOME_NET any -> [193.233.132.194] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244131; rev:1;) alert tcp $HOME_NET any -> [87.241.217.87] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244130; rev:1;) alert tcp $HOME_NET any -> [65.0.98.39] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244129; rev:1;) alert tcp $HOME_NET any -> [185.62.57.11] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244128; rev:1;) alert tcp $HOME_NET any -> [184.144.200.107] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244127; rev:1;) alert tcp $HOME_NET any -> [213.142.159.91] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244126; rev:1;) alert tcp $HOME_NET any -> [94.98.194.203] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244125; rev:1;) alert tcp $HOME_NET any -> 
[94.96.157.6] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244124; rev:1;) alert tcp $HOME_NET any -> [94.49.180.101] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244123; rev:1;) alert tcp $HOME_NET any -> [64.237.212.192] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244122; rev:1;) alert tcp $HOME_NET any -> [41.109.32.78] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244121; rev:1;) alert tcp $HOME_NET any -> [140.82.54.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244120; rev:1;) alert tcp $HOME_NET any -> [45.74.60.199] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244119/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244119; rev:1;) alert tcp $HOME_NET any -> [185.29.11.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244118; rev:1;) alert tcp $HOME_NET any -> [41.68.133.39] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244117; rev:1;) alert tcp $HOME_NET any -> [38.146.219.232] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244116; rev:1;) alert tcp $HOME_NET any -> [50.3.70.191] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244115; rev:1;) alert tcp $HOME_NET any -> [45.88.186.108] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244114; rev:1;) alert tcp $HOME_NET any -> [185.169.180.151] 82 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244113; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244112/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244112; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244111/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244111; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244110/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244110; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244109; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244108; rev:1;) alert tcp 
$HOME_NET any -> [187.135.85.245] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244107/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244107; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244106; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244105; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244104; rev:1;) alert tcp $HOME_NET any -> [198.50.138.20] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244103/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244103; rev:1;) alert tcp $HOME_NET any -> [198.27.120.255] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244102/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244102; rev:1;) alert tcp $HOME_NET any -> [80.253.246.36] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244101; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244100; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244099/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244099; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244098/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244098; rev:1;) alert tcp $HOME_NET any -> [88.243.82.116] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244097; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2002 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244096/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244096; rev:1;) alert tcp $HOME_NET any -> [185.219.177.105] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244095/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244095; rev:1;) alert tcp $HOME_NET any -> [83.229.84.160] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244094/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244094; rev:1;) alert tcp $HOME_NET any -> [193.222.96.115] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244093; rev:1;) alert tcp $HOME_NET any -> [87.120.84.188] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244092; rev:1;) alert tcp $HOME_NET any -> [213.14.155.98] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244091; rev:1;) 
alert tcp $HOME_NET any -> [108.165.106.7] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244090; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244089; rev:1;) alert tcp $HOME_NET any -> [87.121.87.101] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244088; rev:1;) alert tcp $HOME_NET any -> [159.65.150.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244087; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244086; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244085; rev:1;) alert tcp $HOME_NET any -> [42.193.16.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244084; rev:1;) alert tcp $HOME_NET any -> [47.97.110.109] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244083/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244083; rev:1;) alert tcp $HOME_NET any -> [81.70.0.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244082/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244082; rev:1;) alert tcp $HOME_NET any -> [117.50.182.87] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244081/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244081; rev:1;) alert tcp $HOME_NET any -> [39.105.101.138] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244080; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 50050 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244079; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244078/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244078; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244077; rev:1;) alert tcp $HOME_NET any -> [110.41.134.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244076/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244076; rev:1;) alert tcp $HOME_NET any -> [103.191.15.10] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244075; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244074/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244074; rev:1;) alert tcp $HOME_NET any -> [101.133.164.210] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244073; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244072/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244072; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244071/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244071; rev:1;) alert tcp $HOME_NET any -> [114.132.218.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244070/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244070; rev:1;) alert tcp $HOME_NET any -> [139.9.41.156] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244069/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244069; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244068/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244068; rev:1;) alert tcp $HOME_NET any -> [121.40.63.121] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244067; rev:1;) alert tcp $HOME_NET any -> [34.82.156.114] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244066/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244066; rev:1;) alert tcp $HOME_NET any -> [104.225.235.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244065; rev:1;) alert tcp $HOME_NET any -> [137.220.197.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244064; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; 
sid:91244063; rev:1;) alert tcp $HOME_NET any -> [149.88.75.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244062; rev:1;) alert tcp $HOME_NET any -> [204.93.201.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244061; rev:1;) alert tcp $HOME_NET any -> [47.76.140.200] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244060; rev:1;) alert tcp $HOME_NET any -> [15.168.110.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244059; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244058; rev:1;) alert tcp $HOME_NET any -> [103.163.208.121] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1244057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244057; rev:1;) alert tcp $HOME_NET any -> [45.86.162.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244056; rev:1;) alert tcp $HOME_NET any -> [88.214.27.74] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244055; rev:1;) alert tcp $HOME_NET any -> [64.23.179.131] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244054; rev:1;) alert tcp $HOME_NET any -> [107.151.240.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244053; rev:1;) alert tcp $HOME_NET any -> [85.114.96.2] 80 (msg:"ThreatFox MintStealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244051; rev:1;) alert tcp $HOME_NET any -> [54.221.151.132] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244049; rev:1;) alert tcp $HOME_NET any -> [13.232.135.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244048; rev:1;) alert tcp $HOME_NET any -> [54.221.151.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244047; rev:1;) alert tcp $HOME_NET any -> [103.86.130.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244046; rev:1;) alert tcp $HOME_NET any -> [103.86.130.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244045; rev:1;) alert tcp $HOME_NET any -> [103.86.131.147] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91244044; rev:1;) alert tcp $HOME_NET any -> [220.69.33.81] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244043; rev:1;) alert tcp $HOME_NET any -> [103.86.131.60] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244042; rev:1;) alert tcp $HOME_NET any -> [13.37.127.130] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244041; rev:1;) alert tcp $HOME_NET any -> [45.67.231.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244040; rev:1;) alert tcp $HOME_NET any -> [18.232.250.39] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244039; rev:1;) alert tcp $HOME_NET any -> [172.233.33.155] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1244038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244038; rev:1;) alert tcp $HOME_NET any -> [52.87.175.64] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244037; rev:1;) alert tcp $HOME_NET any -> [159.100.13.218] 8889 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244036; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244035; rev:1;) alert tcp $HOME_NET any -> [4.245.215.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244034; rev:1;) alert tcp $HOME_NET any -> [13.232.153.222] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244033; rev:1;) alert tcp $HOME_NET any -> [175.136.80.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244032; rev:1;) alert tcp $HOME_NET any -> [38.87.196.103] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244031; rev:1;) alert tcp $HOME_NET any -> [91.92.241.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244030; rev:1;) alert tcp $HOME_NET any -> [13.233.120.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244029; rev:1;) alert tcp $HOME_NET any -> [109.123.247.164] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244028; rev:1;) alert tcp $HOME_NET any -> [144.217.238.169] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91244027; rev:1;) alert tcp $HOME_NET any -> [159.223.86.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244026; rev:1;) alert tcp $HOME_NET any -> [77.91.74.224] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244025; rev:1;) alert tcp $HOME_NET any -> [46.4.162.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244024; rev:1;) alert tcp $HOME_NET any -> [207.154.218.205] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244023; rev:1;) alert tcp $HOME_NET any -> [43.204.111.25] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244022; rev:1;) alert tcp $HOME_NET any -> [38.92.97.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1244021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244021; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244020; rev:1;) alert tcp $HOME_NET any -> [201.230.41.153] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244019; rev:1;) alert tcp $HOME_NET any -> [128.46.157.249] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244018/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244018; rev:1;) alert tcp $HOME_NET any -> [108.59.196.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244017/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244017; rev:1;) alert tcp $HOME_NET any -> [38.87.198.48] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244016/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244016; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244015/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244015; rev:1;) alert tcp $HOME_NET any -> [206.188.196.251] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244014/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244014; rev:1;) alert tcp $HOME_NET any -> [5.255.102.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244013/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244013; rev:1;) alert tcp $HOME_NET any -> [198.52.128.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244012/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244012; rev:1;) alert tcp $HOME_NET any -> [64.190.113.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244011/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244011; rev:1;) alert tcp $HOME_NET any -> [54.193.250.83] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244010/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244010; rev:1;) alert tcp $HOME_NET any -> [173.249.11.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244009/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244009; rev:1;) alert tcp $HOME_NET any -> [217.160.39.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244008; rev:1;) alert tcp $HOME_NET any -> [34.16.167.198] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244007/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244007; rev:1;) alert tcp $HOME_NET any -> [123.16.208.62] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244006/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244006; rev:1;) alert tcp $HOME_NET any -> [51.116.102.221] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244005/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244005; rev:1;) alert tcp $HOME_NET any -> [41.216.183.181] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244004; rev:1;) alert tcp $HOME_NET any -> [193.32.162.64] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244003/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244003; rev:1;) alert tcp $HOME_NET any -> [185.81.114.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244002/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244002; rev:1;) alert tcp $HOME_NET any -> [78.38.80.242] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244001/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244001; rev:1;) alert tcp $HOME_NET any -> [60.204.215.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1244000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91244000; rev:1;) alert tcp $HOME_NET any -> [176.123.3.245] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243999; rev:1;) alert 
tcp $HOME_NET any -> [152.89.198.72] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243998/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243998; rev:1;) alert tcp $HOME_NET any -> [41.216.189.203] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243997; rev:1;) alert tcp $HOME_NET any -> [49.13.130.177] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243996; rev:1;) alert tcp $HOME_NET any -> [194.0.206.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243995; rev:1;) alert tcp $HOME_NET any -> [107.175.0.200] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243994; rev:1;) alert tcp $HOME_NET any -> [213.109.202.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243993; rev:1;) alert tcp $HOME_NET any -> [158.255.1.15] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243992/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243992; rev:1;) alert tcp $HOME_NET any -> [175.136.87.155] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243991; rev:1;) alert tcp $HOME_NET any -> [185.158.248.34] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243990; rev:1;) alert tcp $HOME_NET any -> [141.98.234.46] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243989; rev:1;) alert tcp $HOME_NET any -> [108.30.148.85] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243988; rev:1;) alert tcp $HOME_NET any -> [77.105.166.172] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243987/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243987; rev:1;) alert tcp $HOME_NET any -> [83.41.137.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243986/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243986; rev:1;) alert tcp $HOME_NET any -> [38.99.82.235] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243985; rev:1;) alert tcp $HOME_NET any -> [88.119.167.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243984; rev:1;) alert tcp $HOME_NET any -> [37.27.5.78] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243983/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243983; rev:1;) alert tcp $HOME_NET any -> [95.216.221.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91243982; rev:1;) alert tcp $HOME_NET any -> [45.227.254.4] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243981; rev:1;) alert tcp $HOME_NET any -> [130.51.22.23] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243980; rev:1;) alert tcp $HOME_NET any -> [47.250.145.12] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243979; rev:1;) alert tcp $HOME_NET any -> [138.201.10.112] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagecpusql.php"; depth:16; nocase; http.host; content:"058493cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243977; rev:1;) alert tcp $HOME_NET any -> [35.197.194.79] 2376 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243976; rev:1;) alert tcp $HOME_NET any -> [35.195.225.207] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243975; rev:1;) alert tcp $HOME_NET any -> [220.158.216.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243974; rev:1;) alert tcp $HOME_NET any -> [35.228.165.245] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243973; rev:1;) alert tcp $HOME_NET any -> [34.88.169.69] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243972; rev:1;) alert tcp $HOME_NET any -> [38.60.191.190] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; 
classtype:trojan-activity; sid:91243971; rev:1;) alert tcp $HOME_NET any -> [93.66.153.13] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243970; rev:1;) alert tcp $HOME_NET any -> [52.91.67.138] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243969; rev:1;) alert tcp $HOME_NET any -> [49.232.250.192] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243968/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243968; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243967; rev:1;) alert tcp $HOME_NET any -> [47.103.218.35] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243966/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243966; rev:1;) alert tcp $HOME_NET any -> [3.146.206.189] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243965/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243965; rev:1;) alert tcp $HOME_NET any -> [121.43.58.124] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243964/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243964; rev:1;) alert tcp $HOME_NET any -> [38.180.105.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243963; rev:1;) alert tcp $HOME_NET any -> [111.231.140.197] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243962/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243962; rev:1;) alert tcp $HOME_NET any -> [38.47.123.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243961; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 9998 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243960; rev:1;) alert tcp $HOME_NET any -> 
[107.191.53.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243959; rev:1;) alert tcp $HOME_NET any -> [47.96.174.24] 8060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243958; rev:1;) alert tcp $HOME_NET any -> [49.233.44.237] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243957; rev:1;) alert tcp $HOME_NET any -> [80.85.154.37] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243956; rev:1;) alert tcp $HOME_NET any -> [49.233.44.237] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_03; classtype:trojan-activity; sid:91243955; rev:1;) alert tcp $HOME_NET any -> [94.156.64.143] 9821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243954/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/topipe3process/javascripttemporarytrackcdn/universaldb1process/uploadslocalcpu/windows/externalvmproviderline/linux/10sql/1authvoiddb/updatetraffic/pipe/generatorflowersql/trafficgamevideo/tracklocal3http/authpublicupdatewindows/geocpudatalifejs/geo/poll_cpuvm/cpuprocessordefaultdblinuxgeneratordownloadstemporary.php"; depth:319; nocase; http.host; content:"80.78.243.170"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243953; rev:1;) alert tcp $HOME_NET any -> [46.23.108.249] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243946; rev:1;) alert tcp $HOME_NET any -> [45.125.66.102] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243949; rev:1;) alert tcp $HOME_NET any -> [46.23.108.250] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243947; rev:1;) alert tcp $HOME_NET any -> [46.23.108.251] 61616 (msg:"ThreatFox Mirai botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243948; rev:1;) alert tcp $HOME_NET any -> [45.125.66.100] 61616 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.231.140.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"112.252.202.220"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243945; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jdkgradle.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243944; rev:1;) alert tcp $HOME_NET any -> [84.54.51.142] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243943; rev:1;) alert tcp $HOME_NET any -> [107.148.1.128] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.148.1.128"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"43.134.23.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243938; rev:1;) alert tcp $HOME_NET any -> [135.181.241.148] 49113 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243907; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243908; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12125 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check.php"; depth:10; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bebrik.php"; depth:11; nocase; http.host; content:"5.42.65.20"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243912; rev:1;) alert tcp $HOME_NET any -> [5.42.65.20] 80 (msg:"ThreatFox Phonk botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzdinzu5njjkztnm/"; depth:18; nocase; http.host; content:"185.198.69.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243920/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243920; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243923; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; sid:91243924; rev:1;) alert tcp $HOME_NET any -> [62.109.6.72] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243937; rev:1;) alert tcp $HOME_NET any -> [91.240.84.52] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243936; rev:1;) alert tcp $HOME_NET any -> [92.246.139.121] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243935; rev:1;) alert tcp $HOME_NET any -> [198.46.226.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243934; rev:1;) alert tcp $HOME_NET any -> [147.45.47.41] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243933; rev:1;) alert tcp $HOME_NET any -> [91.202.233.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243932; rev:1;) alert tcp $HOME_NET any -> [103.61.225.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243931/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243931; rev:1;) alert tcp $HOME_NET any -> [104.238.60.87] 5995 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243930/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243930; rev:1;) alert tcp $HOME_NET any -> [142.129.135.121] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243929/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243929; 
rev:1;) alert tcp $HOME_NET any -> [34.124.224.8] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243928/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"125.46.203.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"pushkinorigin.ydns.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_03; classtype:trojan-activity; sid:91243926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wiz/inc/1d7c50187af637.php"; depth:27; nocase; http.host; content:"pushkinorigin.ydns.eu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243925; rev:1;) alert tcp $HOME_NET any -> [154.27.70.229] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_03; classtype:trojan-activity; 
sid:91243922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9625229d.php"; depth:13; nocase; http.host; content:"a0925146.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_03; classtype:trojan-activity; sid:91243921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab3a3bb6.php"; depth:13; nocase; http.host; content:"a0922245.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243919; rev:1;) alert tcp $HOME_NET any -> [170.130.55.139] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realzoogroup.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realzoogroup.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1243917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243917; rev:1;) alert tcp $HOME_NET any -> [88.214.25.254] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243915; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ab.html"; depth:8; nocase; http.host; content:"86.106.20.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243914; rev:1;) alert tcp $HOME_NET any -> [104.167.221.222] 555 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243906/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243906; rev:1;) alert tcp $HOME_NET any -> [51.250.20.138] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243905; rev:1;) alert tcp $HOME_NET any -> [31.190.68.42] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; 
classtype:trojan-activity; sid:91243904; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 5432 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243903; rev:1;) alert tcp $HOME_NET any -> [45.55.128.82] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243902; rev:1;) alert tcp $HOME_NET any -> [218.28.172.4] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243901; rev:1;) alert tcp $HOME_NET any -> [91.92.253.185] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243900/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metis-info.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"who.juniorfoxy.ooo"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"juniorfoxy.ooo"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ravec2.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"what.ravec2.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heihuo8.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botce.heihuo8.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243893/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_03_02; classtype:trojan-activity; sid:91243893; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 10202 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243887/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243887; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 49833 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243888/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243888; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 42754 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243889/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243889; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 43778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243890/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243890; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 41730 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243891/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243891; rev:1;) alert tcp $HOME_NET any -> [209.25.141.2] 41735 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"remasterprodelherskjs.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1243881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cayennesxque.boo"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1243882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"porsherses.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1243883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"remasterprodelherskjs.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cayennesxque.boo"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243885/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"porsherses.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243886; rev:1;) alert tcp $HOME_NET any -> [89.117.23.25] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243823/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243823; rev:1;) alert tcp $HOME_NET any -> [198.46.176.140] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243835; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243821/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovalasgo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243822; rev:1;) 
alert tcp $HOME_NET any -> [3.66.38.117] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243819/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243819; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243817/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243817; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 12765 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243818/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243818; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17526 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243815/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243815; rev:1;) alert tcp $HOME_NET any -> [198.27.120.241] 1337 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243607/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243607; rev:1;) alert tcp $HOME_NET any -> [144.172.73.36] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243610/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243610; rev:1;) alert tcp $HOME_NET any -> [91.92.252.32] 2112 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243609; rev:1;) alert tcp $HOME_NET any -> [198.46.203.232] 8723 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243836; rev:1;) alert tcp $HOME_NET any -> [91.92.254.23] 5656 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243837; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243844/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_02; classtype:trojan-activity; sid:91243844; rev:1;) alert tcp $HOME_NET any -> [91.92.253.177] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243838; rev:1;) alert tcp $HOME_NET any -> [91.92.242.8] 6996 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243839; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243845; rev:1;) alert tcp $HOME_NET any -> [94.156.8.80] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243846; rev:1;) alert tcp $HOME_NET any -> [136.243.156.120] 53252 (msg:"ThreatFox unidentified_001 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243855; rev:1;) alert tcp $HOME_NET any -> [210.117.212.93] 4242 (msg:"ThreatFox unidentified_001 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tempdownloads.php"; depth:18; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243880/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.71.130.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.143.143.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243876; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243874; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243873; rev:1;) alert tcp $HOME_NET any -> [18.116.36.101] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"18.116.36.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243871/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"111.231.146.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aerh.azureedge.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243868; rev:1;) alert tcp $HOME_NET any -> [159.89.187.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"aerh.azureedge.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; 
content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"47.96.174.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.11.61.168"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.181.70.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; 
classtype:trojan-activity; sid:91243861; rev:1;) alert tcp $HOME_NET any -> [38.181.70.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.134.221.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.174.241.206"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243859; rev:1;) alert tcp $HOME_NET any -> [101.34.83.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"101.34.83.35"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243857; rev:1;) alert tcp $HOME_NET any -> [186.195.175.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243854/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243854; rev:1;) alert tcp $HOME_NET any -> [47.96.143.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243853/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243853; rev:1;) alert tcp $HOME_NET any -> [124.168.78.165] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243852/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243852; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243851/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_02; classtype:trojan-activity; sid:91243851; rev:1;) alert tcp $HOME_NET any -> [159.203.25.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dingo"; depth:6; nocase; http.host; content:"159.203.25.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.shelter-paws.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.shelter-paws.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243847; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243843; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243841; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19080 (msg:"ThreatFox NjRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243842; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243840; rev:1;) alert tcp $HOME_NET any -> [45.144.166.168] 1234 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243834; rev:1;) alert tcp $HOME_NET any -> [45.77.72.150] 13917 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243833/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243833; rev:1;) alert tcp $HOME_NET any -> [43.245.199.191] 10 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243832/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243832; rev:1;) alert tcp $HOME_NET any -> [138.2.37.89] 36541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243831/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; 
classtype:trojan-activity; sid:91243831; rev:1;) alert tcp $HOME_NET any -> [81.161.238.67] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243830; rev:1;) alert tcp $HOME_NET any -> [134.209.106.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243829; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 666 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243828/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243828; rev:1;) alert tcp $HOME_NET any -> [82.146.45.177] 80 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243827; rev:1;) alert tcp $HOME_NET any -> [185.142.238.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243826; rev:1;) alert tcp $HOME_NET any -> [94.131.106.24] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1243825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_02; classtype:trojan-activity; sid:91243825; rev:1;) alert tcp $HOME_NET any -> [45.137.22.243] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_02; classtype:trojan-activity; sid:91243824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/calculate/in/s94apdy8m"; depth:23; nocase; http.host; content:"47.94.138.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922009.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243816; rev:1;) alert tcp $HOME_NET any -> [52.57.248.145] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243814; rev:1;) alert tcp $HOME_NET any -> [34.246.235.101] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243813; rev:1;) alert tcp $HOME_NET any -> [185.84.162.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243812; rev:1;) alert tcp $HOME_NET any -> [185.45.195.223] 44133 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243811; rev:1;) alert tcp $HOME_NET any -> [20.161.143.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243809; rev:1;) alert tcp $HOME_NET any -> [20.53.122.123] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243810; rev:1;) alert tcp $HOME_NET any -> [40.124.178.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243808; rev:1;) alert 
tcp $HOME_NET any -> [3.230.227.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243807; rev:1;) alert tcp $HOME_NET any -> [172.166.109.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243806; rev:1;) alert tcp $HOME_NET any -> [20.246.36.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243804; rev:1;) alert tcp $HOME_NET any -> [148.135.18.146] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243805; rev:1;) alert tcp $HOME_NET any -> [88.92.248.233] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243803; rev:1;) alert tcp $HOME_NET any -> [203.150.107.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243802; rev:1;) alert tcp $HOME_NET any -> [20.96.214.209] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243801; rev:1;) alert tcp $HOME_NET any -> [47.101.199.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243800; rev:1;) alert tcp $HOME_NET any -> [23.102.177.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243799; rev:1;) alert tcp $HOME_NET any -> [13.246.74.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243798; rev:1;) alert tcp $HOME_NET any -> [159.65.154.173] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243797; rev:1;) alert tcp $HOME_NET any -> [64.23.192.202] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243796; rev:1;) alert tcp $HOME_NET any -> [52.21.238.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243795; rev:1;) alert tcp $HOME_NET any -> [3.248.97.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243793; rev:1;) alert tcp $HOME_NET any -> [4.195.13.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243794; rev:1;) alert tcp $HOME_NET any -> [209.126.11.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243792; rev:1;) alert tcp $HOME_NET any -> [52.230.156.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243791/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243791; rev:1;) alert tcp $HOME_NET any -> [141.95.103.204] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243790; rev:1;) alert tcp $HOME_NET any -> [3.17.238.239] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243789; rev:1;) alert tcp $HOME_NET any -> [172.105.90.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243788; rev:1;) alert tcp $HOME_NET any -> [35.91.72.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243787; rev:1;) alert tcp $HOME_NET any -> [164.90.225.172] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243786; rev:1;) alert tcp $HOME_NET any -> [139.224.226.16] 80 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243785; rev:1;) alert tcp $HOME_NET any -> [46.101.67.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243784; rev:1;) alert tcp $HOME_NET any -> [143.198.142.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243783; rev:1;) alert tcp $HOME_NET any -> [185.67.144.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243782; rev:1;) alert tcp $HOME_NET any -> [172.166.104.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243781; rev:1;) alert tcp $HOME_NET any -> [79.136.1.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243780/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243780; rev:1;) alert tcp $HOME_NET any -> [148.251.70.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243779; rev:1;) alert tcp $HOME_NET any -> [34.16.179.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243778; rev:1;) alert tcp $HOME_NET any -> [52.91.198.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243777; rev:1;) alert tcp $HOME_NET any -> [20.197.1.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louiseanderson.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"webmail.afld.afld.email"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mehdi.fargan.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243773; rev:1;) alert tcp $HOME_NET any -> [120.27.130.110] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243772; rev:1;) alert tcp $HOME_NET any -> [38.6.217.139] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243771; rev:1;) alert tcp $HOME_NET any -> [124.223.60.44] 59988 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243770; rev:1;) alert tcp $HOME_NET any -> [209.141.35.155] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243769/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.telefonemusk.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.55.253.216.95.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243767; rev:1;) alert tcp $HOME_NET any -> [94.156.65.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243766; rev:1;) alert tcp $HOME_NET any -> [94.156.65.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243765; rev:1;) alert tcp $HOME_NET any -> [144.172.73.36] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243764; rev:1;) alert tcp $HOME_NET any -> 
[137.175.17.137] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243763; rev:1;) alert tcp $HOME_NET any -> [194.116.216.83] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243761; rev:1;) alert tcp $HOME_NET any -> [194.48.250.11] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fsdjkhfkjsdhfkjdhfgg.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dqspduqsfjksdfhgjks.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-234-189-192.compute-1.amazonaws.com"; depth:42; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.onceuponatimeiwent.online"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89-73-53-34.dynamic.chello.pl"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243756; rev:1;) alert tcp $HOME_NET any -> [89.73.53.34] 443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243755; rev:1;) alert tcp $HOME_NET any -> [158.255.74.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243754; rev:1;) alert tcp $HOME_NET any -> [94.156.69.44] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243753; rev:1;) alert tcp $HOME_NET any -> [94.156.69.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243752; rev:1;) alert tcp $HOME_NET any -> [20.0.153.70] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243751; rev:1;) alert tcp $HOME_NET any -> [103.215.124.119] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243750; rev:1;) alert tcp $HOME_NET any -> [111.90.145.26] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243748; rev:1;) alert tcp $HOME_NET any -> [103.215.124.60] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243749; rev:1;) alert tcp $HOME_NET any -> [188.119.112.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243747; rev:1;) alert tcp $HOME_NET any -> [94.156.8.224] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243746; rev:1;) alert tcp $HOME_NET any -> [103.155.214.134] 443 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243745; rev:1;) alert tcp $HOME_NET any -> [181.215.4.52] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kcrn.sk"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test-control.rnb-team.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"211.20.97.83.ro.ovo.sc"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243742; rev:1;) alert tcp $HOME_NET any -> [195.214.254.161] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243740; rev:1;) alert tcp $HOME_NET any -> [181.161.15.137] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243738; rev:1;) alert tcp $HOME_NET any -> [51.178.185.143] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"coinprime.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas3.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1243736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243736; rev:1;) alert tcp $HOME_NET any -> [109.116.212.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip181.ip-51-81-90.us"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243733; rev:1;) alert tcp $HOME_NET any -> [93.148.180.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243732; rev:1;) alert tcp $HOME_NET any -> [51.195.231.121] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243731; rev:1;) alert tcp $HOME_NET any -> [185.174.101.80] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243729; rev:1;) alert tcp $HOME_NET any 
-> [172.111.148.11] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243730; rev:1;) alert tcp $HOME_NET any -> [216.250.255.99] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243728; rev:1;) alert tcp $HOME_NET any -> [216.250.255.99] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243727; rev:1;) alert tcp $HOME_NET any -> [38.180.30.53] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243726; rev:1;) alert tcp $HOME_NET any -> [51.89.109.154] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243724; rev:1;) alert tcp $HOME_NET any -> [51.89.109.154] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243725/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243725; rev:1;) alert tcp $HOME_NET any -> [147.124.217.110] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243723; rev:1;) alert tcp $HOME_NET any -> [147.124.217.110] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243722; rev:1;) alert tcp $HOME_NET any -> [91.92.246.152] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243721; rev:1;) alert tcp $HOME_NET any -> [91.92.246.134] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243720; rev:1;) alert tcp $HOME_NET any -> [142.11.201.125] 8712 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243718; rev:1;) alert tcp $HOME_NET any -> [94.156.69.174] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243719; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243717; rev:1;) alert tcp $HOME_NET any -> [89.117.49.133] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243716; rev:1;) alert tcp $HOME_NET any -> [69.64.95.233] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243715; rev:1;) alert tcp $HOME_NET any -> [94.156.69.251] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243714; rev:1;) alert tcp $HOME_NET any -> [193.124.205.80] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243712; rev:1;) 
alert tcp $HOME_NET any -> [188.126.90.14] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243713; rev:1;) alert tcp $HOME_NET any -> [128.90.122.163] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243711; rev:1;) alert tcp $HOME_NET any -> [192.159.99.54] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243710; rev:1;) alert tcp $HOME_NET any -> [172.245.134.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243709; rev:1;) alert tcp $HOME_NET any -> [38.55.204.19] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243708; rev:1;) alert tcp $HOME_NET any -> [78.89.158.155] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243707/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243707; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243705/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243705; rev:1;) alert tcp $HOME_NET any -> [45.10.246.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243706; rev:1;) alert tcp $HOME_NET any -> [121.43.52.194] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243704/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243704; rev:1;) alert tcp $HOME_NET any -> [104.40.132.124] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243703/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243703; rev:1;) alert tcp $HOME_NET any -> [137.184.114.2] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243702/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243702; rev:1;) alert tcp $HOME_NET any -> [195.201.223.219] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243701/; target:src_ip; metadata: confidence_level 90, first_seen 2024_03_01; classtype:trojan-activity; sid:91243701; rev:1;) alert tcp $HOME_NET any -> [105.100.30.87] 1001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243700; rev:1;) alert tcp $HOME_NET any -> [149.28.155.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243699; rev:1;) alert tcp $HOME_NET any -> [176.32.38.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243698; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243696; rev:1;) alert tcp $HOME_NET any -> [47.109.149.105] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243697; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243695; rev:1;) alert tcp $HOME_NET any -> [185.81.68.249] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243694; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243692; rev:1;) alert tcp $HOME_NET any -> [43.134.20.68] 9520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243693; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243691; rev:1;) alert tcp $HOME_NET any -> [47.98.232.222] 22311 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243690; rev:1;) alert tcp $HOME_NET any -> [119.91.209.244] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243689; rev:1;) alert tcp $HOME_NET any -> [47.109.106.162] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243687; rev:1;) alert tcp $HOME_NET any -> [94.156.67.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243688; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243686; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243685; rev:1;) alert tcp 
$HOME_NET any -> [182.149.199.249] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243684; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243683; rev:1;) alert tcp $HOME_NET any -> [114.116.18.42] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243681; rev:1;) alert tcp $HOME_NET any -> [43.139.122.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243682; rev:1;) alert tcp $HOME_NET any -> [123.57.186.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243680; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243679; rev:1;) alert tcp $HOME_NET any -> [111.231.74.147] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243678; rev:1;) alert tcp $HOME_NET any -> [121.36.77.90] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243677; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243676; rev:1;) alert tcp $HOME_NET any -> [138.201.132.254] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243675; rev:1;) alert tcp $HOME_NET any -> [185.204.0.115] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243674; rev:1;) alert tcp $HOME_NET any -> [154.3.1.95] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243673; rev:1;) alert tcp $HOME_NET any -> [111.229.213.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243672; rev:1;) alert tcp $HOME_NET any -> [60.204.151.115] 3214 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243670; rev:1;) alert tcp $HOME_NET any -> [8.130.95.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243671; rev:1;) alert tcp $HOME_NET any -> [175.27.162.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243669; rev:1;) alert tcp $HOME_NET any -> [39.107.89.22] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243668/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243668; rev:1;) alert tcp $HOME_NET any -> [39.105.204.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nebula-cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243666; rev:1;) alert tcp $HOME_NET any -> [123.56.251.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243665; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243663; rev:1;) alert tcp $HOME_NET any -> [43.153.228.97] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243664; rev:1;) alert tcp $HOME_NET any -> [39.109.127.135] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243662; rev:1;) alert tcp $HOME_NET any -> [159.75.104.8] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243661; rev:1;) alert tcp $HOME_NET any -> [47.98.120.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243659; rev:1;) alert tcp $HOME_NET any -> [117.72.46.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243660; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243658; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243657/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243657; rev:1;) alert tcp $HOME_NET any -> [8.134.221.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243655; rev:1;) alert tcp $HOME_NET any -> [119.91.214.99] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243656; rev:1;) alert tcp $HOME_NET any -> [172.105.37.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243654; rev:1;) alert tcp $HOME_NET any -> [103.243.212.108] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243653; rev:1;) alert tcp $HOME_NET any -> [8.217.186.171] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243651; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"odoo.tendadaalma.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243652; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243650; rev:1;) alert tcp $HOME_NET any -> [74.235.140.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243649; rev:1;) alert tcp $HOME_NET any -> [118.89.124.242] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.distracted-cannon.104-168-102-175.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-cerf.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1243647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243647; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hungry-dijkstra.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.adoring-hellman.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243645; rev:1;) alert tcp $HOME_NET any -> [120.79.44.225] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-116-36-101.us-east-2.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.confident-bouman.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1243642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.friendly-dirac.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fra-col.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"optimistic-rubin.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-torvalds.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-75-210-134.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1243637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.vigilant-kare.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"friendly-dirac.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243634; rev:1;) alert tcp $HOME_NET any -> [5.35.99.203] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243633; rev:1;) alert tcp $HOME_NET any -> [80.253.246.232] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243631; rev:1;) alert tcp $HOME_NET any -> [217.197.107.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243630; rev:1;) alert tcp $HOME_NET any -> [65.20.69.208] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243629/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243629; rev:1;) alert tcp $HOME_NET any -> [180.140.129.152] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243628; rev:1;) alert tcp $HOME_NET any -> [193.92.248.35] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243627; rev:1;) alert tcp $HOME_NET any -> [167.56.207.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243626/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243626; rev:1;) alert tcp $HOME_NET any -> [176.44.108.225] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243625/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243625; rev:1;) alert tcp $HOME_NET any -> [185.174.8.138] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243624/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243624; rev:1;) alert tcp $HOME_NET any -> [200.234.235.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243623/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243623; rev:1;) alert tcp $HOME_NET any -> [185.225.70.160] 27311 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243622/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243622; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 40484 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243621/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243621; rev:1;) alert tcp $HOME_NET any -> [64.74.160.238] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243620/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243620; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 49553 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243619/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243619; rev:1;) alert tcp $HOME_NET any -> [45.137.22.156] 55615 (msg:"ThreatFox RedLine Stealer botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243618; rev:1;) alert tcp $HOME_NET any -> [2.58.85.145] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243617; rev:1;) alert tcp $HOME_NET any -> [194.87.252.184] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpserver0windows/wppublicjs/proton_vmpacket/generator8wpbase/external_/_wplow8/universalflower/3/line62/7publicpacket/geocpuupdatedefaultasyncpublicprivateuploadsdownloads.php"; depth:178; nocase; http.host; content:"176.124.192.196"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243615; rev:1;) alert tcp $HOME_NET any -> [185.161.208.123] 8763 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243614; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9cf11b76.php"; depth:13; nocase; http.host; content:"pipikaka-ggg.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243613; rev:1;) alert tcp $HOME_NET any -> [162.19.208.109] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243612; rev:1;) alert tcp $HOME_NET any -> [94.131.11.34] 10006 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243611; rev:1;) alert tcp $HOME_NET any -> [185.222.58.81] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243608; rev:1;) alert tcp $HOME_NET any -> [42.237.25.52] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/errorpage/catzx.scr"; depth:20; nocase; http.host; content:"universalmovies.top"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pollsql.php"; depth:12; nocase; http.host; content:"185.130.46.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0924648.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243603; rev:1;) alert tcp $HOME_NET any -> [91.92.244.104] 655 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243582/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243582; rev:1;) alert tcp $HOME_NET any -> [103.173.255.143] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243600/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243600; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"srophuchung.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243601/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243601; rev:1;) alert tcp $HOME_NET any -> [43.249.193.230] 8712 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/include/template/isx.php"; depth:25; nocase; http.host; content:"qq.qqweixinzhuce.top"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qq.qqweixinzhuce.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"111.229.198.177"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243595; rev:1;) alert tcp $HOME_NET any -> [111.229.198.177] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"8.222.150.46"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"120.27.131.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.201.46.105"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243592; rev:1;) alert tcp $HOME_NET any -> [107.151.246.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cs"; depth:3; nocase; http.host; content:"www.micshcnds.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micshcnds.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.113.195.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243588; rev:1;) alert tcp $HOME_NET any -> [18.192.209.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/accelerate/v3.33/1f7jw12fqr2v"; depth:30; nocase; http.host; content:"18.192.209.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"test.qqweixinzhuce.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.qqweixinzhuce.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243585; rev:1;) alert tcp $HOME_NET any -> [139.64.172.17] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243583/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"43.134.183.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"147.78.47.183"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.199.180.136"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243573; rev:1;) 
alert tcp $HOME_NET any -> [118.89.124.242] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/facvicon.jpg"; depth:19; nocase; http.host; content:"117.50.47.141"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243570; rev:1;) alert tcp $HOME_NET any -> [143.244.186.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn043sc.azureedge.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; 
sid:91243568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ms-settings-proximity"; depth:22; nocase; http.host; content:"cdn043sc.azureedge.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nv"; depth:3; nocase; http.host; content:"45.148.120.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243566; rev:1;) alert tcp $HOME_NET any -> [47.92.171.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.92.171.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"95.217.28.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243562; rev:1;) alert tcp $HOME_NET any -> [88.198.112.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243560; rev:1;) alert tcp $HOME_NET any -> [95.217.28.14] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"aljannatquranteach.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243508; rev:1;) alert tcp $HOME_NET any -> [45.142.182.90] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243509/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"varinspector.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_03_01; classtype:trojan-activity; sid:91243515; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18909 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"888juantriana88.dynuddns.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243527/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243527; rev:1;) alert tcp $HOME_NET any -> [147.124.205.158] 9561 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243540/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243540; rev:1;) alert tcp $HOME_NET any -> [104.194.157.55] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243559/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243559; rev:1;) alert tcp $HOME_NET any -> [104.194.157.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243558/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243558; rev:1;) alert tcp $HOME_NET any -> [46.226.164.60] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243557/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243557; rev:1;) alert tcp $HOME_NET any -> [65.20.73.169] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243556/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; 
classtype:trojan-activity; sid:91243556; rev:1;) alert tcp $HOME_NET any -> [45.32.31.179] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243555/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243555; rev:1;) alert tcp $HOME_NET any -> [46.246.4.11] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243554/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243554; rev:1;) alert tcp $HOME_NET any -> [90.52.128.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243553; rev:1;) alert tcp $HOME_NET any -> [173.207.111.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243552; rev:1;) alert tcp $HOME_NET any -> [41.97.68.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243551; rev:1;) alert tcp $HOME_NET any -> [175.13.35.124] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243550; rev:1;) alert tcp $HOME_NET any -> [72.27.146.121] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243549; rev:1;) alert tcp $HOME_NET any -> [106.75.66.128] 53 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243548; rev:1;) alert tcp $HOME_NET any -> [130.193.40.155] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243547; rev:1;) alert tcp $HOME_NET any -> [201.174.9.2] 3392 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243546; rev:1;) alert tcp $HOME_NET any -> [92.39.211.142] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243545; rev:1;) alert tcp $HOME_NET any -> [35.193.229.206] 60000 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243544; rev:1;) alert tcp $HOME_NET any -> [170.187.200.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243543; rev:1;) alert tcp $HOME_NET any -> [37.1.208.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243542; rev:1;) alert tcp $HOME_NET any -> [103.150.208.227] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_03_01; classtype:trojan-activity; sid:91243541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v5jh"; depth:5; nocase; http.host; content:"103.191.15.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243539/; target:src_ip; metadata: confidence_level 75, first_seen 2024_03_01; classtype:trojan-activity; sid:91243539; rev:1;) alert tcp $HOME_NET any -> [5.42.65.55] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243538/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243538; rev:1;) alert tcp $HOME_NET any -> [5.42.65.107] 5000 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243537; rev:1;) alert tcp $HOME_NET any -> [171.80.216.99] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243536/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243536; rev:1;) alert tcp $HOME_NET any -> [89.23.107.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243535; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_03_01; classtype:trojan-activity; sid:91243534; rev:1;) alert tcp $HOME_NET any -> [39.100.103.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30ht.com.w.kunlunpi.com"; 
depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"30ht.com.w.kunlunpi.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243531; rev:1;) alert tcp $HOME_NET any -> [39.108.147.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"39.108.147.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243529; rev:1;) alert tcp $HOME_NET any -> [39.100.103.225] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243528; rev:1;) alert tcp $HOME_NET any -> [191.89.247.6] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243526; rev:1;) alert tcp $HOME_NET any -> [46.250.238.168] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243524/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243524; rev:1;) alert tcp $HOME_NET any -> [192.248.159.76] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243523/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243523; rev:1;) alert tcp $HOME_NET any -> [23.95.44.73] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243522/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243522; rev:1;) alert tcp $HOME_NET any -> [39.40.163.25] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243521/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243521; rev:1;) alert tcp $HOME_NET any -> [86.225.209.225] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243520/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243520; rev:1;) alert tcp 
$HOME_NET any -> [206.81.31.145] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243519/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243519; rev:1;) alert tcp $HOME_NET any -> [198.13.47.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243518; rev:1;) alert tcp $HOME_NET any -> [151.236.16.11] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243517; rev:1;) alert tcp $HOME_NET any -> [128.14.226.110] 143 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0/central3cputemp/6trafficeternalgeo/dump4requestmariadb/dbexternal/cpuprotonpoll4/longpollmariadb/dlejsauthrequest/cdn/1cpubasedle/36/external9traffic/7/update/lowlocalpython/videojs_updatedefaultgeneratorwordpress.php"; depth:220; nocase; http.host; content:"193.233.255.228"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243514/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_29; classtype:trojan-activity; sid:91243514; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243513; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerpythonhttplowupdateflowertrackwordpress.php"; depth:52; nocase; http.host; content:"147.45.197.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243511; rev:1;) alert tcp $HOME_NET any -> [198.44.174.170] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243510; rev:1;) alert tcp $HOME_NET any -> [18.162.156.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243505; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243503; rev:1;) alert tcp $HOME_NET any -> [4.158.105.167] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-2.8.4.min.js"; depth:20; nocase; http.host; content:"d9msk9dy9tbnk.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243500/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243499; rev:1;) alert tcp $HOME_NET any -> [18.231.151.211] 333 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-f8oy6qld-1322248009.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intl.ccb.com.w.cdngslb.com"; 
depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"intl.ccb.com.w.cdngslb.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"all.mbblitz.net.w.cdngslb.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243491; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"udptestsh6062.ialicdn.com.w.cdngslb.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.44.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"36.150.211.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"119.167.249.113"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"117.34.18.87"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"61.170.88.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243485; rev:1;) alert tcp $HOME_NET any -> [154.38.160.55] 35888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternal3/0server/downloads/better/7linuxdle/traffic/processorto4default/external/wordpressimage/phpwp/lowuploads0/6processorsql/updateprocessortest/packetbigload.php"; depth:166; nocase; http.host; content:"188.120.229.213"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243483; rev:1;) alert tcp $HOME_NET any -> [107.175.113.194] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243482; rev:1;) alert tcp $HOME_NET any -> [162.19.25.207] 8080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243479/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mrado.kozow.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243480/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243480; rev:1;) alert tcp $HOME_NET any -> [103.77.243.215] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243481/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzfdmserv275.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243310/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_29; classtype:trojan-activity; sid:91243310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pzlkxadvert475.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shopweb95.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"straightsboycott.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ventafones.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wprogs.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yan0212.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zl0yy.ru"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243318; rev:1;) alert tcp $HOME_NET any -> [138.201.196.90] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243319; rev:1;) alert tcp $HOME_NET any -> [153.92.222.162] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243320; rev:1;) alert tcp $HOME_NET any -> [185.236.232.20] 445 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243321; rev:1;) alert tcp $HOME_NET any -> [185.73.124.42] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243322; rev:1;) alert tcp $HOME_NET any -> [192.53.123.202] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243323; rev:1;) alert tcp $HOME_NET any -> [45.15.159.28] 8080 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243325; rev:1;) alert tcp $HOME_NET any -> [45.63.66.10] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243326; rev:1;) alert tcp $HOME_NET any -> [64.176.214.51] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243327; rev:1;) alert tcp $HOME_NET any -> [45.147.231.86] 4254 (msg:"ThreatFox SystemBC botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243324; rev:1;) alert tcp $HOME_NET any -> [69.10.60.115] 4018 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243328; rev:1;) alert tcp $HOME_NET any -> [80.85.84.79] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243329; rev:1;) alert tcp $HOME_NET any -> [89.187.184.206] 4299 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243330; rev:1;) alert tcp $HOME_NET any -> [94.198.51.247] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243332; rev:1;) alert tcp $HOME_NET any -> [94.156.69.109] 4372 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; 
classtype:trojan-activity; sid:91243331; rev:1;) alert tcp $HOME_NET any -> [94.198.55.181] 4337 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243333; rev:1;) alert tcp $HOME_NET any -> [82.153.138.25] 13338 (msg:"ThreatFox xmrig payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243429/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243429; rev:1;) alert tcp $HOME_NET any -> [15.204.223.194] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243443; rev:1;) alert tcp $HOME_NET any -> [79.228.201.177] 666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_29; classtype:trojan-activity; sid:91243444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"karmelinanoonethousandbaby.net"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243445; rev:1;) alert tcp $HOME_NET any -> [147.45.197.186] 445 (msg:"ThreatFox 
Pikabot payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mainnetwork.sysromeu.eu.org"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1243476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.11.93.150"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1243477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"leadsoftware.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advertsp74.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gam0ver.ru"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkk.collection.aixpirts.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"collection.aixpirts.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"visitclouds.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243253; rev:1;) alert tcp $HOME_NET any -> [185.172.129.234] 34244 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243474; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243473/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_29; classtype:trojan-activity; sid:91243473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923143.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243472; rev:1;) alert tcp $HOME_NET any -> [46.226.164.18] 50555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243471; rev:1;) alert tcp $HOME_NET any -> [106.75.66.128] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243470/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243470; rev:1;) alert tcp $HOME_NET any -> [139.9.65.87] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243469/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243469; rev:1;) alert tcp $HOME_NET any -> [50.35.137.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243468/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243468; rev:1;) alert tcp $HOME_NET any -> [24.177.42.139] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0922949.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_29; classtype:trojan-activity; sid:91243466; rev:1;) alert tcp $HOME_NET any -> [173.249.27.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243465/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243465; rev:1;) alert tcp $HOME_NET any -> [43.138.70.217] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243464/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243464; rev:1;) alert tcp $HOME_NET any -> [94.156.67.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243463/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243463; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243462/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_29; classtype:trojan-activity; sid:91243462; rev:1;) alert tcp $HOME_NET any -> [70.31.125.177] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243461; rev:1;) alert tcp $HOME_NET any -> [41.96.34.101] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243460/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243460; rev:1;) alert tcp $HOME_NET any -> [43.139.235.226] 5003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243459; rev:1;) alert tcp $HOME_NET any -> [139.196.191.50] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243458/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243458; rev:1;) alert tcp $HOME_NET any -> [8.218.157.182] 4488 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243457/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243457; rev:1;) alert tcp $HOME_NET any -> [193.233.132.48] 8081 (msg:"ThreatFox 
RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243456/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243456; rev:1;) alert tcp $HOME_NET any -> [193.233.132.10] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243455/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243455; rev:1;) alert tcp $HOME_NET any -> [41.216.183.184] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243454/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243454; rev:1;) alert tcp $HOME_NET any -> [5.75.211.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243453/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243453; rev:1;) alert tcp $HOME_NET any -> [65.109.240.92] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243452/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243452; rev:1;) alert tcp $HOME_NET any -> [95.217.240.158] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243451/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; 
classtype:trojan-activity; sid:91243451; rev:1;) alert tcp $HOME_NET any -> [65.109.242.251] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243450/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243450; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243449/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243449; rev:1;) alert tcp $HOME_NET any -> [128.90.108.211] 4433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243448/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243448; rev:1;) alert tcp $HOME_NET any -> [110.41.44.130] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243447; rev:1;) alert tcp $HOME_NET any -> [103.74.172.161] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_29; classtype:trojan-activity; sid:91243446; rev:1;) alert tcp $HOME_NET any -> [175.197.65.135] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/rtrovpivygzklxemdw38"; depth:25; nocase; http.host; content:"175.197.65.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243441; rev:1;) alert tcp $HOME_NET any -> [15.228.170.102] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243440; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243439; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 1515 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243438; rev:1;) alert tcp $HOME_NET any -> [147.45.68.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243437/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_28; classtype:trojan-activity; sid:91243437; rev:1;) alert tcp $HOME_NET any -> [187.213.196.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243436; rev:1;) alert tcp $HOME_NET any -> [105.102.19.215] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243435; rev:1;) alert tcp $HOME_NET any -> [45.120.106.149] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243434; rev:1;) alert tcp $HOME_NET any -> [5.161.64.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243433; rev:1;) alert tcp $HOME_NET any -> [45.61.138.43] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243432/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ca"; depth:3; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243431; rev:1;) alert tcp $HOME_NET any -> [74.81.46.139] 44085 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.110.253.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243426; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"118.89.124.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243424; rev:1;) alert tcp $HOME_NET any -> [45.32.7.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243423; rev:1;) alert tcp $HOME_NET any -> [143.110.247.233] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243422; rev:1;) alert tcp $HOME_NET any -> [123.206.115.56] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243421; rev:1;) alert tcp 
$HOME_NET any -> [185.43.222.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243420; rev:1;) alert tcp $HOME_NET any -> [185.43.221.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243419; rev:1;) alert tcp $HOME_NET any -> [3.65.151.202] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243418; rev:1;) alert tcp $HOME_NET any -> [172.201.219.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243417; rev:1;) alert tcp $HOME_NET any -> [213.171.15.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243416; rev:1;) alert tcp $HOME_NET any -> [124.71.205.116] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1243415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243415; rev:1;) alert tcp $HOME_NET any -> [159.138.58.51] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243414; rev:1;) alert tcp $HOME_NET any -> [170.64.213.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243413; rev:1;) alert tcp $HOME_NET any -> [123.60.185.117] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243412; rev:1;) alert tcp $HOME_NET any -> [37.251.160.104] 54043 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243411; rev:1;) alert tcp $HOME_NET any -> [124.220.97.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243410; rev:1;) alert tcp $HOME_NET any -> 
[135.181.16.103] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243409; rev:1;) alert tcp $HOME_NET any -> [34.101.73.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243407; rev:1;) alert tcp $HOME_NET any -> [1.117.229.230] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243406; rev:1;) alert tcp $HOME_NET any -> [49.51.68.151] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243405; rev:1;) alert tcp $HOME_NET any -> [154.201.66.219] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243404; rev:1;) alert tcp $HOME_NET any -> [150.158.137.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustabletechsupport.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfdjlgkdjfgkdfjgkml.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-230-177-18.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.inspirestudiosteam.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243399/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_28; classtype:trojan-activity; sid:91243399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mg.inspirestudiosteam.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243398; rev:1;) alert tcp $HOME_NET any -> [154.8.204.75] 58082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243397; rev:1;) alert tcp $HOME_NET any -> [193.222.96.238] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243396; rev:1;) alert tcp $HOME_NET any -> [20.65.178.69] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243395; rev:1;) alert tcp $HOME_NET any -> [20.82.182.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243394; rev:1;) alert tcp $HOME_NET any -> [20.251.169.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243393; rev:1;) alert tcp $HOME_NET any -> [188.27.189.235] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemon.haryadi.my.id"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cardiochallenge.at"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bignas.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-227-193-214.static.hvvc.us"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243387/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-84-126-255.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243388; rev:1;) alert tcp $HOME_NET any -> [223.155.16.116] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243386; rev:1;) alert tcp $HOME_NET any -> [5.144.177.67] 6090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243385; rev:1;) alert tcp $HOME_NET any -> [194.33.191.159] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243384; rev:1;) alert tcp $HOME_NET any -> [213.183.63.187] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243383; rev:1;) alert tcp $HOME_NET any -> [107.155.112.166] 8081 (msg:"ThreatFox RisePro botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cryptobetix.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"212-70-149-199.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243380; rev:1;) alert tcp $HOME_NET any -> [151.81.14.228] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243378; rev:1;) alert tcp $HOME_NET any -> [216.250.255.99] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243377; rev:1;) alert tcp $HOME_NET any -> [45.134.83.165] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243376/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243376; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4210 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243374; rev:1;) alert tcp $HOME_NET any -> [172.111.148.61] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243375; rev:1;) alert tcp $HOME_NET any -> [128.90.113.56] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243373; rev:1;) alert tcp $HOME_NET any -> [178.73.192.17] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243372; rev:1;) alert tcp $HOME_NET any -> [206.123.132.164] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243371; rev:1;) alert tcp $HOME_NET any -> [23.227.194.232] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243370/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_28; classtype:trojan-activity; sid:91243370; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243369; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243368; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243366; rev:1;) alert tcp $HOME_NET any -> [187.135.83.7] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243367; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243365; rev:1;) alert tcp $HOME_NET 
any -> [105.102.242.10] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243364; rev:1;) alert tcp $HOME_NET any -> [124.156.162.162] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243363; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243361; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243362; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243360; rev:1;) alert tcp $HOME_NET any -> [23.224.176.9] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243359/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243359; rev:1;) alert tcp $HOME_NET any -> [120.27.131.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243357; rev:1;) alert tcp $HOME_NET any -> [218.93.206.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243358; rev:1;) alert tcp $HOME_NET any -> [124.222.51.98] 60081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243355; rev:1;) alert tcp $HOME_NET any -> [62.234.32.192] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243356; rev:1;) alert tcp $HOME_NET any -> [47.98.168.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243354; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243353; rev:1;) alert tcp $HOME_NET any -> [185.11.61.168] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243351; rev:1;) alert tcp $HOME_NET any -> [143.110.176.113] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243352; rev:1;) alert tcp $HOME_NET any -> [185.11.61.168] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243350; rev:1;) alert tcp $HOME_NET any -> [150.158.137.47] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243349; rev:1;) alert tcp $HOME_NET any -> [1.14.64.150] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243348/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_28; classtype:trojan-activity; sid:91243348; rev:1;) alert tcp $HOME_NET any -> [3.75.210.134] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243347; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243346; rev:1;) alert tcp $HOME_NET any -> [91.245.253.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rns.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"distracted-cannon.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243344; rev:1;) alert tcp $HOME_NET any -> [114.116.224.74] 8888 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-black.104-168-102-175.plesk.page"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-71-186-178.ipv4.staticdns3.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243340; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fairyfoxgames.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dirapushka.com"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-black.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-91-59-255.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243334; rev:1;) alert tcp $HOME_NET any -> [46.183.223.64] 22364 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assets.samfund.co"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1243302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243302; rev:1;) alert tcp $HOME_NET any -> [159.223.86.140] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243303; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243301; rev:1;) alert tcp $HOME_NET any -> [78.141.217.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trailcosolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243299; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243298/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_28; classtype:trojan-activity; sid:91243298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"45.76.196.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"118.24.128.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243294; rev:1;) alert tcp $HOME_NET any -> [89.185.85.207] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243293; rev:1;) alert tcp $HOME_NET any -> [172.174.236.21] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243292; rev:1;) alert tcp $HOME_NET any -> [39.40.128.22] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243291; rev:1;) alert tcp $HOME_NET any -> [2.88.198.236] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243290; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 58049 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243289/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243289; rev:1;) alert tcp $HOME_NET any -> [178.250.156.165] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243288/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243288; 
rev:1;) alert tcp $HOME_NET any -> [62.109.15.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243287/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243287; rev:1;) alert tcp $HOME_NET any -> [87.120.84.190] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243286/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243286; rev:1;) alert tcp $HOME_NET any -> [62.217.179.132] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243285; rev:1;) alert tcp $HOME_NET any -> [84.201.143.26] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux/lineupdateprocessordefaultdleprivate.php"; depth:47; nocase; http.host; content:"89.23.98.146"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243283; rev:1;) alert tcp $HOME_NET any -> [124.223.215.119] 443 (msg:"ThreatFox Havoc 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.142.184.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243267/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243265; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"159.223.220.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"ssjcw.com.w.kunlunpi.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ssjcw.com.w.kunlunpi.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243261; rev:1;) alert tcp $HOME_NET any -> [122.51.118.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"122.51.118.39"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xlvc"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; 
classtype:trojan-activity; sid:91243258; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.178"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243256; rev:1;) alert tcp $HOME_NET any -> [65.109.242.251] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243254; rev:1;) alert tcp $HOME_NET any -> [5.75.209.178] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243255; rev:1;) alert tcp $HOME_NET any -> [185.217.197.52] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243252; rev:1;) alert 
tcp $HOME_NET any -> [166.1.173.27] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243251; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nl7l"; depth:5; nocase; http.host; content:"118.31.75.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243250; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 1145 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndinero.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243227/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243227; rev:1;) alert tcp $HOME_NET any -> [46.246.14.67] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243226; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 8651 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243222/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ntbizmm4zdq2mwy2/"; depth:18; nocase; http.host; content:"185.198.69.111"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi5odzlngfhyznh/"; depth:18; nocase; http.host; content:"213.109.202.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243220; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8008 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243214/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243214; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ronymahmoud.casacam.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243213; rev:1;) alert tcp $HOME_NET any -> [45.95.169.102] 4258 (msg:"ThreatFox Bashlite botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_28; classtype:trojan-activity; sid:91243212; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brainyworkslogos.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243211; rev:1;) alert tcp $HOME_NET any -> [103.173.254.239] 42516 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"212.129.36.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"31.207.37.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243243; rev:1;) alert tcp $HOME_NET any -> [83.69.236.128] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243246; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asyncfunctionapi.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.133.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243244; rev:1;) alert tcp $HOME_NET any -> [185.161.248.199] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243241; rev:1;) alert tcp $HOME_NET any -> [147.135.85.114] 8000 (msg:"ThreatFox DCRat botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243240; rev:1;) alert tcp $HOME_NET any -> [46.246.6.6] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243239/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243239; rev:1;) alert tcp $HOME_NET any -> [37.211.19.15] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243238; rev:1;) alert tcp $HOME_NET any -> [75.164.85.121] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243237/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243237; rev:1;) alert tcp $HOME_NET any -> [70.27.138.200] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243236; rev:1;) alert tcp $HOME_NET any -> [73.155.10.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243235/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243235; rev:1;) 
alert tcp $HOME_NET any -> [94.237.63.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243234/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243234; rev:1;) alert tcp $HOME_NET any -> [172.181.54.61] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243233/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243233; rev:1;) alert tcp $HOME_NET any -> [15.228.57.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243232/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243232; rev:1;) alert tcp $HOME_NET any -> [23.227.194.232] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243231/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243231; rev:1;) alert tcp $HOME_NET any -> [213.226.100.35] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243230/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_28; classtype:trojan-activity; sid:91243230; rev:1;) alert tcp $HOME_NET any -> [147.124.208.234] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243229/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923769.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243228; rev:1;) alert tcp $HOME_NET any -> [103.198.26.210] 1902 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243225; rev:1;) alert tcp $HOME_NET any -> [155.94.211.9] 42119 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243224; rev:1;) alert tcp $HOME_NET any -> [122.52.26.100] 1818 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_28; classtype:trojan-activity; sid:91243223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1243219/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"pickilish.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243218/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243216; rev:1;) alert tcp $HOME_NET any -> [49.234.185.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243217; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243215; rev:1;) alert tcp $HOME_NET any -> [65.21.101.232] 6392 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243210; rev:1;) alert tcp $HOME_NET any -> [154.246.13.166] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243209; rev:1;) alert tcp $HOME_NET any -> [103.179.188.223] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243206; rev:1;) alert tcp $HOME_NET any -> [2.57.149.235] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243205; rev:1;) alert tcp $HOME_NET any -> [91.92.240.190] 5525 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243131; rev:1;) alert tcp $HOME_NET any -> [91.92.244.84] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243132; rev:1;) alert tcp $HOME_NET any -> [94.156.71.29] 60195 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243133; rev:1;) alert tcp $HOME_NET any -> [37.221.92.112] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243134; rev:1;) alert tcp $HOME_NET any -> [94.156.71.220] 2821 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243135; rev:1;) alert tcp $HOME_NET any -> [45.86.86.176] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243136; rev:1;) alert tcp $HOME_NET any -> [94.103.188.45] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243137; rev:1;) alert tcp $HOME_NET any -> [176.123.2.50] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; 
sid:91243138; rev:1;) alert tcp $HOME_NET any -> [94.156.8.179] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243204; rev:1;) alert tcp $HOME_NET any -> [91.92.253.46] 59962 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243130; rev:1;) alert tcp $HOME_NET any -> [94.156.71.59] 13 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243129; rev:1;) alert tcp $HOME_NET any -> [94.156.66.229] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243128; rev:1;) alert tcp $HOME_NET any -> [193.35.18.164] 60195 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243127; rev:1;) alert tcp $HOME_NET any -> [91.92.254.43] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243125/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243125; rev:1;) alert tcp $HOME_NET any -> [185.196.10.231] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243126; rev:1;) alert tcp $HOME_NET any -> [185.196.11.28] 51231 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243123; rev:1;) alert tcp $HOME_NET any -> [185.196.9.14] 23213 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243124; rev:1;) alert tcp $HOME_NET any -> [185.155.186.25] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243120; rev:1;) alert tcp $HOME_NET any -> [185.155.184.55] 443 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243119; rev:1;) alert tcp $HOME_NET any -> [193.203.238.147] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243203; rev:1;) alert tcp $HOME_NET any -> [79.174.2.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243202; rev:1;) alert tcp $HOME_NET any -> [3.131.21.160] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243201; rev:1;) alert tcp $HOME_NET any -> [91.221.22.159] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243200; rev:1;) alert tcp $HOME_NET any -> [93.185.167.79] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243197; rev:1;) alert tcp $HOME_NET any -> [8.222.199.64] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; 
classtype:trojan-activity; sid:91243198; rev:1;) alert tcp $HOME_NET any -> [20.56.21.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243196; rev:1;) alert tcp $HOME_NET any -> [64.23.182.218] 3443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243195; rev:1;) alert tcp $HOME_NET any -> [128.199.108.110] 2087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243194; rev:1;) alert tcp $HOME_NET any -> [20.96.212.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243193; rev:1;) alert tcp $HOME_NET any -> [64.23.179.200] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243192; rev:1;) alert tcp $HOME_NET any -> [124.222.124.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243191; rev:1;) alert tcp $HOME_NET any -> [154.201.80.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243190; rev:1;) alert tcp $HOME_NET any -> [123.254.104.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243189; rev:1;) alert tcp $HOME_NET any -> [91.92.251.210] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243188; rev:1;) alert tcp $HOME_NET any -> [91.208.92.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243187; rev:1;) alert tcp $HOME_NET any -> [93.123.85.60] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243186; rev:1;) 
alert tcp $HOME_NET any -> [185.36.81.46] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243185; rev:1;) alert tcp $HOME_NET any -> [18.204.80.51] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asqrecruitment.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243183; rev:1;) alert tcp $HOME_NET any -> [5.199.162.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243182; rev:1;) alert tcp $HOME_NET any -> [45.15.159.44] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243180; rev:1;) alert tcp $HOME_NET any -> [20.0.153.70] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243181; rev:1;) alert tcp $HOME_NET any -> [124.156.162.114] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243179; rev:1;) alert tcp $HOME_NET any -> [185.16.39.117] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243178; rev:1;) alert tcp $HOME_NET any -> [223.155.16.52] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243177; rev:1;) alert tcp $HOME_NET any -> [181.162.154.20] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243176; rev:1;) alert tcp $HOME_NET any -> [223.155.16.58] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243175; rev:1;) alert tcp $HOME_NET any -> [193.233.132.32] 8081 (msg:"ThreatFox RisePro 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243174; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cenixcrypto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243173; rev:1;) alert tcp $HOME_NET any -> [91.142.74.218] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243172; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243170; rev:1;) alert tcp $HOME_NET any -> [51.89.109.154] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243171; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243169/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_27; classtype:trojan-activity; sid:91243169; rev:1;) alert tcp $HOME_NET any -> [45.134.83.165] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243168; rev:1;) alert tcp $HOME_NET any -> [46.246.84.11] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243167; rev:1;) alert tcp $HOME_NET any -> [191.88.250.63] 4208 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243166; rev:1;) alert tcp $HOME_NET any -> [128.90.113.242] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243165; rev:1;) alert tcp $HOME_NET any -> [85.99.80.60] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243164; rev:1;) alert tcp $HOME_NET any -> [2.58.85.145] 6004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1243163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243163; rev:1;) alert tcp $HOME_NET any -> [195.123.217.139] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243162/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243162; rev:1;) alert tcp $HOME_NET any -> [185.142.184.93] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243161/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243161; rev:1;) alert tcp $HOME_NET any -> [192.210.140.35] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243160/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243160; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243159/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243159; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243158/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243158; rev:1;) alert tcp $HOME_NET any -> [88.214.25.240] 31337 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243157/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_27; classtype:trojan-activity; sid:91243157; rev:1;) alert tcp $HOME_NET any -> [1.92.90.232] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243156/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243156; rev:1;) alert tcp $HOME_NET any -> [103.108.41.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243155; rev:1;) alert tcp $HOME_NET any -> [103.142.146.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243154; rev:1;) alert tcp $HOME_NET any -> [4.210.191.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243153; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243152/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_27; classtype:trojan-activity; sid:91243152; rev:1;) alert tcp $HOME_NET any -> [213.252.246.7] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243151; rev:1;) alert tcp $HOME_NET any -> [185.196.10.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243150; rev:1;) alert tcp $HOME_NET any -> [23.94.240.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243149; rev:1;) alert tcp $HOME_NET any -> [43.138.101.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243148; rev:1;) alert tcp $HOME_NET any -> [136.144.240.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243146; rev:1;) alert tcp $HOME_NET any -> [149.104.27.205] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243147; rev:1;) alert tcp $HOME_NET any -> [23.94.240.216] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243145; rev:1;) alert tcp $HOME_NET any -> [120.48.5.80] 6009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243144; rev:1;) alert tcp $HOME_NET any -> [121.196.221.250] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243142; rev:1;) alert tcp $HOME_NET any -> [103.142.146.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243143; rev:1;) alert tcp $HOME_NET any -> [103.142.146.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243141; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bh8bwt.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"was.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243139; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243117/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243117; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clarosecurity-com.duckdns.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243118/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/665cf811.php"; depth:13; nocase; http.host; content:"f0924067.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243116; rev:1;) alert tcp $HOME_NET any -> 
[185.244.150.230] 443 (msg:"ThreatFox Dridex botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"goalmikeas.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243107/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"wedshotrag.live"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243108/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243108; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243115; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243114; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243113/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243113; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243112; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12780 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243109; rev:1;) alert tcp $HOME_NET any -> [70.27.138.200] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243106/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243106; rev:1;) alert tcp $HOME_NET any -> [194.26.192.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243105/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; 
depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"20.107.244.135"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243097/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.142.90.7"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243094; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ku.css"; depth:7; nocase; http.host; content:"185.11.61.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/layout/fd6pr1n8lq5h"; depth:24; nocase; http.host; content:"47.99.182.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1/get"; 
depth:7; nocase; http.host; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3gjanc04hk.execute-api.us-east-2.amazonaws.com"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.43.191.108"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243088; rev:1;) alert tcp $HOME_NET any -> [47.76.78.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2.57.149.150"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243021/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243021; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"2istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"3istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"4istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"5istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"6istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztiwndezzjm4yjyw/"; depth:18; nocase; http.host; content:"8istanbullu2586.xyz"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243027; rev:1;) alert tcp $HOME_NET any -> [67.203.7.148] 2909 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243030; rev:1;) alert tcp $HOME_NET any -> [34.174.78.212] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243039/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"blesblochem.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243040/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243040; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 7690 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/beacon.bin"; depth:11; nocase; http.host; content:"43.129.239.195"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243084; rev:1;) alert tcp $HOME_NET any -> [91.92.252.146] 8004 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243079/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_27; classtype:trojan-activity; sid:91243079; rev:1;) alert tcp $HOME_NET any -> [155.94.208.137] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243085; rev:1;) alert tcp $HOME_NET any -> [85.239.33.149] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"5.75.211.82"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243082; rev:1;) alert tcp $HOME_NET any -> [65.109.240.92] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243080; rev:1;) alert tcp $HOME_NET any -> [5.75.211.82] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243081; rev:1;) alert tcp $HOME_NET any -> [195.16.74.230] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243076/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243076; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.hotzhuan.com.w.kunlunpi.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sfzd.tianxuesong.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ss.wfpay.xyz.w.kunlunpi.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1243070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.cdnyychanlun.com.w.kunlunpi.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"767163cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243068/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_27; classtype:trojan-activity; sid:91243068; rev:1;) alert tcp $HOME_NET any -> [43.136.20.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243067; rev:1;) alert tcp $HOME_NET any -> [123.253.108.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243066; rev:1;) alert tcp $HOME_NET any -> [38.54.108.163] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243065/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243065; rev:1;) alert tcp $HOME_NET any -> [20.197.231.238] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243064; rev:1;) alert tcp $HOME_NET any -> [201.124.231.216] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243063; rev:1;) alert tcp $HOME_NET any -> [185.17.105.152] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243062; rev:1;) alert tcp $HOME_NET any -> [161.35.79.43] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243061/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243061; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243060; rev:1;) alert tcp $HOME_NET any -> [164.92.243.255] 42691 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243058; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 1433 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243057; rev:1;) alert tcp $HOME_NET any -> [131.186.22.89] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_27; classtype:trojan-activity; sid:91243056; rev:1;) alert tcp $HOME_NET any -> [124.70.208.179] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243054; rev:1;) alert tcp $HOME_NET any -> [120.46.69.230] 65500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243053; rev:1;) alert tcp $HOME_NET any -> [107.172.5.67] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243052/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243052; rev:1;) alert tcp $HOME_NET any -> [124.223.200.131] 10010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243051/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243051; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243050; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243049/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243049; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243048; rev:1;) alert tcp $HOME_NET any -> [187.135.94.233] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243047; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243046/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243046; rev:1;) alert tcp $HOME_NET any -> [187.135.142.198] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243045/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243045; rev:1;) alert tcp $HOME_NET any -> [66.225.254.138] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243043; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243044; rev:1;) alert tcp $HOME_NET any -> [103.108.41.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243042/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_27; classtype:trojan-activity; sid:91243042; rev:1;) alert tcp $HOME_NET any -> [185.133.40.68] 7108 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_27; classtype:trojan-activity; sid:91243041; rev:1;) alert tcp $HOME_NET any -> [182.18.90.146] 34444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243038; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243037; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243036/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243036; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cce379fc.php"; depth:13; nocase; http.host; content:"cs52256.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243035; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/checkin"; depth:8; nocase; http.host; content:"84.32.188.104"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243034; rev:1;) alert tcp $HOME_NET any -> [47.92.99.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.92.99.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243031; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 43389 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"825947295cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243028; rev:1;) alert tcp $HOME_NET any -> [149.102.235.115] 3000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonwindows.php"; depth:18; nocase; http.host; content:"597359lm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"185.195.24.252"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243018; rev:1;) alert tcp $HOME_NET any -> [191.88.249.121] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243017; rev:1;) alert tcp $HOME_NET any -> [2.88.117.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243016; rev:1;) alert tcp $HOME_NET any -> [94.49.209.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243015; rev:1;) alert tcp $HOME_NET any -> [78.166.15.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243014/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243014; rev:1;) alert tcp $HOME_NET any -> [31.117.7.53] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1243013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243013; rev:1;) alert tcp $HOME_NET any -> [154.247.5.62] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243012; rev:1;) alert tcp $HOME_NET any -> [143.110.250.237] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243011; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 3306 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91243010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243009; rev:1;) alert tcp $HOME_NET any -> [45.134.225.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243008; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243007; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243005/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91243005; rev:1;) alert tcp $HOME_NET any -> [204.44.127.146] 20188 (msg:"ThreatFox AdWind botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243006; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243003; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243004; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243002; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12778 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1243001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"gulfcoastcoffeeroasters.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"inc.sshadowso.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.garciaprints.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242679; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"mail.inspirestudiosteam.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"panel.swain.ir"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"pars.northpm.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"skinsmonkey.complete.homsiknet.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"sw.sono.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"fleekbusiness.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"garciaprints.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; 
content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"ebookza.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpcontacts.inspirestudiosteam.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"cpanel.garciaprints.com"; depth:23; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1242670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"buygamingnfts.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"blazebit.bet"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"autodiscover.inspirestudiosteam.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; 
sid:91242666; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150.sslip.io"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228.sslip.io"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242664; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83.sslip.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"vpnu.top"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"webdisk.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"webmail.inspirestudiosteam.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.ebookza.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; 
content:"www.fleekbusiness.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.garciaprints.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.gulfcoastcoffeeroasters.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.inspirestudiosteam.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mg.inspirestudiosteam.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242694/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"www.mzile.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes.homeshopdigital.site"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"yes1.homeshopdigital.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242697; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 16653 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242250/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"45.138.74.228.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"5.42.73.150.sslip.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"89.208.103.177.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242700; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"autodiscover.inspirestudiosteam.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.garciaprints.com"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.inspirestudiosteam.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"inc.sshadowso.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gulfcoastcoffeeroasters.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242711; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleekbusiness.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"garciaprints.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242710/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eloquent-germain.45-138-16-132.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ebookza.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.inspirestudiosteam.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.garciaprints.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blazebit.bet"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buygamingnfts.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.swain.ir"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pars.northpm.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"skinsmonkey.complete.homsiknet.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpnu.top"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242719; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242720; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.inspirestudiosteam.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242721; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ebookza.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fleekbusiness.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.garciaprints.com"; 
depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gulfcoastcoffeeroasters.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.inspirestudiosteam.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mg.inspirestudiosteam.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mzile.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes.homeshopdigital.site"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yes1.homeshopdigital.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.74.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.42.25"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.83"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.138.16.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.150"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.161"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.12.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"104.21.44.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.152.71"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"172.67.192.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"175.110.115.65"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"198.44.171.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242745; rev:1;) alert tcp $HOME_NET any -> [54.234.189.192] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242981; rev:1;) alert tcp $HOME_NET any -> [54.237.138.159] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242971; rev:1;) alert tcp $HOME_NET any -> [52.23.117.205] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242969; rev:1;) alert tcp $HOME_NET any -> [52.22.239.204] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242968; rev:1;) alert tcp $HOME_NET any -> [44.196.101.127] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242966; rev:1;) alert tcp $HOME_NET any -> [52.205.60.154] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242964; rev:1;) alert tcp $HOME_NET any -> [34.197.122.235] 80 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242965; rev:1;) alert tcp $HOME_NET any -> [5.161.113.150] 25658 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242963/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bbsupplyandsalon.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242792; rev:1;) alert tcp $HOME_NET any -> [192.151.243.135] 55650 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242650/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_26; classtype:trojan-activity; sid:91242650; rev:1;) alert tcp $HOME_NET any -> [185.91.127.216] 5555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242620; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"bigcuda.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4stvghabsy3dg893uhszgtyerecs44axutq5unuvsa7u8833eb.nl"; depth:53; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"refinedruffles.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"q65fpfr2wpjugu7y3ldvjjdgz8uzqak2.nl"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pve.pezow.ovh"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242601; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242603/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mnmn.espontaneo.cc"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242604/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"route.qyhgroup.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242605/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"multi-bidding.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242617/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"wwv.bmjz.vip"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242618; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voolkisms"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1243000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91243000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.158"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242999/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.112.251"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/neoschats"; depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199644883218"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242996; rev:1;) alert tcp $HOME_NET any -> [88.198.112.251] 10050 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242994; rev:1;) alert tcp $HOME_NET any -> [95.217.240.158] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nxsisgod.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242993; rev:1;) alert tcp $HOME_NET any -> [104.129.20.167] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242989; rev:1;) alert tcp $HOME_NET any -> [103.124.104.22] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242990; rev:1;) alert tcp $HOME_NET any -> [204.44.125.68] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242991; rev:1;) alert tcp $HOME_NET any -> [66.63.188.19] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242992; rev:1;) alert tcp $HOME_NET any -> 
[146.19.213.36] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242982; rev:1;) alert tcp $HOME_NET any -> [89.117.2.33] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242983; rev:1;) alert tcp $HOME_NET any -> [176.123.2.146] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242984; rev:1;) alert tcp $HOME_NET any -> [89.117.1.161] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242985; rev:1;) alert tcp $HOME_NET any -> [89.117.2.34] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242986; rev:1;) alert tcp $HOME_NET any -> [89.117.1.160] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242987/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242987; rev:1;) alert tcp $HOME_NET any -> [103.124.104.76] 445 (msg:"ThreatFox Pikabot payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242988; rev:1;) alert tcp $HOME_NET any -> [128.199.23.68] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242962; rev:1;) alert tcp $HOME_NET any -> [20.161.150.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242961; rev:1;) alert tcp $HOME_NET any -> [3.28.252.232] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242960; rev:1;) alert tcp $HOME_NET any -> [167.71.231.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242958; rev:1;) alert tcp $HOME_NET any -> [139.196.100.176] 60080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242959; rev:1;) alert tcp $HOME_NET any -> [128.199.141.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242957; rev:1;) alert tcp $HOME_NET any -> [165.22.73.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242955; rev:1;) alert tcp $HOME_NET any -> [80.249.164.234] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242956; rev:1;) alert tcp $HOME_NET any -> [34.125.92.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242954; rev:1;) alert tcp $HOME_NET any -> [43.136.182.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242953; rev:1;) alert tcp $HOME_NET any -> [157.230.24.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242952; rev:1;) alert tcp $HOME_NET any -> [20.88.9.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242951; rev:1;) alert tcp $HOME_NET any -> [54.194.190.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242950; rev:1;) alert tcp $HOME_NET any -> [18.156.23.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242949; rev:1;) alert tcp $HOME_NET any -> [3.231.20.29] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242948; rev:1;) alert tcp $HOME_NET any -> [89.26.253.61] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242947; rev:1;) alert tcp $HOME_NET any -> [206.221.176.188] 10718 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242946; rev:1;) alert tcp $HOME_NET any -> [196.50.10.35] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242945; rev:1;) alert tcp $HOME_NET any -> [107.174.250.230] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242944; rev:1;) alert tcp $HOME_NET any -> [34.250.158.249] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242942; rev:1;) alert tcp $HOME_NET any -> [185.43.222.163] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242943; 
rev:1;) alert tcp $HOME_NET any -> [178.154.201.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242941; rev:1;) alert tcp $HOME_NET any -> [64.227.66.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242940; rev:1;) alert tcp $HOME_NET any -> [178.128.212.97] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accounts.deenpel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"port.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogs.deenpel.com"; 
depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www3.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242935; rev:1;) alert tcp $HOME_NET any -> [103.118.41.143] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242934; rev:1;) alert tcp $HOME_NET any -> [47.109.142.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242933; rev:1;) alert tcp $HOME_NET any -> [118.89.91.229] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242932; rev:1;) alert tcp $HOME_NET any -> [123.60.16.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; 
classtype:trojan-activity; sid:91242931; rev:1;) alert tcp $HOME_NET any -> [103.118.41.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242930; rev:1;) alert tcp $HOME_NET any -> [152.42.162.0] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242928; rev:1;) alert tcp $HOME_NET any -> [117.84.36.29] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242929; rev:1;) alert tcp $HOME_NET any -> [18.183.219.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-16-62-149-189.eu-central-2.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"nic-ns3-153548.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242925; rev:1;) alert tcp $HOME_NET any -> [91.208.92.66] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telligenc.rest"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242924; rev:1;) alert tcp $HOME_NET any -> [93.123.85.142] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242922; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242920; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242921/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242921; rev:1;) alert tcp $HOME_NET any -> [51.195.83.140] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dhjkfgdfkhjghdfjkgjdfoigjpi.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242917; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilonyouknow.party"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my.attuneiot.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-23-117-205.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242916; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-197-122-235.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-22-239-204.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maps.attuneiot.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242913; rev:1;) alert tcp $HOME_NET any -> [52.205.60.154] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242910; rev:1;) alert tcp $HOME_NET any -> [34.197.122.235] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242911; rev:1;) alert tcp $HOME_NET any -> [52.22.239.204] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242909; rev:1;) alert tcp $HOME_NET any -> [110.173.54.196] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242907; rev:1;) alert tcp $HOME_NET any -> [20.166.248.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242908; rev:1;) alert tcp $HOME_NET any -> [110.173.54.197] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242906; rev:1;) alert tcp $HOME_NET any -> [104.43.89.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242904; rev:1;) alert tcp $HOME_NET any -> [5.199.169.206] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242905; 
rev:1;) alert tcp $HOME_NET any -> [110.173.54.198] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242903; rev:1;) alert tcp $HOME_NET any -> [213.166.68.24] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242901; rev:1;) alert tcp $HOME_NET any -> [40.119.24.133] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242902; rev:1;) alert tcp $HOME_NET any -> [20.121.42.245] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242900; rev:1;) alert tcp $HOME_NET any -> [110.173.54.194] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242899; rev:1;) alert tcp $HOME_NET any -> [91.92.245.119] 443 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242898/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242898; rev:1;) alert tcp $HOME_NET any -> [43.204.230.44] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242896; rev:1;) alert tcp $HOME_NET any -> [78.141.216.219] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.3-84-126-255.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev2.stocktok.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gbdvs.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242894; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accept.gbdvs.shop"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gbdvs.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"time.vmupdate.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.web_hassinezarrat.swp23.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242889; rev:1;) alert tcp $HOME_NET any -> [191.82.221.165] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242887; rev:1;) alert tcp $HOME_NET any -> [35.137.73.119] 22222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242888; rev:1;) alert tcp $HOME_NET any -> [181.161.4.80] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242886; rev:1;) alert tcp $HOME_NET any -> [91.134.187.25] 3336 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242885; rev:1;) alert tcp $HOME_NET any -> [191.82.215.55] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242884; rev:1;) alert tcp $HOME_NET any -> [103.253.17.111] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242883; rev:1;) alert tcp $HOME_NET any -> [94.250.252.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242882; rev:1;) alert tcp $HOME_NET any -> 
[20.199.42.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242881; rev:1;) alert tcp $HOME_NET any -> [86.110.194.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242880; rev:1;) alert tcp $HOME_NET any -> [209.38.188.72] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242879; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 63 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242878; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242877; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242875/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242875; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 4242 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242876; rev:1;) alert tcp $HOME_NET any -> [51.77.68.50] 1231 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242874; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242873; rev:1;) alert tcp $HOME_NET any -> [51.161.107.68] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242872; rev:1;) alert tcp $HOME_NET any -> [193.32.162.198] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242870; rev:1;) alert tcp $HOME_NET any -> [23.26.201.73] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242871; rev:1;)
# --- ThreatFox ip:port C2 rules (first_seen 2024_02_26) ---
# Shape of every "ip:port" rule below: alert tcp $HOME_NET any -> [addr] port.
# There is no flow: keyword and no payload content match, so a bare connection
# attempt from an internal host to the listed address:port is enough to alert.
# threshold: type limit, track by_src, seconds 60, count 1 caps output at one
# alert per internal source per rule per 60 s; target:src_ip marks the internal
# client as the affected side for alert triage.
# The confidence_level in msg/metadata is the feed's own rating (75-100 here).
# Several destinations sit on widely shared ports (80, 443, 53, 8080) and on
# cloud/hosting ranges; treat a hit as a triage lead and confirm via the
# reference URL before blocking the address. sid is 9 followed by the IOC id.
alert tcp $HOME_NET any -> [66.94.120.244] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242869; rev:1;)
alert tcp $HOME_NET any -> [45.240.136.144] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242868; rev:1;)
alert tcp $HOME_NET any -> [45.138.16.228] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242866; rev:1;)
alert tcp $HOME_NET any -> [142.113.120.107] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242867; rev:1;)
alert tcp $HOME_NET any -> [185.117.250.169] 3393 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242865; rev:1;)
alert tcp $HOME_NET any -> [203.30.9.90] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242863; rev:1;)
alert tcp $HOME_NET any -> [184.147.209.221] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242864; rev:1;)
alert tcp $HOME_NET any -> [187.24.4.94] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242862; rev:1;)
alert tcp $HOME_NET any -> [23.251.37.231] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242861; rev:1;)
alert tcp $HOME_NET any -> [137.220.197.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242860; rev:1;)
# Sliver entries: note the same host listed on several ports (e.g. 31337, 53,
# 443) and a cluster in 69.46.36.0/24; one hit on a host is a lead, repeated
# hits across the cluster strengthen it.
alert tcp $HOME_NET any -> [69.46.36.211] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242859/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242859; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242857/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242857; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.211] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242858/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242858; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.220] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242856/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242856; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.215] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242854/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242854; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.215] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242855/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242855; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.208] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242853/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242853; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.219] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242852/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242852; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.217] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242850/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242850; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.149] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242851/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242851; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242849/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242849; rev:1;)
alert tcp $HOME_NET any -> [199.248.230.106] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242847/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242847; rev:1;)
alert tcp $HOME_NET any -> [69.46.36.218] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242848/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242848; rev:1;)
alert tcp $HOME_NET any -> [151.106.125.157] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242846/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242846; rev:1;)
alert tcp $HOME_NET any -> [130.193.34.93] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242845/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242845; rev:1;)
alert tcp $HOME_NET any -> [44.221.44.220] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242844/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242844; rev:1;)
alert tcp $HOME_NET any -> [198.13.57.34] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242843/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242843; rev:1;)
alert tcp $HOME_NET any -> [109.107.161.51] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242842/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_26; classtype:trojan-activity; sid:91242842; rev:1;)
alert tcp $HOME_NET any -> [8.130.11.62] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_26; classtype:trojan-activity; sid:91242841; rev:1;)
alert tcp $HOME_NET any -> [154.211.15.205] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242840; rev:1;)
alert tcp $HOME_NET any -> [209.141.46.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242838; rev:1;)
alert tcp $HOME_NET any -> [185.196.10.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242839; rev:1;)
alert tcp $HOME_NET any -> [38.55.197.151] 2077 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242836; rev:1;)
alert tcp $HOME_NET any -> [47.236.86.239] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242837; rev:1;)
alert tcp $HOME_NET any -> [120.24.38.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242835; rev:1;)
alert tcp $HOME_NET any -> [8.130.79.120] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242834; rev:1;)
alert tcp $HOME_NET any -> [121.41.75.23] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242833; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.199] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242831; rev:1;)
alert tcp $HOME_NET any -> [116.62.130.96] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242832; rev:1;)
alert tcp $HOME_NET any -> [58.87.94.238] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242830; rev:1;)
alert tcp $HOME_NET any -> [101.133.164.210] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242829; rev:1;)
alert tcp $HOME_NET any -> [8.217.132.202] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242827; rev:1;)
alert tcp $HOME_NET any -> [124.70.180.22] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242828; rev:1;)
alert tcp $HOME_NET any -> [47.108.153.69] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242826; rev:1;)
alert tcp $HOME_NET any -> [111.231.74.147] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242825; rev:1;)
# Domain rules: dns_query content with depth equal to the name length plus
# isdataat:!1,relative pins an exact, case-insensitive FQDN match; a longer
# name that merely contains the listed one (extra labels before or after) does
# not match. Note the DNS lookup is the signal here, not a completed connection.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kind-villani.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242824; rev:1;)
alert tcp $HOME_NET any -> [165.227.172.31] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242823; rev:1;)
alert tcp $HOME_NET any -> [182.149.199.245] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242822; rev:1;)
alert tcp $HOME_NET any -> [20.106.175.213] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242820; rev:1;)
alert tcp $HOME_NET any -> [20.106.175.213] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242821; rev:1;)
alert tcp $HOME_NET any -> [8.219.189.106] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242819; rev:1;)
alert tcp $HOME_NET any -> [103.191.15.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242818; rev:1;)
alert tcp $HOME_NET any -> [38.6.177.108] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242816; rev:1;)
alert tcp $HOME_NET any -> [47.120.1.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242817; rev:1;)
alert tcp $HOME_NET any -> [175.178.124.71] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242815; rev:1;)
alert tcp $HOME_NET any -> [175.178.124.71] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242813; rev:1;)
alert tcp $HOME_NET any -> [175.178.124.71] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242814; rev:1;)
alert tcp $HOME_NET any -> [118.25.173.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242812; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"104-168-102-175.plesk.page"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242811; rev:1;)
alert tcp $HOME_NET any -> [1.12.231.99] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242810; rev:1;)
alert tcp $HOME_NET any -> [206.237.21.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242809; rev:1;)
alert tcp $HOME_NET any -> [193.112.79.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242808; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242806; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242807; rev:1;)
alert tcp $HOME_NET any -> [82.157.177.73] 2095 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242805; rev:1;)
alert tcp $HOME_NET any -> [101.42.35.218] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242804; rev:1;)
alert tcp $HOME_NET any -> [134.122.20.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242803; rev:1;)
alert tcp $HOME_NET any -> [118.194.233.185] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242802; rev:1;)
alert tcp $HOME_NET any -> [43.142.90.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242800; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visitor-service-eu-central-1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:62; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242801; rev:1;)
alert tcp $HOME_NET any -> [120.48.5.80] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242799; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"region1.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242798; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242797; rev:1;)
alert tcp $HOME_NET any -> [185.44.71.197] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242796; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242795/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242795; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242794; rev:1;)
alert tcp $HOME_NET any -> [95.116.67.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242790/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242790; rev:1;)
alert tcp $HOME_NET any -> [168.149.16.139] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242789/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242789; rev:1;)
alert tcp $HOME_NET any -> [39.40.183.67] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242788/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242788; rev:1;)
alert tcp $HOME_NET any -> [213.252.246.185] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242787/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242787; rev:1;)
alert tcp $HOME_NET any -> [83.97.20.183] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242786/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242786; rev:1;)
alert tcp $HOME_NET any -> [27.102.66.59] 35201 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242785/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242785; rev:1;)
alert tcp $HOME_NET any -> [192.144.219.118] 44343 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242784/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242784; rev:1;)
alert tcp $HOME_NET any -> [47.100.101.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242783/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242783; rev:1;)
alert tcp $HOME_NET any -> [45.9.188.11] 47134 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242782/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242782; rev:1;)
alert tcp $HOME_NET any -> [147.45.78.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242781; rev:1;)
alert tcp $HOME_NET any -> [111.231.146.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242780; rev:1;)
alert tcp $HOME_NET any -> [43.156.27.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242779/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242779; rev:1;)
alert tcp $HOME_NET any -> [207.174.3.213] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242778; rev:1;)
alert tcp $HOME_NET any -> [87.98.233.247] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242777; rev:1;)
# DarkComet entries: one host (187.135.84.81) is listed on eight ports; each
# port is a separate rule/sid, so a single beaconing client can raise several
# distinct alerts within one minute despite the per-rule threshold.
alert tcp $HOME_NET any -> [187.135.84.81] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242776; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242775; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242774; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242773; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242772; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242771; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242770; rev:1;)
alert tcp $HOME_NET any -> [187.135.84.81] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242769; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242768; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 15443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242767; rev:1;)
alert tcp $HOME_NET any -> [89.23.98.34] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242766; rev:1;)
alert tcp $HOME_NET any -> [159.100.14.197] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242765; rev:1;)
alert tcp $HOME_NET any -> [91.92.243.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242764; rev:1;)
alert tcp $HOME_NET any -> [39.108.229.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242763; rev:1;)
alert tcp $HOME_NET any -> [114.132.41.186] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242762; rev:1;)
alert tcp $HOME_NET any -> [193.181.23.156] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242761/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_02_26; classtype:trojan-activity; sid:91242761; rev:1;) alert tcp $HOME_NET any -> [197.119.73.234] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242760; rev:1;) alert tcp $HOME_NET any -> [154.245.141.251] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242759; rev:1;) alert tcp $HOME_NET any -> [42.117.36.184] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242758; rev:1;) alert tcp $HOME_NET any -> [195.2.81.45] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242757; rev:1;) alert tcp $HOME_NET any -> [65.109.242.97] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242756; rev:1;) alert tcp $HOME_NET any -> [95.217.240.44] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1242755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242755; rev:1;) alert tcp $HOME_NET any -> [65.109.172.49] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242754/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242754; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242753; rev:1;) alert tcp $HOME_NET any -> [83.242.63.186] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242752/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242752; rev:1;) alert tcp $HOME_NET any -> [136.0.3.250] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242751; rev:1;) alert tcp $HOME_NET any -> [104.209.128.50] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_26; classtype:trojan-activity; sid:91242750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"49.234.185.12"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242660; rev:1;) alert tcp $HOME_NET any -> [49.234.185.12] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"1.14.69.16"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.133.164.210"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242657/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242657; rev:1;) alert tcp $HOME_NET any -> [91.92.252.110] 7888 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/fwlink"; depth:7; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"o.cirt.pro"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o.cirt.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242649; rev:1;) alert tcp $HOME_NET any -> [154.90.62.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/study/constants/7rmolfy0b"; depth:26; nocase; http.host; content:"154.90.62.138"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242646; rev:1;) alert tcp $HOME_NET any -> [5.42.66.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/244e7da752dca7a602d55ea79cb79681.html"; depth:38; nocase; http.host; content:"firmwarefusion.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"firmwarefusion.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242644; rev:1;) alert tcp $HOME_NET any -> [185.117.250.169] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242642; rev:1;) alert tcp $HOME_NET any -> [93.123.39.219] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242641; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"104.156.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242640; rev:1;) alert tcp $HOME_NET any -> [198.44.171.3] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242639; rev:1;) alert tcp $HOME_NET any -> [137.220.197.175] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242638; rev:1;) alert tcp $HOME_NET any -> [45.152.65.230] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242637; rev:1;) alert tcp $HOME_NET any -> [149.104.27.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242636; rev:1;) alert tcp $HOME_NET any -> [69.159.0.252] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242635/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242635; rev:1;) alert tcp $HOME_NET any -> [41.230.86.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242634; rev:1;) alert tcp $HOME_NET any -> [154.247.237.145] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242633; rev:1;) alert tcp $HOME_NET any -> [82.67.60.21] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242632; rev:1;) alert tcp $HOME_NET any -> [94.156.67.244] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242631; rev:1;) alert tcp $HOME_NET any -> [185.196.9.214] 80 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_26; classtype:trojan-activity; sid:91242630; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/8a45dff2.php"; depth:13; nocase; http.host; content:"a0914958.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_26; classtype:trojan-activity; sid:91242629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0923400.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242628; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242627; rev:1;) alert tcp $HOME_NET any -> [88.214.25.235] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalpipetosecureasynctrackuploads.php"; depth:42; nocase; http.host; content:"80.85.246.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242624; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242623; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242622; rev:1;) alert tcp $HOME_NET any -> [79.137.202.68] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242616; rev:1;) alert tcp $HOME_NET any -> [41.96.125.98] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242615/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_25; classtype:trojan-activity; sid:91242615; rev:1;) alert tcp $HOME_NET any -> [105.108.32.227] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242614; rev:1;) alert tcp $HOME_NET any -> [79.107.151.150] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242613; rev:1;) alert tcp $HOME_NET any -> [154.247.237.145] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242612; rev:1;) alert tcp $HOME_NET any -> [2.91.177.204] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242611; rev:1;) alert tcp $HOME_NET any -> [20.80.88.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242610; rev:1;) alert tcp $HOME_NET any -> [136.0.3.71] 5671 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1242609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242609; rev:1;) alert tcp $HOME_NET any -> [47.98.126.140] 10000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242608; rev:1;) alert tcp $HOME_NET any -> [185.250.151.246] 8443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242607; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 55430 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242602; rev:1;) alert tcp $HOME_NET any -> [87.88.94.223] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.172.49"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.44"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.224.223"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242597; rev:1;) alert tcp $HOME_NET any -> [5.75.215.159] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242593; rev:1;) alert tcp $HOME_NET any -> [95.217.240.44] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242594; rev:1;) alert tcp $HOME_NET any -> [65.109.172.49] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242595; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"106.54.228.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.134.225.245"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1242587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"121.43.58.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.baidu12366.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242584; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.baidu12366.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sonystore.xyz"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242581; rev:1;) alert tcp $HOME_NET any -> [39.98.192.104] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"www.sonystore.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"154.197.98.85"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242578; rev:1;) alert tcp $HOME_NET any -> [88.214.25.36] 53 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.pain.capetown"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/eternalrequestlowtestdle.php"; depth:31; nocase; http.host; content:"5.182.87.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242575; rev:1;) alert tcp $HOME_NET any -> [42.237.24.42] 7899 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-orange-unit-abfb.gwadarportt.workers.dev"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"mailpsab-modgovpk.hopto.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailsco-govpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.myvnc.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"meter-ntdccompk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntc-telecomcorporation.workers.dev"; depth:34; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pak-gov-pk.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pakistan-gov-pk.workers.dev"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pertest-ntdccompk.ddnsking.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242565/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail-gda-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"worker-crimson-bread-052d.crypton0019.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hit-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242520/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servegame.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hitgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-invest-gov-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mod-gov-pk.pakistan-gov-pk.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242525/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_25; classtype:trojan-activity; sid:91242525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.government-pak.workers.dev"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.pak-gov-pk.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-nespak-com-pk.gwadarportt.workers.dev"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242535; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-paf-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pc-gov-pk-login.ethanhunthero125.workers.dev"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.3utilities.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-pofgovpk.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.crypton0019.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242540; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhit-govpk.hopto.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"diagov.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ethanhunthero125.workers.dev"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govnp.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242500; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"govaruba.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242502; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"government-pak.workers.dev"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; 
depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideas2024-pakistan.myvnc.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ideaspakistan-govpk.myvnc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iportal-ntdcgovpk.myvnc.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.myvnc.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-armylk.servehalflife.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.myvnc.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depo-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.myvnc.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242515/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"203-124351878443.hopto.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242488/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242490; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypton0019.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; 
sid:91242493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme89.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz78543.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7963.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8456.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz87636.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242469; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz8798.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9856.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz986.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz9872.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri15547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242474; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayersistemleri23547.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme12.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme34.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme39.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme437.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme46.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme53.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme5427.xyz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme547.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayserhdguncelleme82.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz543.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54453.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz54748.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5516.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242452; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz5646.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz5736.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz576.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz657.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz676.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242457; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz6766.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242458; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz677.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242459; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz685.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242460; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7554.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz76342.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242462; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz766.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242463; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz7693.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242464; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz7786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3256.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242430; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz345.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz34616.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz3466.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz36357.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3786.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz43.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz436.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242437; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz4367.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242438; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4378.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4432.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz453.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4533.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz45436.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz4567.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242444; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45676.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242445; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz45678.xyz"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz525.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz532.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz138.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242413; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2145vvv.xyz"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz23.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz234.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2346.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz235.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2355.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2356.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz241.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2452.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz25.xyz"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz2612.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz3215.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"videoplayerizlemehdvefullucretsiz3245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz325336.xyz"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri689.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri775.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hdvideoplayersistemleri8358.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri89.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri893.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri94.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri965.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite14325.site"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite2432.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite345436.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite4352.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite5436.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite64378.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite6473.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite7865.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videofullizlesite8368.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme11.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme22.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242406/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_25; classtype:trojan-activity; sid:91242406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme39.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizleme46.club"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1235.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz124.xyz"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1245.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"videoplayerizlemehdvefullucretsiz1323.xyz"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri247.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri258.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri26.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri27.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242374; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri342.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri393.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri427.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4537.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri456.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri457.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri4579.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri458.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri554.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri609.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"hdvideoplayersistemleri632.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri67.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri675.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri6799.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi7635.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hdvideofullizleservisi771.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi8750.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi883.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizlemesistemi956735.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi124526.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi125.website"; depth:27; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2334.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi235.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi2356.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi326471.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345.website"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi345738.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi347583.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi43435546.website"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi456754.website"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi5236.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242362/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6395456.website"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi6458.website"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoizleresmi77458.website"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri009.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri123.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri15.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri234.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideoplayersistemleri2342.xyz"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi354.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi441.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242333; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi456.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi46.xyz"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi467.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi541.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi5567.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6076.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6539.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi656.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi658.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi6583.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"hdvideofullizleservisi675.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi679.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu4568.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu479.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu482.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu556.xyz"; 
depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu568.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu5698.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu571.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu69.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu78.xyz"; depth:33; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu783.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu8570.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi050.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi076.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi1245.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi156.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi235.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi243.xyz"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hdvideofullizleservisi2467.xyz"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi482.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242293/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi546754.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi5684.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242295; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi6263.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi66376.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi86598.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242298/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_25; classtype:trojan-activity; sid:91242298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi882.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi9034.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242300; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu05.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu093.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu1214.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; 
sid:91242303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu124146.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu188.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu22.xyz"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu243667.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu335.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242308; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu34521.xyz"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu345235.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu3467.xyz"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu364.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullvehdvideopleyerkurulumu436.xyz"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle394.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle42853.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4326.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle4567.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle56765.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence 
level: 100%)"; dns_query; content:"fullhdvideopleyerizle6789.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle789.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle8324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle9344.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi01234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; 
content:"fullhdvideositeresmi0513.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi11234.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi12143.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2213.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi2324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi23562.site"; depth:30; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi3215.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi4321.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242277; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi43464.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242278; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi6170.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi78123.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242280; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideositeresmi993150.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi0474.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi124.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2246.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi2548.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242285/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi289.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi34776.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi3969.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi437.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi445444.site"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242290/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi4583.site"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242291; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fulllhdvideoizlemeservisi46793.site"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242292; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle015919.site"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle12321.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle1252.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2324.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle23453.site"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle2357.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle324.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle3456.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242258; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fullhdvideopleyerizle348.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kd9w0iu-1302672236.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"129.226.83.129"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz13602.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microcoft-gettask.html"; depth:23; nocase; http.host; content:"20.106.175.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fewjfhwefhwegfgwey344.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242231; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fhfhreeruu334345432.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242232; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gftfttdrtdrrttgfderrt654.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242233; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htyfdsdghfr65443.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242234; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"iefijweijfiwefiue9877.cfd"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242235; rev:1;)
# NOTE(review): every dns rule in this feed is written $HOME_NET -> $EXTERNAL_NET on the dns_query
# buffer. If clients resolve through an internal recursive resolver, the client->resolver query
# stays inside $HOME_NET and never matches; only the resolver's upstream lookup does, and
# target:src_ip then names the resolver rather than the infected host. Pair hits with resolver
# logs (or also inspect the resolver-facing segment) to recover the true source.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"woolyboolydoolykooly.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242236; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rebirthbot.icu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242230; rev:1;)
# NOTE(review): the ip:port rules below carry no flow: or content: constraint, so they match any
# TCP segment from $HOME_NET to that socket - a single SYN that is dropped or reset still alerts.
# Treat a hit as evidence of a contact attempt, not of an established C2 session; confirm with
# flow records before escalating. "threshold: type limit, track by_src, seconds 60, count 1" caps
# output to one alert per source per 60 s, so repeated beacons will not show up as repeated alerts
# (a global threshold.config entry would let operators tune that centrally instead of per rule).
# 93.123.85.142 sits in the same /24 as other IOCs in this feed (e.g. 93.123.85.197, sid 91242174).
alert tcp $HOME_NET any -> [15.235.131.20] 44647 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242227; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.142] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242229/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.loadbalance.click"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1242228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"conference-cal.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzzhmgjjztjkogi3/"; depth:18; nocase; http.host; content:"83.97.73.195"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242210; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 80 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242211/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_25; classtype:trojan-activity; sid:91242211; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 23100 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242216; rev:1;) alert tcp $HOME_NET any -> [77.105.147.157] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242226/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_25; classtype:trojan-activity; sid:91242226; rev:1;) alert tcp $HOME_NET any -> [71.88.241.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242225; rev:1;) alert tcp $HOME_NET any -> [167.56.121.249] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242224; rev:1;) alert tcp $HOME_NET any -> [78.40.117.84] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242223; rev:1;) alert tcp $HOME_NET any -> [35.193.229.206] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242222; rev:1;) alert tcp $HOME_NET any -> [185.198.57.41] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/externallinephpjavascriptsecureauthprotectlinuxuniversal.php"; depth:61; nocase; http.host; content:"82.115.223.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242220; rev:1;) alert tcp $HOME_NET any -> [156.236.72.163] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image_securecpugamelongpollmulticentral.php"; depth:44; nocase; http.host; content:"gp104995g2.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmcpuprocessgenerator.php"; depth:26; nocase; http.host; content:"785319cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242217; rev:1;) alert tcp $HOME_NET any -> [45.92.179.244] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; 
classtype:trojan-activity; sid:91242215; rev:1;) alert tcp $HOME_NET any -> [91.92.244.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_25; classtype:trojan-activity; sid:91242214; rev:1;) alert tcp $HOME_NET any -> [91.92.244.67] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_25; classtype:trojan-activity; sid:91242213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"185.193.126.187"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242209; rev:1;) alert tcp $HOME_NET any -> [88.214.25.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"microsoftsyst3m.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; 
classtype:trojan-activity; sid:91242207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"88.214.25.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enable/v9/wdoblgwr0s"; depth:21; nocase; http.host; content:"igo0gle.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242205; rev:1;) alert tcp $HOME_NET any -> [87.98.177.182] 3131 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242204; rev:1;) alert tcp $HOME_NET any -> [45.95.147.236] 43782 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv.tamatri.co"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242201/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_24; classtype:trojan-activity; sid:91242201; rev:1;)
# NOTE(review): depth:N plus isdataat:!1,relative anchors each domain as an exact, whole-name
# match. "tamatri.co" therefore only fires for the apex; other labels under it are not covered
# unless listed separately (srv.tamatri.co is, sid 91242201 just above).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tamatri.co"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dw.c4kdeliver.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242200; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.18] 43519 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242198/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242198; rev:1;)
# NOTE(review): *.gl.at.ply.gg hostnames (also conference-cal.gl.at.ply.gg, sid 91242212) and the
# 147.185.221.x NjRAT socket above look like endpoints of a shared tunnelling service that is
# presumably reused by unrelated tenants - consistent with the 75% confidence. Alert on them,
# but confirm before adding the hostname or the IP to a block list.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"male-stephen.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242199/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242199; rev:1;)
# NOTE(review): fbi.su1001-2.top is listed twice in this feed (ioc 1242197 here and ioc 1242189,
# sid 91242189); both rules have identical match content, so one query raises two alerts.
# Harmless for detection, but de-duplicate by sid if alert volume is counted downstream.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242197; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"fbi.su1001-2.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dw.bpdeliver.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jira.letmaker.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"work.onlypirate.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242192; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a.oracleservice.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242193; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"b.oracleservice.top"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242194; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pwn.oracleservice.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c4k-ircd.pwndns.pw"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"teplokub.com.ua"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242188/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"kamsmad.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242186/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"souzhensil.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242187; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 20543 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242185; rev:1;) alert tcp $HOME_NET any -> [84.212.127.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242184/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242184; rev:1;) alert tcp $HOME_NET any -> [105.108.32.227] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242183/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242183; rev:1;) alert tcp $HOME_NET any -> [188.40.19.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242182/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242182; rev:1;) alert tcp $HOME_NET any -> [64.227.179.34] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242181/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242181; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242180/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242180; rev:1;) alert tcp $HOME_NET any -> [216.146.26.94] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242179/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242179; rev:1;) alert tcp $HOME_NET any -> [172.104.53.129] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242178/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242178; rev:1;) alert tcp $HOME_NET any -> [42.2.112.129] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242177/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242177; rev:1;) alert tcp $HOME_NET any -> [173.44.141.149] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242176; rev:1;) alert tcp $HOME_NET any -> [185.222.58.83] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242175; rev:1;) alert tcp $HOME_NET any -> [93.123.85.197] 606 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242174/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242174; rev:1;) alert tcp $HOME_NET any -> [95.86.227.200] 25565 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242172/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242172; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kisel228.zapto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242173/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242173; rev:1;) alert tcp $HOME_NET any -> [192.236.162.239] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242171/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"o3c31x4fqdw2.lt"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242170/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"0n75w55jyk66.pw"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"oylg4z486xv4.info"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"13sf6uu6cvlm.la"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242163/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"papricasfla.bio"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242164; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"643y3mrh4m3d.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"xivadoivxa.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"6dtav5rvnh1q.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242167/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"decilaxcvz.life"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242168/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"9w28pp996g59.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242169/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242169; rev:1;) alert tcp $HOME_NET any -> [185.158.251.240] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"stake.libertariancounterpoint.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/indigo"; depth:7; nocase; http.host; content:"moon.playstoreapi.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242154; rev:1;) alert tcp $HOME_NET any -> [77.246.158.53] 13551 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"manta.brasilia.me"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudieapp.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/voilet"; depth:7; nocase; http.host; content:"sni1.androidmetricsasia.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"instantchatapp.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"funcallback.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242157; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; 
content:"appserv.ddns.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242159/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242159; rev:1;) alert tcp $HOME_NET any -> [43.229.148.210] 5556 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242151; rev:1;) alert tcp $HOME_NET any -> [5.42.73.150] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"5.34.198.105"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.74.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sosorry.php"; depth:12; nocase; http.host; content:"185.196.8.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdncloud.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"cdncloud.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"ipadd.show"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipadd.show"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242142; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242138; rev:1;) alert tcp $HOME_NET any -> [148.72.132.181] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242137; rev:1;) alert tcp $HOME_NET any -> [142.132.224.223] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242136/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_02_24; classtype:trojan-activity; sid:91242136; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241988/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241988; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241989/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241989; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 17155 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91241990; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242004/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242004; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242012; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1242013/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242013; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242014/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242014; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 18876 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242015/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"than-electoral.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242107/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242107; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 3639 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242108/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242108; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242123; rev:1;) alert tcp $HOME_NET any -> 
[18.157.68.73] 15217 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242126/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nature-dawn.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242109/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zwi0ywmyymflodbl/"; depth:18; nocase; http.host; content:"194.26.135.99"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242115; rev:1;) alert tcp $HOME_NET any -> [93.123.85.8] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242128/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_24; classtype:trojan-activity; sid:91242128; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 1177 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242135; rev:1;) alert tcp $HOME_NET any -> [45.138.74.228] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242134/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242134; rev:1;) alert tcp $HOME_NET any -> [13.231.247.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242133/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242133; rev:1;) alert tcp $HOME_NET any -> [95.179.200.130] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242132/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242132; rev:1;) alert tcp $HOME_NET any -> [77.49.56.209] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242131/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242131; rev:1;) alert tcp $HOME_NET any -> [143.198.112.191] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242130/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242130; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 10443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242129/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_24; classtype:trojan-activity; sid:91242129; rev:1;) alert tcp 
$HOME_NET any -> [92.246.136.169] 16668 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck07725.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242124; rev:1;) alert tcp $HOME_NET any -> [121.37.66.33] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242122; rev:1;) alert tcp $HOME_NET any -> [105.100.10.190] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242121; rev:1;) alert tcp $HOME_NET any -> [94.154.172.74] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242120; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_24; classtype:trojan-activity; sid:91242119; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 32544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242118; rev:1;) alert tcp $HOME_NET any -> [37.120.237.196] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242117; rev:1;) alert tcp $HOME_NET any -> [45.80.158.25] 5055 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_24; classtype:trojan-activity; sid:91242116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageprotect.php"; depth:17; nocase; http.host; content:"176.123.169.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242112; rev:1;) alert tcp $HOME_NET any -> [85.159.228.138] 41572 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242111; rev:1;) alert tcp $HOME_NET any -> [213.152.162.89] 9702 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242110; rev:1;) alert tcp $HOME_NET any -> [65.0.50.125] 22158 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242106; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 36364 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242105/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_23; classtype:trojan-activity; sid:91242105; rev:1;) alert tcp $HOME_NET any -> [51.81.42.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242104; rev:1;) alert tcp $HOME_NET any -> [20.115.87.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242103; rev:1;) alert tcp $HOME_NET any -> [34.250.248.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242102; rev:1;) alert tcp $HOME_NET any -> [124.223.177.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242101; rev:1;) alert tcp $HOME_NET any -> [138.68.180.208] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242100; rev:1;) alert tcp $HOME_NET any -> [52.231.117.124] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242099; rev:1;) alert tcp $HOME_NET any -> [52.87.249.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242098; rev:1;) alert tcp $HOME_NET any -> [3.65.151.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242097; rev:1;) alert tcp $HOME_NET any -> [34.134.123.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242096; rev:1;) alert tcp $HOME_NET any -> [4.147.26.237] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242095; rev:1;) alert tcp $HOME_NET any -> [172.104.219.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91242094; rev:1;) alert tcp $HOME_NET any -> [142.93.75.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242093; rev:1;) alert tcp $HOME_NET any -> [167.71.229.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242092; rev:1;) alert tcp $HOME_NET any -> [84.76.152.132] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242091; rev:1;) alert tcp $HOME_NET any -> [34.66.42.107] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242090; rev:1;) alert tcp $HOME_NET any -> [34.88.129.107] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242089; rev:1;) alert tcp $HOME_NET any -> [138.197.168.34] 1337 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242088; rev:1;) alert tcp $HOME_NET any -> [47.245.122.5] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242087; rev:1;) alert tcp $HOME_NET any -> [124.220.110.22] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242086; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242085; rev:1;) alert tcp $HOME_NET any -> [84.27.0.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242084; rev:1;) alert tcp $HOME_NET any -> [93.123.85.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242083; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon7331.uk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242082; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242079; rev:1;) alert tcp $HOME_NET any -> [5.42.67.89] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242077; rev:1;) alert tcp $HOME_NET any -> [110.173.54.195] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242078; rev:1;) alert tcp $HOME_NET any -> [37.140.242.93] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242076; rev:1;) alert tcp $HOME_NET any -> [46.246.86.12] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242075/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242075; rev:1;) alert tcp $HOME_NET any -> [154.244.6.141] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.edgarmcneil.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbdfbd.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liceback.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242071; rev:1;) alert tcp $HOME_NET any -> [220.78.13.217] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242070; rev:1;) alert tcp $HOME_NET any -> [181.162.129.236] 8080 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242069; rev:1;) alert tcp $HOME_NET any -> [89.23.102.221] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242068; rev:1;) alert tcp $HOME_NET any -> [193.233.254.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242066; rev:1;) alert tcp $HOME_NET any -> [212.70.149.199] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242067; rev:1;) alert tcp $HOME_NET any -> [86.110.194.13] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242064; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-93-225.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242065/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242065; rev:1;) alert tcp $HOME_NET any -> [185.217.197.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ovh.rfc.pp.ua"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-152-184-1.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1242061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242061; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242060; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 100 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242058; rev:1;) alert tcp $HOME_NET any -> [186.170.114.55] 2404 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242059; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242057; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242055; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242056; rev:1;) alert tcp $HOME_NET any -> [213.195.119.244] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242054; rev:1;) alert tcp $HOME_NET any -> [82.165.208.218] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242053/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242053; rev:1;) alert tcp $HOME_NET any -> [34.86.252.187] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242052; rev:1;) alert tcp $HOME_NET any -> [185.87.150.199] 2222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242051; rev:1;) alert tcp $HOME_NET any -> [82.97.244.235] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242050/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242050; rev:1;) alert tcp $HOME_NET any -> [35.93.24.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242049/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242049; rev:1;) alert tcp $HOME_NET any -> [114.115.129.32] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242048/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_23; classtype:trojan-activity; sid:91242048; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242047; rev:1;) alert tcp $HOME_NET any -> [65.20.80.197] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242045; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242046; rev:1;) alert tcp $HOME_NET any -> [65.20.80.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242044; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242043; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242041; rev:1;) 
alert tcp $HOME_NET any -> [39.104.73.42] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242042; rev:1;) alert tcp $HOME_NET any -> [176.32.38.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242040; rev:1;) alert tcp $HOME_NET any -> [182.92.207.142] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242039; rev:1;) alert tcp $HOME_NET any -> [91.92.241.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242038; rev:1;) alert tcp $HOME_NET any -> [45.159.209.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242036; rev:1;) alert tcp $HOME_NET any -> [117.72.42.129] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1242037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242037; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242034; rev:1;) alert tcp $HOME_NET any -> [8.222.150.46] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242035; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242033; rev:1;) alert tcp $HOME_NET any -> [91.149.237.252] 52299 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242032; rev:1;) alert tcp $HOME_NET any -> [101.200.164.66] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242030; rev:1;) alert tcp $HOME_NET any -> [107.172.196.196] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242031; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 2991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242029; rev:1;) alert tcp $HOME_NET any -> [111.231.146.154] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242027; rev:1;) alert tcp $HOME_NET any -> [167.71.186.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242028; rev:1;) alert tcp $HOME_NET any -> [139.180.146.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242026; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242024/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242024; rev:1;) alert tcp $HOME_NET any -> [154.197.98.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242025; rev:1;) alert tcp $HOME_NET any -> [175.24.133.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242023; rev:1;) alert tcp $HOME_NET any -> [152.42.164.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242022; rev:1;) alert tcp $HOME_NET any -> [221.234.36.116] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242020; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242021; rev:1;) alert tcp $HOME_NET any -> [47.254.149.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242019; rev:1;) alert tcp $HOME_NET any -> [20.108.32.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242018; rev:1;) alert tcp $HOME_NET any -> [52.190.15.163] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242017; rev:1;) alert tcp $HOME_NET any -> [58.137.140.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"controlopposedcallyo.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; 
http.host; content:"technologyenterdo.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lighterepisodeheighte.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242009; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"problemregardybuiwo.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"detectordiscusser.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"edurestunningcrackyow.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242006/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242006; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pooreveningfuseor.pw"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1242005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91242005; rev:1;) alert tcp $HOME_NET any -> [192.210.136.123] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242003/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242003; rev:1;) alert tcp $HOME_NET any -> [86.98.212.14] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242002/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242002; rev:1;) alert tcp $HOME_NET any -> [105.155.177.133] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242001; rev:1;) alert tcp $HOME_NET any -> [176.233.252.31] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1242000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91242000; rev:1;) alert tcp $HOME_NET any -> 
[195.78.220.27] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241999; rev:1;) alert tcp $HOME_NET any -> [89.116.227.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241998; rev:1;) alert tcp $HOME_NET any -> [37.1.210.109] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241997; rev:1;) alert tcp $HOME_NET any -> [20.189.118.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241996; rev:1;) alert tcp $HOME_NET any -> [138.124.180.245] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241995; rev:1;) alert tcp $HOME_NET any -> [122.114.11.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241994/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_23; classtype:trojan-activity; sid:91241994; rev:1;) alert tcp $HOME_NET any -> [130.193.34.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241993/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241993; rev:1;) alert tcp $HOME_NET any -> [46.101.147.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"software.ftoffice.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241991; rev:1;) alert tcp $HOME_NET any -> [103.178.234.224] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241987/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241987; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241982; 
rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241983; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241984/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241984; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241985/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241985; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12044 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241986/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241986; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241977; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 38277 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241978/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241978; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241979/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241979; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cut-britney.gl.at.ply.gg"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241980/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241980; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 12607 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241981; rev:1;) alert tcp $HOME_NET any -> [23.106.121.133] 1177 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241976; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jnchina.ydns.eu"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241975; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"eu.webmailservice.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241973; rev:1;) alert tcp $HOME_NET any -> [20.170.19.248] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241974; rev:1;) alert tcp $HOME_NET any -> [18.219.198.202] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.byresolved.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241971; rev:1;) alert tcp $HOME_NET any -> [46.101.147.204] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.ftoffice.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241969/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.20.43.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241968; rev:1;) alert tcp $HOME_NET any -> [45.76.123.14] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x3f34.dev"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rd.0x115c.click"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241966; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zewmrgqnw.php"; depth:19; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241961; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241960/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241960; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241959; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241958; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalsecuredlecentral.php"; depth:29; nocase; http.host; content:"113754cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241956/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91241956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.92.146.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241955; rev:1;) alert tcp $HOME_NET any -> [5.181.80.195] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241954; rev:1;) alert tcp $HOME_NET any -> [193.233.132.89] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241953/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sluitionsbad.tech"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"sluitionsbad.tech"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241951/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_23; classtype:trojan-activity; sid:91241951; rev:1;) alert tcp $HOME_NET any -> [185.209.162.106] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mezla.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241950; rev:1;) alert tcp $HOME_NET any -> [45.11.93.150] 8964 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241936; rev:1;) alert tcp $HOME_NET any -> [193.23.55.21] 56789 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241948; rev:1;) alert tcp $HOME_NET any -> [193.233.132.89] 50500 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241946; rev:1;) alert tcp $HOME_NET any -> [38.180.71.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"38.180.71.140"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"78.40.116.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241943; rev:1;) alert tcp $HOME_NET any -> [159.65.130.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"159.65.130.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241941; rev:1;) alert tcp $HOME_NET any -> [20.91.244.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cyprusvillahomes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/scripts/a0aba203-e3f4-4a26-81f8/get/jquery-ui-1.12.1"; depth:60; nocase; http.host; content:"cyprusvillahomes.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241938/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241938; rev:1;) alert tcp $HOME_NET any -> [49.13.32.37] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241934; rev:1;) alert tcp $HOME_NET any -> [192.227.231.5] 23 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241931; rev:1;) alert tcp $HOME_NET any -> [203.25.119.136] 48748 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241932; rev:1;) alert tcp $HOME_NET any -> [178.79.150.75] 4444 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241929; rev:1;) alert tcp $HOME_NET any -> [185.209.160.19] 
8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241930; rev:1;) alert tcp $HOME_NET any -> [141.98.7.15] 1915 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241926; rev:1;) alert tcp $HOME_NET any -> [146.59.12.246] 20002 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241927; rev:1;) alert tcp $HOME_NET any -> [146.190.53.148] 81 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241928; rev:1;) alert tcp $HOME_NET any -> [134.209.111.71] 9999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241924; rev:1;) alert tcp $HOME_NET any -> [141.95.81.119] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241925/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; 
classtype:trojan-activity; sid:91241925; rev:1;) alert tcp $HOME_NET any -> [114.67.217.170] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241923; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241921; rev:1;) alert tcp $HOME_NET any -> [93.123.85.181] 1337 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241922; rev:1;) alert tcp $HOME_NET any -> [78.31.67.78] 2300 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241919/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241919; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 32015 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241920/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241920; rev:1;) alert tcp $HOME_NET any -> [47.105.86.47] 21997 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241917/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241917; rev:1;) alert tcp $HOME_NET any -> [62.173.140.174] 17900 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241918; rev:1;) alert tcp $HOME_NET any -> [45.154.1.68] 1420 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241915; rev:1;) alert tcp $HOME_NET any -> [46.19.140.242] 32465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241916; rev:1;) alert tcp $HOME_NET any -> [31.222.202.156] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241914/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nvycjtpinaaq4eamnkgwj2"; depth:27; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; 
sid:91241933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241912; rev:1;) alert tcp $HOME_NET any -> [106.54.228.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"service-hlaqy0v7-1303081427.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241911; rev:1;) alert tcp $HOME_NET any -> [185.196.10.134] 6117 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241910/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241910; rev:1;) alert tcp $HOME_NET any -> [154.222.236.61] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241909/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241909; rev:1;) alert tcp 
$HOME_NET any -> [94.103.188.173] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241908; rev:1;) alert tcp $HOME_NET any -> [142.171.33.169] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241907; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 8872 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241882/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241882; rev:1;) alert tcp $HOME_NET any -> [185.226.106.107] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_23; classtype:trojan-activity; sid:91241894; rev:1;) alert tcp $HOME_NET any -> [194.147.140.242] 2202 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241906; rev:1;) alert tcp $HOME_NET any -> [154.247.12.253] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241905/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241905; rev:1;) alert tcp $HOME_NET any -> [209.151.153.136] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241904; rev:1;) alert tcp $HOME_NET any -> [103.27.132.105] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241903; rev:1;) alert tcp $HOME_NET any -> [37.1.210.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241902; rev:1;) alert tcp $HOME_NET any -> [34.116.205.0] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241901; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241900; rev:1;) alert tcp $HOME_NET any -> [58.65.172.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241899; rev:1;) alert tcp $HOME_NET any -> [23.227.193.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lastaflirtely.me"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241897; rev:1;) alert tcp $HOME_NET any -> [209.9.200.69] 32002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241896; rev:1;) alert tcp $HOME_NET any -> [51.250.74.43] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_23; classtype:trojan-activity; sid:91241895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm65198.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241893/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_23; classtype:trojan-activity; sid:91241893; rev:1;) alert tcp $HOME_NET any -> [91.202.233.133] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241892; rev:1;) alert tcp $HOME_NET any -> [212.192.12.222] 5008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241891; rev:1;) alert tcp $HOME_NET any -> [91.92.252.227] 1000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241890; rev:1;) alert tcp $HOME_NET any -> [83.217.9.199] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241889; rev:1;) alert tcp $HOME_NET any -> [106.53.186.12] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241888; rev:1;) alert tcp $HOME_NET any -> [166.88.61.138] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241887; rev:1;) alert tcp $HOME_NET any -> [18.153.179.54] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241886; rev:1;) alert tcp $HOME_NET any -> [35.178.199.73] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241885; rev:1;) alert tcp $HOME_NET any -> [3.253.247.39] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_23; classtype:trojan-activity; sid:91241884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/generatorexternal9windows/local74/3processor/js/updatebigloadprocess/httptest/uploads9universaltest/trackflower6/pipe0wp/trafficlinegameprovider/publiclocal80/6better9/processorphp/6defaultserver/0javascript/multi8external/5betterrequestlinux/uploadswindowslow/tobigloadmultiflowerasyncwptempdownloads.php"; depth:306; nocase; http.host; content:"79.137.207.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241846/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_22; classtype:trojan-activity; sid:91241846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241848; rev:1;) alert tcp $HOME_NET any -> [45.95.169.14] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241849; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 37064 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241850/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"training-invasion.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1241851/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241851; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 48795 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241874; rev:1;) alert tcp $HOME_NET any -> [193.35.18.127] 51321 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241872; rev:1;) alert tcp $HOME_NET any -> [185.196.9.97] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"79-9-691.581-alps.qyhgroup.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241876; rev:1;) alert tcp $HOME_NET any -> [38.147.172.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"mscs.v1.vscll.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241879; rev:1;) alert tcp $HOME_NET any -> [159.223.220.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.73.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalhttp2db/longpollvoiddb2server/longpollsecure3bigload/196downloads/32proton/061/imagevmproton/1pipe/dlebigloadcentral/game/50uploadscentral/phpbigload9/externalimageapigeneratoruniversalwordpresslocalcdn.php"; depth:214; nocase; http.host; content:"77.91.124.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241873; rev:1;) alert tcp $HOME_NET any -> [79.131.125.79] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241871; rev:1;) alert tcp $HOME_NET any -> [154.246.82.173] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241870; rev:1;) alert tcp $HOME_NET any -> [75.90.82.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241869; rev:1;) alert tcp $HOME_NET any -> [154.247.12.253] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241868; rev:1;) alert tcp $HOME_NET any -> [24.90.18.97] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"190.182.251.4"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241866/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"102.33.76.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1.94.67.222"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1130829539006750833/1210266320600301709/4_npp.8.6.3.portable.x64.zip"; depth:81; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/onmicrosoft"; depth:12; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/nationwide_services"; depth:20; nocase; http.host; content:"workstatpasing.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/c2hitq.php"; depth:46; nocase; http.host; content:"www.marioagozzino.it"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/dqyzqp.php"; depth:46; nocase; http.host; content:"www.erasnetwork.eu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/hyhnv3.php"; depth:47; nocase; http.host; content:"propertystats.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/themes/twentytwentytwo/nnzknr.php"; depth:45; nocase; http.host; content:"carritosdelacompra.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentythree/ovqugo.php"; depth:47; nocase; http.host; content:"osakaimchk.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w2p/panel/gate.php"; depth:19; nocase; http.host; content:"yourstudyway.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/help/zzrgqnaww.php"; depth:19; nocase; http.host; 
content:"machineryideas.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241760; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 10443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241842; rev:1;) alert tcp $HOME_NET any -> [147.189.175.79] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241841; rev:1;) alert tcp $HOME_NET any -> [34.72.103.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241839; rev:1;) alert tcp $HOME_NET any -> [34.118.85.166] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241840; rev:1;) alert tcp $HOME_NET any -> [54.206.231.185] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241838; rev:1;) alert tcp $HOME_NET any -> [3.110.14.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241837; rev:1;) alert tcp $HOME_NET any -> [172.187.145.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241836; rev:1;) alert tcp $HOME_NET any -> [138.197.13.114] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241835; rev:1;) alert tcp $HOME_NET any -> [34.16.51.172] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241834; rev:1;) alert tcp $HOME_NET any -> [96.231.143.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241833; rev:1;) alert tcp $HOME_NET any -> [137.184.150.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241832; rev:1;) alert tcp $HOME_NET any -> [164.177.30.14] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1126965.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241830; rev:1;) alert tcp $HOME_NET any -> [39.107.109.9] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241829; rev:1;) alert tcp $HOME_NET any -> [38.54.119.156] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241828; rev:1;) alert tcp $HOME_NET any -> [45.207.58.56] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241827; rev:1;) alert tcp $HOME_NET any -> [219.147.89.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241826; rev:1;) alert tcp $HOME_NET any -> [51.11.25.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerfunyfile.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241824; rev:1;) alert tcp $HOME_NET any -> [95.216.253.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"striperouter.supelle.co"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241823; rev:1;) alert tcp $HOME_NET any -> [45.95.169.135] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241821; rev:1;) alert tcp $HOME_NET any -> [108.174.198.206] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241820; rev:1;) alert tcp $HOME_NET any -> [209.141.35.151] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-88-105-125.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241818; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nice-margulis.45-138-16-132.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241817; rev:1;) alert tcp $HOME_NET any -> [34.118.33.152] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241816/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_22; classtype:trojan-activity; sid:91241816; rev:1;) alert tcp $HOME_NET any -> [91.151.88.209] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitis.josefbenjac.cz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"digital20.agriprotechx.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.77.129.13.49.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241812; rev:1;) alert tcp $HOME_NET any -> [20.56.35.166] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241810; rev:1;) alert tcp $HOME_NET any -> [107.173.118.89] 443 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241811; rev:1;) alert tcp $HOME_NET any -> [52.184.85.209] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"the.networkguru.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241807; rev:1;) alert tcp $HOME_NET any -> [166.88.132.139] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241808; rev:1;) alert tcp $HOME_NET any -> [94.156.69.145] 7539 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241806; rev:1;) alert tcp $HOME_NET any -> [3.99.102.8] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241805/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241805; rev:1;) alert tcp $HOME_NET any -> [162.222.206.193] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241804; rev:1;) alert tcp $HOME_NET any -> [94.156.69.246] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241803; rev:1;) alert tcp $HOME_NET any -> [47.128.64.139] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49.183.246.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241801; rev:1;) alert tcp $HOME_NET any -> [185.146.157.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"grinevitchnicolas4.fvds.ru"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241799; rev:1;) alert tcp $HOME_NET any -> [91.92.250.168] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241798; rev:1;) alert tcp $HOME_NET any -> [172.188.29.138] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"data.iexcom.de"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241796; rev:1;) alert tcp $HOME_NET any -> [91.92.253.26] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241794; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241795/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241795; rev:1;) alert tcp $HOME_NET any -> [45.88.186.65] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241793; rev:1;) alert tcp $HOME_NET any -> [136.243.111.71] 5900 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241792; rev:1;) alert tcp $HOME_NET any -> [113.174.1.186] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241790; rev:1;) alert tcp $HOME_NET any -> [181.131.216.198] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241791; rev:1;) alert tcp $HOME_NET any -> [172.111.148.12] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241789; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 5005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241788/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241788; rev:1;) alert tcp $HOME_NET any -> [216.245.181.105] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241787/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241787; rev:1;) alert tcp $HOME_NET any -> [91.92.243.90] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_22; classtype:trojan-activity; sid:91241786; rev:1;) alert tcp $HOME_NET any -> [42.193.178.194] 55443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241785; rev:1;) alert tcp $HOME_NET any -> [39.104.73.42] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241784; rev:1;) alert tcp $HOME_NET any -> [5.34.198.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241783; rev:1;) alert tcp $HOME_NET any -> 
[23.26.137.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241781; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8181 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241782; rev:1;) alert tcp $HOME_NET any -> [104.168.54.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241780; rev:1;) alert tcp $HOME_NET any -> [47.113.195.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241778; rev:1;) alert tcp $HOME_NET any -> [101.42.47.72] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241779; rev:1;) alert tcp $HOME_NET any -> [38.60.253.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241777/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241777; rev:1;) alert tcp $HOME_NET any -> [118.31.75.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241776; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241774; rev:1;) alert tcp $HOME_NET any -> [124.223.97.173] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241775; rev:1;) alert tcp $HOME_NET any -> [74.235.199.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241773; rev:1;) alert tcp $HOME_NET any -> [103.191.15.189] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241772; rev:1;) alert tcp $HOME_NET any -> [111.92.243.96] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241770; rev:1;) alert tcp $HOME_NET any -> [94.156.69.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241771; rev:1;) alert tcp $HOME_NET any -> [175.178.48.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241769; rev:1;) alert tcp $HOME_NET any -> [47.98.214.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241768; rev:1;) alert tcp $HOME_NET any -> [47.101.160.122] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241767; rev:1;) alert tcp $HOME_NET any -> [124.222.114.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241766/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_22; classtype:trojan-activity; sid:91241766; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hr-helpdesk.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241765; rev:1;) alert tcp $HOME_NET any -> [59.110.142.91] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241764; rev:1;) alert tcp $HOME_NET any -> [39.105.194.11] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.ftoffice.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-155-161.ip.linodeusercontent.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grebiunti.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"grebiunti.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241757; rev:1;) alert tcp $HOME_NET any -> [31.10.67.116] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241755; rev:1;) alert tcp $HOME_NET any -> [95.216.104.115] 4328 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241756; rev:1;) alert tcp $HOME_NET any -> [37.221.65.78] 63645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"37.221.65.78"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1241746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"chernobyl.fun"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1241747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"auth.tesla-alert.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1241748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"app.tesla-alert.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1241749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mafiakorea.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241750; rev:1;) alert tcp $HOME_NET any -> [185.158.248.141] 1344 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241753; rev:1;) alert tcp $HOME_NET any -> [129.153.86.0] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"356873cm.nyashtyan.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.131.132.55"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ecuaecua.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_22; classtype:trojan-activity; sid:91241741; rev:1;) alert tcp $HOME_NET any -> [46.246.12.6] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; 
sid:91241738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"221.150.72.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/etc.clientlibs/base.min.acshash29ccd0207f7ce847c.js"; depth:52; nocase; http.host; content:"119.3.12.54"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.222.64.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"103.191.15.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241731; rev:1;) alert tcp $HOME_NET any -> [212.102.39.208] 58095 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241723/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241723; rev:1;) alert tcp $HOME_NET any -> [124.71.108.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.108.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241729; rev:1;) alert tcp $HOME_NET any -> [193.29.56.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"193.29.56.130"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241727; rev:1;) alert tcp $HOME_NET any -> [173.44.141.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"realusatruck.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"realusatruck.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241724; rev:1;) alert tcp $HOME_NET any -> [45.142.107.117] 3549 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241717; rev:1;) alert tcp $HOME_NET any -> [185.196.10.139] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241721; rev:1;) alert tcp $HOME_NET any -> [91.92.240.13] 9511 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241718; rev:1;) alert tcp $HOME_NET any -> [185.196.10.164] 59312 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241719; rev:1;) alert tcp $HOME_NET any -> [185.196.10.60] 55655 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241720; rev:1;) alert tcp $HOME_NET any -> [185.196.9.223] 1302 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241722; rev:1;) alert tcp $HOME_NET any -> [94.156.8.116] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241716; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 3778 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241712; rev:1;) alert tcp $HOME_NET any -> [37.221.94.43] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241713; rev:1;) alert tcp $HOME_NET any -> [146.19.191.200] 69 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241714; rev:1;) alert tcp $HOME_NET any -> [45.138.174.72] 3778 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241715; rev:1;) alert tcp $HOME_NET any -> [185.91.127.216] 55555 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241710; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241711; rev:1;) alert tcp $HOME_NET any -> [5.181.80.126] 35769 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241709; rev:1;) alert tcp $HOME_NET any -> [5.181.80.27] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241705; rev:1;) alert tcp $HOME_NET any -> [5.181.80.153] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241706/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_22; classtype:trojan-activity; sid:91241706; rev:1;) alert tcp $HOME_NET any -> [5.181.80.116] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241707; rev:1;) alert tcp $HOME_NET any -> [5.181.80.177] 3090 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241708; rev:1;) alert tcp $HOME_NET any -> [64.176.178.205] 2017 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241704; rev:1;) alert tcp $HOME_NET any -> [103.233.11.14] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241703/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241703; rev:1;) alert tcp $HOME_NET any -> [103.233.11.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241702/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241702; rev:1;) alert tcp $HOME_NET any -> [165.232.41.54] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241701/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241701; rev:1;) alert tcp $HOME_NET any -> [5.42.92.25] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241700; rev:1;) alert tcp $HOME_NET any -> [41.96.190.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241699; rev:1;) alert tcp $HOME_NET any -> [41.97.43.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241698; rev:1;) alert tcp $HOME_NET any -> [154.246.82.173] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241697; rev:1;) alert tcp $HOME_NET any -> [193.239.86.189] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241696; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 8443 (msg:"ThreatFox 
BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241695; rev:1;) alert tcp $HOME_NET any -> [103.35.189.93] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241694/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241694; rev:1;) alert tcp $HOME_NET any -> [159.89.204.198] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241693/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241693; rev:1;) alert tcp $HOME_NET any -> [159.89.204.198] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241692/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241692; rev:1;) alert tcp $HOME_NET any -> [147.182.190.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241691/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_22; classtype:trojan-activity; sid:91241691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"amma.myftp.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241658/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_22; classtype:trojan-activity; sid:91241658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"45.93.20.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241659; rev:1;) alert tcp $HOME_NET any -> [5.75.162.217] 43724 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241660; rev:1;) alert tcp $HOME_NET any -> [185.133.40.202] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241689; rev:1;) alert tcp $HOME_NET any -> [222.186.174.9] 43268 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241690; rev:1;) alert tcp $HOME_NET any -> [103.28.33.96] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241688; rev:1;) alert tcp $HOME_NET any -> [139.159.197.241] 50050 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241687; rev:1;) alert tcp $HOME_NET any -> [161.35.203.116] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241686/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241686; rev:1;) alert tcp $HOME_NET any -> [5.188.87.36] 36543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241685/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241685; rev:1;) alert tcp $HOME_NET any -> [43.137.5.20] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241684/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241684; rev:1;) alert tcp $HOME_NET any -> [103.151.217.93] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241683/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241683; rev:1;) alert tcp $HOME_NET any -> [43.139.74.167] 50034 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241682/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241682; rev:1;) alert tcp $HOME_NET any -> [164.90.169.184] 31228 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241681; rev:1;) alert tcp $HOME_NET any -> [104.129.182.25] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241680; rev:1;) alert tcp $HOME_NET any -> [91.92.250.128] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241679; rev:1;) alert tcp $HOME_NET any -> [20.106.172.90] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241678; rev:1;) alert tcp $HOME_NET any -> [4.233.217.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241677; rev:1;) alert tcp $HOME_NET any -> [20.215.188.233] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241676; rev:1;) alert tcp $HOME_NET any -> [193.233.132.235] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241675; rev:1;) alert tcp $HOME_NET any -> [193.233.132.18] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241674; rev:1;) alert tcp $HOME_NET any -> [92.223.106.203] 12134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241673; rev:1;) alert tcp $HOME_NET any -> [193.233.132.75] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241672; rev:1;) alert tcp $HOME_NET any -> [193.233.132.21] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241671/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241671; rev:1;) alert tcp $HOME_NET any -> [116.203.3.120] 80 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241670; rev:1;) alert tcp $HOME_NET any -> [95.217.29.171] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241669; rev:1;) alert tcp $HOME_NET any -> [49.13.32.193] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241668; rev:1;) alert tcp $HOME_NET any -> [95.217.31.198] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241667; rev:1;) alert tcp $HOME_NET any -> [65.109.242.25] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241666/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241666; rev:1;) alert tcp $HOME_NET any -> [65.109.242.25] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241665/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; 
classtype:trojan-activity; sid:91241665; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241664/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241664; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241663/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241663; rev:1;) alert tcp $HOME_NET any -> [45.148.4.19] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241662/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_22; classtype:trojan-activity; sid:91241662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_22; classtype:trojan-activity; sid:91241661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.138.212.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241657; 
rev:1;) alert tcp $HOME_NET any -> [121.43.55.149] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"218.94.206.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"121.17.123.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"116.211.153.240"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"223.68.136.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"61.159.80.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"112.28.231.110"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"120.39.197.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241649; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"139.162.155.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241648/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241648; rev:1;) alert tcp $HOME_NET any -> [193.168.173.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"193.168.173.45"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241645; rev:1;) alert tcp $HOME_NET any -> [102.47.184.255] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geogeneratorwp.php"; depth:19; nocase; http.host; content:"102822cm.nyashsens.top"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241643; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 19437 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241642/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241642; rev:1;) alert tcp $HOME_NET any -> [54.84.110.180] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241641; rev:1;) alert tcp $HOME_NET any -> [95.219.218.28] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241640; rev:1;) alert tcp $HOME_NET any -> [5.15.83.50] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241639; rev:1;) alert tcp $HOME_NET any -> [142.154.28.33] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241638; rev:1;) alert tcp $HOME_NET any -> [41.227.173.126] 443 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241637; rev:1;) alert tcp $HOME_NET any -> [141.164.48.82] 8443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241636; rev:1;) alert tcp $HOME_NET any -> [51.159.178.12] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241635; rev:1;) alert tcp $HOME_NET any -> [94.102.49.161] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241634; rev:1;) alert tcp $HOME_NET any -> [145.239.230.233] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241633/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241633; rev:1;) alert tcp $HOME_NET any -> [38.132.122.178] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241632; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"116.72.22.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241631; rev:1;) alert tcp $HOME_NET any -> [45.77.72.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.artstrailreviews.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241629; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.29.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.32.193"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241627; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.12.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.103.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241624; rev:1;) alert tcp $HOME_NET any -> [49.13.32.193] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241622; rev:1;) alert tcp $HOME_NET any -> [95.217.29.171] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241623; rev:1;) alert tcp $HOME_NET any -> [159.69.103.8] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241619; rev:1;) alert tcp $HOME_NET any -> [116.203.12.183] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241620; rev:1;) alert tcp $HOME_NET any -> [116.203.12.183] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241621; rev:1;) alert tcp $HOME_NET any -> [94.156.65.180] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241618; rev:1;) alert tcp $HOME_NET any -> [195.201.121.240] 40819 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241617; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241615; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"ads-quantum.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241616; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"turkeyunlikelyofw.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241613; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"resergvearyinitiani.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241612; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; 
depth:4; nocase; http.host; content:"associationokeo.shop"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241614; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241611; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241608/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_21; classtype:trojan-activity; sid:91241608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.42.228.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"aitcaid.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"eeatgoodx.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241597; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"81.94.150.21"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; 
http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241606; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sm.css"; depth:7; nocase; http.host; content:"www.nbcnews.site"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nbcnews.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241603; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241599; rev:1;) alert tcp $HOME_NET any -> [46.246.14.2] 1998 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241596; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241593/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241593; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241594/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241594; rev:1;) alert tcp $HOME_NET any -> [152.89.198.197] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241592; rev:1;) alert tcp $HOME_NET any -> [172.160.250.195] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241591; rev:1;) alert tcp $HOME_NET any -> [178.73.210.202] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241590; rev:1;) alert tcp $HOME_NET any -> [104.238.214.185] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241589; rev:1;) alert tcp $HOME_NET any -> [34.170.222.164] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241588; rev:1;) alert tcp $HOME_NET any -> [20.75.254.123] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241587; rev:1;) alert tcp $HOME_NET any -> [3.84.189.215] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241586; rev:1;) alert tcp $HOME_NET any -> [18.218.56.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241585; rev:1;) alert tcp $HOME_NET any -> [51.210.242.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241584; rev:1;) alert tcp $HOME_NET any -> [43.139.47.68] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241583; rev:1;) alert tcp $HOME_NET any -> [103.140.187.137] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241582; rev:1;) alert tcp $HOME_NET any -> [106.54.200.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241581; rev:1;) alert tcp $HOME_NET any -> [106.54.200.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-20-229-84.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241579; rev:1;) alert tcp $HOME_NET any -> [52.23.117.205] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"ftp.huboftest.ir"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.107.181.83.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241576; rev:1;) alert tcp $HOME_NET any -> [45.138.16.132] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241575; rev:1;) alert tcp $HOME_NET any -> [203.161.60.175] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241573; rev:1;) alert tcp $HOME_NET any -> [203.161.60.175] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241574; rev:1;) alert tcp $HOME_NET any -> [89.163.145.141] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241572/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241572; rev:1;) alert tcp $HOME_NET any -> [38.242.144.29] 7049 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241571/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241571; rev:1;) alert tcp $HOME_NET any -> [35.177.215.200] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maribelgould.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241569; rev:1;) alert tcp $HOME_NET any -> [3.84.126.255] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kendraesparza.autos"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"irenecameron.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241566; rev:1;) alert tcp $HOME_NET any -> [49.13.129.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241565; rev:1;) alert tcp $HOME_NET any -> [167.172.87.109] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241563; rev:1;) alert tcp $HOME_NET any -> [185.196.8.93] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241564; rev:1;) alert tcp $HOME_NET any -> [177.103.63.67] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241562; rev:1;) alert tcp $HOME_NET any -> [20.42.80.234] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241561/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_21; classtype:trojan-activity; sid:91241561; rev:1;) alert tcp $HOME_NET any -> [181.161.23.232] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241560; rev:1;) alert tcp $HOME_NET any -> [91.92.242.86] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241558; rev:1;) alert tcp $HOME_NET any -> [193.233.132.234] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hg88654.cc"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system111.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"bistoxcrypto.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"157.32.125.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241554; rev:1;) alert tcp $HOME_NET any -> [64.23.186.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241553; rev:1;) alert tcp $HOME_NET any -> [139.162.249.47] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241552; rev:1;) alert tcp $HOME_NET any -> [109.199.104.52] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241551; rev:1;) alert tcp $HOME_NET any -> [45.138.16.248] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241550/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_21; classtype:trojan-activity; sid:91241550; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241548; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241549; rev:1;) alert tcp $HOME_NET any -> [172.111.148.20] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241547; rev:1;) alert tcp $HOME_NET any -> [104.210.36.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241546; rev:1;) alert tcp $HOME_NET any -> [194.67.204.7] 88 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241545; rev:1;) alert tcp $HOME_NET any -> [147.189.172.103] 6969 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1241544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241544; rev:1;) alert tcp $HOME_NET any -> [106.54.207.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241543; rev:1;) alert tcp $HOME_NET any -> [15.206.179.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241542; rev:1;) alert tcp $HOME_NET any -> [167.71.51.239] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241541/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241541; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241540; rev:1;) alert tcp $HOME_NET any -> [206.188.196.107] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241538; rev:1;) alert tcp $HOME_NET any -> 
[187.135.122.195] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241539; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241537; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241535; rev:1;) alert tcp $HOME_NET any -> [101.42.47.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241536; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 57777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241534; rev:1;) alert tcp $HOME_NET any -> [139.162.155.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241533/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241533; rev:1;) alert tcp $HOME_NET any -> [139.9.52.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241531; rev:1;) alert tcp $HOME_NET any -> [120.55.183.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241532; rev:1;) alert tcp $HOME_NET any -> [146.70.44.156] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241530; rev:1;) alert tcp $HOME_NET any -> [38.55.197.151] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241529; rev:1;) alert tcp $HOME_NET any -> [82.157.164.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241528; rev:1;) alert tcp $HOME_NET any -> [123.57.181.89] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241526; rev:1;) alert tcp $HOME_NET any -> [1.14.255.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241527; rev:1;) alert tcp $HOME_NET any -> [124.71.108.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241524; rev:1;) alert tcp $HOME_NET any -> [121.43.58.124] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241525; rev:1;) alert tcp $HOME_NET any -> [103.108.107.231] 1024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241523; rev:1;) alert tcp $HOME_NET any -> [45.152.66.209] 7121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241522/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_21; classtype:trojan-activity; sid:91241522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"93-33-203-219.ip46.fastwebnet.it"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241520; rev:1;) alert tcp $HOME_NET any -> [95.215.108.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241521; rev:1;) alert tcp $HOME_NET any -> [43.136.40.231] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241519; rev:1;) alert tcp $HOME_NET any -> [149.88.78.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241517; rev:1;) alert tcp $HOME_NET any -> [116.204.37.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241518; rev:1;) alert tcp $HOME_NET any -> [185.222.58.252] 1992 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241516/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241516; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241515; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241514; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241513; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241512; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 19599 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241511; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c1/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241510/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241510; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 13326 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/static/plugins/jquery/jquery.cookie.js"; depth:41; nocase; http.host; content:"47.122.24.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241498; rev:1;) alert tcp $HOME_NET any -> [83.69.236.143] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241499; rev:1;) alert tcp $HOME_NET any -> [34.168.39.155] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241508; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"34.168.39.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"1.117.60.33"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241505; rev:1;) alert tcp $HOME_NET any -> [94.156.69.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; 
http.host; content:"94.156.69.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.108.153.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.70.180.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"116.62.130.96"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241500; rev:1;) alert tcp $HOME_NET any -> [170.75.170.7] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"event.coachgreb.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241484; rev:1;) alert tcp $HOME_NET any -> [84.54.51.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241494; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 6666 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241495; rev:1;) alert tcp $HOME_NET any -> [93.123.39.166] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"91.92.246.192"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241497; rev:1;) alert tcp $HOME_NET any -> [193.92.234.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hathat.azureedge.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"hathat.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241491; rev:1;) alert tcp $HOME_NET any -> [94.156.71.76] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"104.21.80.122"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"www.nkbiky.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.nkbiky.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ynpuning.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"www.ynpuning.cn"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241485; rev:1;) alert tcp $HOME_NET any -> [93.123.85.113] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; 
classtype:trojan-activity; sid:91241470; rev:1;) alert tcp $HOME_NET any -> [93.123.85.127] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241471; rev:1;) alert tcp $HOME_NET any -> [93.123.85.109] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241472; rev:1;) alert tcp $HOME_NET any -> [93.123.85.136] 5555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241473; rev:1;) alert tcp $HOME_NET any -> [91.92.252.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241474; rev:1;) alert tcp $HOME_NET any -> [94.156.68.104] 55555 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241475; rev:1;) alert tcp $HOME_NET any -> [45.95.146.89] 7788 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241476; rev:1;) alert tcp $HOME_NET any -> [45.95.146.38] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241477; rev:1;) alert tcp $HOME_NET any -> [93.123.85.49] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"germanclics.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241467; rev:1;) alert tcp $HOME_NET any -> [173.44.141.244] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241468; rev:1;) alert tcp $HOME_NET any -> [194.169.175.31] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241478; rev:1;) alert tcp $HOME_NET any -> [85.239.34.84] 23 (msg:"ThreatFox Mirai 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241479; rev:1;) alert tcp $HOME_NET any -> [94.156.8.80] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stealit.onrender.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241481; rev:1;) alert tcp $HOME_NET any -> [20.127.165.86] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/f8a8b9ed.php"; depth:13; nocase; http.host; content:"f0914549.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241465; rev:1;) alert tcp $HOME_NET any -> [157.230.180.251] 43624 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241462/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241462; rev:1;) alert tcp $HOME_NET any -> [157.230.180.251] 49838 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0918974.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241464; rev:1;) alert tcp $HOME_NET any -> [91.223.3.151] 4508 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241461/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ronreznick.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1241460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externalservertrackwordpresspublicprivate.php"; depth:46; nocase; http.host; content:"969727cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241458; rev:1;) alert tcp $HOME_NET any -> [45.95.146.3] 8872 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241405/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"db2017417b23.zapto.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241406; rev:1;) alert tcp $HOME_NET any -> [185.91.127.233] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmoha66808.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241457; rev:1;) alert tcp $HOME_NET any -> [185.29.10.51] 5211 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241456; rev:1;) alert tcp $HOME_NET any -> [45.67.34.69] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241455/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241455; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rourtmanjsdadhfakja.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241454; rev:1;) alert tcp $HOME_NET any -> [178.33.57.148] 7634 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; 
sid:91241453; rev:1;) alert tcp $HOME_NET any -> [185.16.38.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241452; rev:1;) alert tcp $HOME_NET any -> [154.7.14.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241451; rev:1;) alert tcp $HOME_NET any -> [5.163.163.158] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/get_file"; depth:9; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanocore73.zapto.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/shared-services/j.js"; depth:21; nocase; http.host; content:"peeriosity.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cookies"; depth:8; nocase; http.host; content:"posiit.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/traffic"; depth:8; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/intl/en/chrome/next-steps.html"; depth:31; nocase; http.host; content:"chrome.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241422; rev:1;) alert tcp $HOME_NET any -> [41.96.168.36] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241449/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241449; rev:1;) alert tcp $HOME_NET any -> [77.72.85.124] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241402/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yzi4mgfhzji2mmm5/"; depth:18; nocase; http.host; content:"83.97.73.254"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241408; rev:1;) alert tcp $HOME_NET any -> [88.165.236.23] 64278 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241409; rev:1;) alert tcp $HOME_NET any -> [3.134.39.220] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241421; rev:1;) alert tcp $HOME_NET any -> [88.165.236.23] 54985 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; 
sid:91241423; rev:1;) alert tcp $HOME_NET any -> [95.20.241.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_file_drop"; depth:18; nocase; http.host; content:"phpsearch.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/set_v_2_new_uuid"; depth:21; nocase; http.host; content:"student-voice.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"soundsend.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"mozila.freegeneratorai.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"opera.freegeneratorai.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/01u1w1.php"; depth:11; nocase; http.host; content:"nrf2station.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w8rcye.php"; depth:11; nocase; http.host; content:"fumicenter.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241432; rev:1;) alert tcp $HOME_NET any -> [189.253.236.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241447; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui610y.php"; depth:11; nocase; http.host; content:"terravilla.fr"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jz0tno.php"; depth:11; nocase; http.host; content:"u3faktory.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o2pmcb.php"; depth:11; nocase; http.host; content:"traidinnovation.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sk5w8b.php"; depth:11; nocase; http.host; content:"401cssabatino.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wdswbw.php"; depth:11; nocase; http.host; content:"ourzanzibar-portal.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s1btpl.php"; depth:11; nocase; http.host; content:"www.alroaaacademy.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241438; rev:1;) alert tcp $HOME_NET any -> [46.246.6.4] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_21; classtype:trojan-activity; sid:91241440; rev:1;) alert tcp $HOME_NET any -> [95.20.240.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241446; rev:1;) alert tcp $HOME_NET any -> [91.35.211.80] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241445; rev:1;) alert tcp $HOME_NET any -> [20.218.68.91] 13817 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elianisgalidon3020.duckdns.org"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241399; rev:1;) alert tcp $HOME_NET any -> [5.181.202.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241400/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241400; rev:1;) alert tcp $HOME_NET any -> [213.139.205.174] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241401/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241401; rev:1;) alert tcp $HOME_NET any -> [193.168.141.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241403/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_21; classtype:trojan-activity; sid:91241403; rev:1;) alert tcp $HOME_NET any -> [5.255.117.32] 4971 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241444; rev:1;) alert tcp $HOME_NET any -> 
[158.160.97.165] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241443; rev:1;) alert tcp $HOME_NET any -> [193.149.180.213] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241442/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241442; rev:1;) alert tcp $HOME_NET any -> [185.222.58.40] 1978 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241439; rev:1;) alert tcp $HOME_NET any -> [167.235.36.34] 8056 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241430; rev:1;) alert tcp $HOME_NET any -> [147.45.47.35] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241427/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_21; classtype:trojan-activity; sid:91241427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; 
content:"147.45.47.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241416; rev:1;) alert tcp $HOME_NET any -> [3.14.182.203] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241415; rev:1;) alert tcp $HOME_NET any -> [3.13.191.225] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241414; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241413; rev:1;) alert tcp $HOME_NET any -> [3.134.125.175] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241412; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 18237 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_21; classtype:trojan-activity; sid:91241411; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/unsalted-condensed-soups/"; depth:37; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241407/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.230.51.186"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.252.118.12"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.182.86.94"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.203.164.168"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.120"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241395; rev:1;) alert tcp $HOME_NET any -> [116.203.3.120] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241391; rev:1;) alert tcp $HOME_NET any -> [193.203.164.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241392; rev:1;) alert tcp $HOME_NET any -> [5.252.118.12] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241393; rev:1;) alert tcp $HOME_NET any -> [5.182.86.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241394; rev:1;) alert tcp $HOME_NET any -> [5.75.210.22] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chrome-online.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241388; rev:1;) alert tcp $HOME_NET any -> [40.127.104.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sudarshanadisk.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241386; rev:1;) alert tcp $HOME_NET any -> [45.77.55.133] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241385/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241385; rev:1;) alert tcp $HOME_NET any -> 
[45.32.204.175] 2222 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241384/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241384; rev:1;) alert tcp $HOME_NET any -> [72.27.83.111] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241383/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241383; rev:1;) alert tcp $HOME_NET any -> [41.250.184.191] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241382; rev:1;) alert tcp $HOME_NET any -> [39.40.162.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241381; rev:1;) alert tcp $HOME_NET any -> [41.227.100.131] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241380; rev:1;) alert tcp $HOME_NET any -> [2.6.198.137] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241379/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_20; classtype:trojan-activity; sid:91241379; rev:1;) alert tcp $HOME_NET any -> [103.92.113.14] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241378; rev:1;) alert tcp $HOME_NET any -> [104.248.1.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241377; rev:1;) alert tcp $HOME_NET any -> [159.223.178.234] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241376; rev:1;) alert tcp $HOME_NET any -> [159.100.6.118] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241375; rev:1;) alert tcp $HOME_NET any -> [147.182.158.99] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241374; rev:1;) alert tcp $HOME_NET any -> [38.132.122.178] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241373; rev:1;) alert tcp $HOME_NET any -> [89.248.225.196] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5dce321003e6a6b5.php"; depth:21; nocase; http.host; content:"94.156.8.100"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241370; rev:1;) alert tcp $HOME_NET any -> [193.233.132.81] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241369/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241369; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1241368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241368; rev:1;) alert tcp $HOME_NET any -> [51.159.183.32] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241367; rev:1;) alert tcp $HOME_NET any -> [34.122.164.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241366; rev:1;) alert tcp $HOME_NET any -> [212.81.188.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241365; rev:1;) alert tcp $HOME_NET any -> [34.163.246.120] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241364; rev:1;) alert tcp $HOME_NET any -> [185.119.57.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241363; rev:1;) alert tcp $HOME_NET any -> 
[116.202.176.116] 1403 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241362; rev:1;) alert tcp $HOME_NET any -> [54.173.139.125] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241361; rev:1;) alert tcp $HOME_NET any -> [139.59.80.33] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241360; rev:1;) alert tcp $HOME_NET any -> [107.151.244.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241359; rev:1;) alert tcp $HOME_NET any -> [165.154.55.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241357; rev:1;) alert tcp $HOME_NET any -> [103.139.93.20] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webpanel.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241356; rev:1;) alert tcp $HOME_NET any -> [38.6.167.222] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241355; rev:1;) alert tcp $HOME_NET any -> [38.6.167.222] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241354; rev:1;) alert tcp $HOME_NET any -> [49.13.170.9] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241352; rev:1;) alert tcp $HOME_NET any -> [77.105.132.58] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241351; rev:1;) alert tcp $HOME_NET any -> [77.105.132.58] 80 
(msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241350; rev:1;) alert tcp $HOME_NET any -> [164.90.183.39] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241349; rev:1;) alert tcp $HOME_NET any -> [82.115.223.46] 7777 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kendraesparza.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241347; rev:1;) alert tcp $HOME_NET any -> [212.47.244.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241346; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 63696 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241345/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241345; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 9142 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241343; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 36945 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241344; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241342; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241340; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 631 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241341; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 57609 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241339; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 48087 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241338; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 17393 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241336; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27646 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241337; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241335; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 41489 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241333; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241334; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241332; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 51005 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241330; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2053 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241331; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241329; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 27049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241328; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 9653 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241326; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26238 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241327; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 2455 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241324; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241325; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 53311 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241323; rev:1;) alert tcp 
$HOME_NET any -> [102.117.113.205] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241321; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241322; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 21 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241320; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 50995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241318; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241319; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 25516 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241317; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13946 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241316; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4572 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241314; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 7077 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241315; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 36249 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241313; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8418 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241311; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 29975 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241312; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241310; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4433 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241308; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 5060 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241309; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1883 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241307; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241306/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241306; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40240 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241304; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 65245 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241305; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 26641 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241303; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 56597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241301; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 18080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241302; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40961 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241300; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 40022 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241298; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 39109 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241299; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4125 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241297; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 13999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241295; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 49502 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241296; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241294; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 636 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241292; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 4721 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241293; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 47800 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241291; rev:1;) alert tcp $HOME_NET any -> [193.181.41.109] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241289; rev:1;) alert tcp $HOME_NET any -> [102.117.113.205] 1492 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liceback.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241288; rev:1;) alert tcp $HOME_NET any -> [94.156.66.50] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241286; rev:1;) alert tcp $HOME_NET any -> [45.84.198.9] 30120 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241287; rev:1;) alert tcp $HOME_NET any -> [191.82.250.214] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241285; rev:1;) alert tcp $HOME_NET any -> [45.94.31.31] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241284; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.system-samsung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241283; rev:1;) alert tcp $HOME_NET any -> [92.63.98.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin1.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241281; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241279; rev:1;) alert tcp $HOME_NET any -> [85.239.237.148] 2006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241280; rev:1;) alert tcp $HOME_NET any -> [45.88.186.65] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241278; rev:1;) alert tcp $HOME_NET any -> [85.215.197.98] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241277; rev:1;) alert tcp $HOME_NET any -> [91.92.243.63] 5000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241276; rev:1;) alert tcp $HOME_NET any -> [103.146.179.82] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241275; rev:1;) alert tcp $HOME_NET any -> [69.172.74.108] 4443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241274/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_20; classtype:trojan-activity; sid:91241274; rev:1;) alert tcp $HOME_NET any -> [31.156.119.149] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241273; rev:1;) alert tcp $HOME_NET any -> [1.14.69.16] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241272; rev:1;) alert tcp $HOME_NET any -> [123.57.235.196] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241271; rev:1;) alert tcp $HOME_NET any -> [112.74.72.133] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241270; rev:1;) alert tcp $HOME_NET any -> [154.9.255.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241269; rev:1;) alert tcp $HOME_NET any -> [40.113.7.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241268; rev:1;) alert tcp $HOME_NET any -> [43.142.183.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241267/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241267; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 808 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241265; rev:1;) alert tcp $HOME_NET any -> [101.201.100.74] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241266; rev:1;) alert tcp $HOME_NET any -> [8.210.229.211] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241264; rev:1;) alert tcp $HOME_NET any -> [149.104.23.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241263; rev:1;) alert tcp $HOME_NET any -> [128.199.252.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241261; rev:1;) alert tcp $HOME_NET any -> [1.14.255.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241262; rev:1;) alert tcp $HOME_NET any -> [39.100.90.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241260; rev:1;) alert tcp $HOME_NET any -> [13.72.106.240] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241259; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241258; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241257; rev:1;) alert tcp $HOME_NET any -> [154.3.8.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241255; rev:1;) alert tcp $HOME_NET any -> [42.192.37.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241256; rev:1;) alert tcp $HOME_NET any -> [114.132.41.186] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241254; rev:1;) alert tcp $HOME_NET any -> [217.23.9.168] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241250; rev:1;) alert tcp $HOME_NET any -> [91.211.247.248] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241251; rev:1;) alert tcp $HOME_NET any -> [152.89.198.214] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241252; rev:1;) alert tcp $HOME_NET any -> [81.31.197.38] 53 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241253; rev:1;) alert tcp $HOME_NET any -> [77.83.242.244] 1664 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241249; rev:1;) alert tcp $HOME_NET any -> [193.233.132.81] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241248; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241247; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ga.js"; depth:6; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241241; rev:1;) alert tcp $HOME_NET any -> [80.66.89.64] 32557 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241240; rev:1;) alert tcp $HOME_NET any -> [46.246.12.11] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mangaforme.cloud"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241237/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5441a82c9941418d.php"; depth:21; nocase; http.host; content:"91.108.240.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/user"; depth:9; nocase; http.host; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; 
depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-qzxfb4ay-1318428097.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"42.193.178.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241234; rev:1;) alert tcp $HOME_NET any -> [109.248.151.96] 52048 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241233/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-mlanbdgq-1301500665.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1241227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cs52010.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241223; rev:1;) alert tcp 
$HOME_NET any -> [83.137.157.54] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241222; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241220; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241218; rev:1;) alert tcp $HOME_NET any -> [45.152.66.91] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-3rca94g4-1319979259.hk.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241217; rev:1;) alert tcp $HOME_NET any -> [81.19.138.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"81.19.138.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241214; rev:1;) alert tcp $HOME_NET any -> [91.92.242.176] 51480 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; 
classtype:trojan-activity; sid:91241213; rev:1;) alert tcp $HOME_NET any -> [103.186.117.77] 1761 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"vfxfilmschool.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241211; rev:1;) alert tcp $HOME_NET any -> [103.186.117.238] 1941 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241208; rev:1;) alert tcp $HOME_NET any -> [65.109.242.97] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.97"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.36.6"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241205; rev:1;) alert tcp $HOME_NET any -> [194.169.175.233] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241204; rev:1;) alert tcp $HOME_NET any -> [43.229.115.106] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241203/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241203; rev:1;) alert tcp $HOME_NET any -> [43.229.115.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241202/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241202; rev:1;) alert tcp $HOME_NET any -> [43.229.115.107] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241201/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241201; rev:1;) alert tcp $HOME_NET any -> [95.20.241.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241200/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241200; rev:1;) alert tcp $HOME_NET any -> [216.137.233.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241199/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241199; rev:1;) alert tcp $HOME_NET any -> [201.137.233.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241198/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241198; rev:1;) alert tcp $HOME_NET any -> [175.10.223.19] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241197/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241197; rev:1;) alert tcp $HOME_NET any -> [89.137.186.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241196/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241196; rev:1;) alert tcp $HOME_NET any -> [2.50.137.96] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241195/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241195; rev:1;) alert tcp $HOME_NET any -> [45.150.67.45] 8081 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241194/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241194; rev:1;) alert tcp $HOME_NET any -> [23.88.118.173] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241193/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241193; rev:1;) alert tcp $HOME_NET any -> [94.130.169.13] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241192/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241192; rev:1;) alert tcp $HOME_NET any -> 
[88.214.25.240] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241191/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241191; rev:1;) alert tcp $HOME_NET any -> [52.162.200.36] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241190/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241190; rev:1;) alert tcp $HOME_NET any -> [146.71.78.14] 151 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241189/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bonet.networkbn.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241188; rev:1;) alert tcp $HOME_NET any -> [103.172.79.74] 2807 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241187/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241187; rev:1;) alert tcp $HOME_NET any -> [41.216.183.27] 5034 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241186/; 
target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywiymjlizgqwy2fk/"; depth:18; nocase; http.host; content:"176.113.115.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241165; rev:1;) alert tcp $HOME_NET any -> [156.96.155.234] 56999 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241158/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241158; rev:1;) alert tcp $HOME_NET any -> [93.123.85.174] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241159/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241159; rev:1;) alert tcp $HOME_NET any -> [141.98.168.167] 9222 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241185; rev:1;) alert tcp $HOME_NET any -> [171.233.98.70] 18274 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241184/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_20; classtype:trojan-activity; sid:91241184; rev:1;) 
alert tcp $HOME_NET any -> [159.89.209.22] 2525 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241183/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241183; rev:1;) alert tcp $HOME_NET any -> [123.57.193.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241182/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241182; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241181; rev:1;) alert tcp $HOME_NET any -> [47.99.93.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241180; rev:1;) alert tcp $HOME_NET any -> [3.136.160.122] 20755 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241179; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241178/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241178; rev:1;) alert tcp $HOME_NET any -> [185.196.8.37] 10003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241177/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241177; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1895 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241176/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241176; rev:1;) alert tcp $HOME_NET any -> [187.135.83.6] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241175/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241175; rev:1;) alert tcp $HOME_NET any -> [74.248.32.95] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241174/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241174; rev:1;) alert tcp $HOME_NET any -> [193.233.132.216] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241173/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241173; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241172/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241172; rev:1;) alert tcp $HOME_NET any -> [37.27.36.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241171/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_20; classtype:trojan-activity; sid:91241171; rev:1;) alert tcp $HOME_NET any -> [185.147.34.93] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"cdn-analytic.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_20; classtype:trojan-activity; sid:91241169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdjkb2xsd/index.php"; depth:20; nocase; http.host; content:"cdn-analytic.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/129edec4272dc2c8.php"; depth:21; nocase; http.host; content:"94.156.65.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"miwekahb.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_20; classtype:trojan-activity; sid:91241166; rev:1;) alert tcp $HOME_NET any -> [172.86.69.21] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241164/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241164; rev:1;) alert tcp $HOME_NET any -> [103.77.243.159] 4042 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"91.238.181.238"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1241161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241161; rev:1;) alert tcp $HOME_NET any -> [158.101.28.51] 8778 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"followcache.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241156; rev:1;) alert tcp $HOME_NET any -> [43.229.115.110] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241155/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241155; rev:1;) alert tcp $HOME_NET any -> [94.49.14.17] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241154/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241154; rev:1;) alert tcp $HOME_NET any -> [154.246.249.128] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1241153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241153; rev:1;) alert tcp $HOME_NET any -> [78.101.24.11] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241152; rev:1;) alert tcp $HOME_NET any -> [24.88.87.29] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241151; rev:1;) alert tcp $HOME_NET any -> [5.226.137.157] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91241150; rev:1;) alert tcp $HOME_NET any -> [46.246.80.3] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"02maill.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241147; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.02maill.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241148; rev:1;) alert tcp $HOME_NET any -> [198.98.56.144] 6001 (msg:"ThreatFox MrBlack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241146/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241146; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"syn.xsvi.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241145; rev:1;) alert tcp $HOME_NET any -> [205.234.200.26] 44188 (msg:"ThreatFox ConnectBack botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241144/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241144; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241141/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241141; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241142/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241142; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 19346 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241143/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91241143; rev:1;) alert tcp $HOME_NET any -> [57.128.165.176] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241132; rev:1;) alert tcp $HOME_NET any -> [141.95.106.106] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241133; rev:1;) alert tcp $HOME_NET any -> [154.12.248.41] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241134; rev:1;) alert tcp $HOME_NET any -> [145.239.135.24] 5243 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241135; rev:1;) alert tcp $HOME_NET any -> [89.117.23.186] 5632 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241136; rev:1;) alert tcp $HOME_NET any -> [148.113.141.220] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241137; rev:1;) alert tcp $HOME_NET any -> [154.38.175.241] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241138; rev:1;) alert tcp $HOME_NET any -> [109.199.99.131] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241139; rev:1;) alert tcp $HOME_NET any -> [154.12.233.66] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241140; rev:1;) alert tcp $HOME_NET any -> [89.117.23.34] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241130; rev:1;) alert tcp $HOME_NET any 
-> [89.117.23.185] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241131; rev:1;) alert tcp $HOME_NET any -> [78.168.81.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241129; rev:1;) alert tcp $HOME_NET any -> [210.16.120.210] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241128; rev:1;) alert tcp $HOME_NET any -> [185.161.248.231] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241127; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241126; rev:1;) alert tcp $HOME_NET any -> [54.83.238.42] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241125/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241125; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4024 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241124; rev:1;) alert tcp $HOME_NET any -> [1.12.64.19] 53333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241123; rev:1;) alert tcp $HOME_NET any -> [24.212.223.72] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241122; rev:1;) alert tcp $HOME_NET any -> [139.59.57.167] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241121; rev:1;) alert tcp $HOME_NET any -> [176.98.250.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241119; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241120; rev:1;) alert tcp $HOME_NET any -> [52.18.172.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241118; rev:1;) alert tcp $HOME_NET any -> [52.29.64.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241117; rev:1;) alert tcp $HOME_NET any -> [52.29.64.25] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241116; rev:1;) alert tcp $HOME_NET any -> [172.174.252.134] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241115; rev:1;) alert tcp $HOME_NET any -> [43.139.192.157] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241113/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_19; classtype:trojan-activity; sid:91241113; rev:1;) alert tcp $HOME_NET any -> [3.110.143.241] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241114; rev:1;) alert tcp $HOME_NET any -> [51.81.237.25] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241112; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241111; rev:1;) alert tcp $HOME_NET any -> [34.247.215.92] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241110; rev:1;) alert tcp $HOME_NET any -> [167.99.92.251] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241109; rev:1;) alert tcp $HOME_NET any -> [35.91.153.140] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241108; rev:1;) alert tcp $HOME_NET any -> [172.166.231.240] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241107; rev:1;) alert tcp $HOME_NET any -> [193.106.196.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241106; rev:1;) alert tcp $HOME_NET any -> [212.44.236.195] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241105; rev:1;) alert tcp $HOME_NET any -> [44.217.121.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241104; rev:1;) alert tcp $HOME_NET any -> [143.110.153.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241103; rev:1;) alert tcp $HOME_NET any -> [115.159.198.207] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241102; rev:1;) alert tcp $HOME_NET any -> [13.245.182.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241101; rev:1;) alert tcp $HOME_NET any -> [34.206.107.177] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241100; rev:1;) alert tcp $HOME_NET any -> [18.208.197.178] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241099; rev:1;) alert tcp $HOME_NET any -> [101.52.133.2] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241098; rev:1;) alert tcp $HOME_NET any -> [137.184.239.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241097; rev:1;) alert tcp $HOME_NET any -> [82.67.20.246] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241096; rev:1;) alert tcp $HOME_NET any -> [20.47.112.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241094; rev:1;) alert tcp $HOME_NET any -> [139.199.168.248] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241095; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"analytics.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241092; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-fonts.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241093/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_19; classtype:trojan-activity; sid:91241093; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-223-204-229.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"charming-wright.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241090; rev:1;) alert tcp $HOME_NET any -> [39.106.145.100] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241088; rev:1;) alert tcp $HOME_NET any -> [43.136.242.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241087; rev:1;) alert tcp $HOME_NET any -> [172.245.131.108] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241086; rev:1;) alert tcp $HOME_NET any -> [106.14.24.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241084; rev:1;) alert tcp $HOME_NET any -> [154.92.18.140] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241085; rev:1;) alert tcp $HOME_NET any -> [180.113.169.93] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241083; rev:1;) alert tcp $HOME_NET any -> [58.59.222.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241081; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241082; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241079; rev:1;) alert tcp $HOME_NET any -> [91.92.241.253] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241080; rev:1;) alert tcp $HOME_NET any -> [92.246.137.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241078; rev:1;) alert tcp $HOME_NET any -> [94.156.8.46] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.sanctamsolutions.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241075; rev:1;) alert tcp $HOME_NET any -> 
[94.156.8.46] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241076; rev:1;) alert tcp $HOME_NET any -> [93.0.93.225] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241074; rev:1;) alert tcp $HOME_NET any -> [103.180.149.224] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241073; rev:1;) alert tcp $HOME_NET any -> [51.250.71.111] 443 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241072; rev:1;) alert tcp $HOME_NET any -> [39.134.69.79] 17080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241071; rev:1;) alert tcp $HOME_NET any -> [54.234.189.192] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241069/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-206-73-190.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"147.45.42.25.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241068; rev:1;) alert tcp $HOME_NET any -> [109.107.161.51] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241067; rev:1;) alert tcp $HOME_NET any -> [34.118.125.155] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241066; rev:1;) alert tcp $HOME_NET any -> [45.136.6.149] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241065; rev:1;) alert tcp $HOME_NET any -> [34.16.134.132] 80 
(msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241063; rev:1;) alert tcp $HOME_NET any -> [77.105.132.32] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241064; rev:1;) alert tcp $HOME_NET any -> [197.82.164.175] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-204-230-44.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241061; rev:1;) alert tcp $HOME_NET any -> [45.148.4.18] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241060; rev:1;) alert tcp $HOME_NET any -> [147.189.161.48] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241059; rev:1;) alert tcp $HOME_NET any -> [192.71.172.113] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241058; rev:1;) alert tcp $HOME_NET any -> [178.168.70.101] 443 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linki.one"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reneesellers.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtracking.suparamining.swp23.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241054; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"24-199-107-91.ipv4.staticdns3.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"109.179.76.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maribelgould.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap859144-11.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reneesellers.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241050; rev:1;) alert tcp $HOME_NET any -> [185.236.234.129] 80 
(msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241047; rev:1;) alert tcp $HOME_NET any -> [139.84.137.249] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1030125-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ciscointernship.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241044; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-233-144-170.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241045; rev:1;) alert tcp $HOME_NET any -> [45.63.120.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1241043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241043; rev:1;) alert tcp $HOME_NET any -> [146.70.79.64] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.laboratoriodiagnosticoescobar.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241041; rev:1;) alert tcp $HOME_NET any -> [141.94.221.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241040; rev:1;) alert tcp $HOME_NET any -> [213.176.29.29] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241039; rev:1;) alert tcp $HOME_NET any -> [146.190.103.72] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241038; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1502970.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1528797.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241037; rev:1;) alert tcp $HOME_NET any -> [94.156.69.145] 7000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-99-102-8.ca-central-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241035; rev:1;) alert tcp $HOME_NET any -> [50.34.48.26] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241033; rev:1;) alert tcp $HOME_NET any -> [51.103.213.60] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241032; rev:1;) alert tcp $HOME_NET any -> [192.121.102.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241031; rev:1;) alert tcp $HOME_NET any -> [190.9.208.167] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241030; rev:1;) alert tcp $HOME_NET any -> [193.233.132.190] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241029; rev:1;) alert tcp $HOME_NET any -> [193.233.132.223] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nv567.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91241027; rev:1;) alert tcp $HOME_NET any -> [94.156.67.40] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin3.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kozak.timur.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241024; rev:1;) alert tcp $HOME_NET any -> [46.149.77.191] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241022; rev:1;) alert tcp $HOME_NET any -> [37.46.132.116] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241021; rev:1;) alert tcp $HOME_NET any -> [91.92.240.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241020; rev:1;) alert tcp $HOME_NET any -> [178.62.237.92] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trainlog.de"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241018; rev:1;) alert tcp $HOME_NET any -> [38.60.216.65] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kitrknis.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1241016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241016; rev:1;) alert tcp $HOME_NET any -> [38.60.249.75] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91241015; rev:1;) alert tcp $HOME_NET any -> [46.246.4.7] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241014; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241013; rev:1;) alert tcp $HOME_NET any -> [91.92.242.57] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241012; rev:1;) alert tcp $HOME_NET any -> [206.123.135.63] 2020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241010; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241011; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1241009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241009; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241008; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241007; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241006; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241004; rev:1;) alert tcp $HOME_NET any -> [147.124.213.188] 6006 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241005; rev:1;) alert tcp $HOME_NET any -> [207.231.111.88] 6606 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241003; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241002; rev:1;) alert tcp $HOME_NET any -> [193.26.115.42] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241001; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240999; rev:1;) alert tcp $HOME_NET any -> [186.170.98.239] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1241000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91241000; rev:1;) alert tcp $HOME_NET any -> [89.117.21.203] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; 
classtype:trojan-activity; sid:91240998; rev:1;) alert tcp $HOME_NET any -> [38.242.236.116] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240996; rev:1;) alert tcp $HOME_NET any -> [34.176.21.185] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240997; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240995; rev:1;) alert tcp $HOME_NET any -> [186.112.207.226] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240994; rev:1;) alert tcp $HOME_NET any -> [207.32.217.170] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240993; rev:1;) alert tcp $HOME_NET any -> [172.94.111.213] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1240992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240992; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240990; rev:1;) alert tcp $HOME_NET any -> [88.214.59.174] 9090 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240991; rev:1;) alert tcp $HOME_NET any -> [204.12.229.169] 5600 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240989; rev:1;) alert tcp $HOME_NET any -> [123.249.35.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240988; rev:1;) alert tcp $HOME_NET any -> [43.229.115.108] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240987; rev:1;) alert tcp $HOME_NET any -> [50.78.185.152] 
443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240986; rev:1;)
#
# Review notes on the three rule shapes used in this feed (sid = "9" + ThreatFox IOC id):
#  * ip:port rules ("alert tcp $HOME_NET any -> [ip] port"): no flow or content keyword, so
#    the first packet of any flow toward that ip:port can alert (an unanswered SYN still
#    counts); "threshold: type limit, track by_src, seconds 60, count 1" caps each sid to
#    one alert per source IP per 60 s.
#  * domain rules ("alert dns ... dns_query; content; depth == name length;
#    isdataat:!1,relative; nocase"): an exact, case-insensitive match on the whole queried
#    name, not a suffix match. They fire only on queries that cross HOME_NET -> EXTERNAL_NET;
#    behind an internal recursive resolver the forwarded query is what the sensor sees and
#    target:src_ip then names the resolver, not the infected client. dns_query is the legacy
#    alias of the dns.query sticky buffer.
#  * url rules ("alert http ... GET"): http.uri is a prefix match (depth == path length, no
#    trailing isdataat, so query strings and longer paths still match); http.host is an exact
#    match (depth + isdataat:!1,relative). Only cleartext HTTP or decrypted TLS can match, so
#    an IOC that is really an https:// URL yields a rule that cannot fire on the wire.
#  * metadata confidence_level (50-100) mirrors the msg text and is the natural tuning key;
#    the 50% rules near the end of this batch are the weakest.
#
alert tcp $HOME_NET any -> [143.198.214.96] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240985; rev:1;)
alert tcp $HOME_NET any -> [34.162.114.31] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240984/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240984; rev:1;)
alert tcp $HOME_NET any -> [20.115.68.15] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240983/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240983; rev:1;)
alert tcp $HOME_NET any -> [98.71.17.145] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240982/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_19; classtype:trojan-activity; sid:91240982; rev:1;)
alert tcp $HOME_NET any -> [175.178.103.238] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240981; rev:1;)
alert tcp $HOME_NET any -> [8.219.54.123] 5060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240980; rev:1;)
alert tcp $HOME_NET any -> [8.219.54.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240979; rev:1;)
alert tcp $HOME_NET any -> [47.101.181.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240978; rev:1;)
alert tcp $HOME_NET any -> [101.201.81.175] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240977; rev:1;)
alert tcp $HOME_NET any -> [43.143.169.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240976; rev:1;)
alert tcp $HOME_NET any -> [47.115.206.4] 53080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240975; rev:1;)
alert tcp $HOME_NET any -> [150.107.201.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240974; rev:1;)
alert tcp $HOME_NET any -> [150.107.201.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240973; rev:1;)
alert tcp $HOME_NET any -> [152.136.55.237] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240972; rev:1;)
alert tcp $HOME_NET any -> [154.12.29.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240971; rev:1;)
alert tcp $HOME_NET any -> [206.237.7.51] 6000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240970; rev:1;)
alert tcp $HOME_NET any -> [47.108.145.250] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240969; rev:1;)
alert tcp $HOME_NET any -> [47.92.80.115] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240968; rev:1;)
alert tcp $HOME_NET any -> [34.168.39.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240967; rev:1;)
alert tcp $HOME_NET any -> [45.95.174.47] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240966; rev:1;)
alert tcp $HOME_NET any -> [123.60.60.29] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240965; rev:1;)
alert tcp $HOME_NET any -> [42.193.16.213] 9981 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240964; rev:1;)
alert tcp $HOME_NET any -> [5.78.103.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240963; rev:1;)
alert tcp $HOME_NET any -> [103.146.179.104] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240962; rev:1;)
alert tcp $HOME_NET any -> [93.177.75.125] 12121 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240960; rev:1;)
alert tcp $HOME_NET any -> [8.130.130.59] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240961; rev:1;)
alert tcp $HOME_NET any -> [124.221.133.199] 33891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240959; rev:1;)
alert tcp $HOME_NET any -> [109.205.61.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240958; rev:1;)
alert tcp $HOME_NET any -> [115.159.195.80] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240956; rev:1;)
alert tcp $HOME_NET any -> [152.42.134.17] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240957; rev:1;)
alert tcp $HOME_NET any -> [43.135.34.148] 17843 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240955; rev:1;)
# NOTE(review): the next four names look like hosting-provider auto-generated reverse
# hostnames (dotted/dashed octets embedded in the label). Clients normally reach such hosts
# by IP rather than by name, so these DNS rules are low-yield; 155.39.168.34.bc.googleusercontent.com
# in particular is the reversed-octet name of 34.168.39.155, already covered by sid 91240967
# above. The ip:port rules carry the detection here — confirm against the IOC pages.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blissful-jackson.216-238-76-219.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240954; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"155.39.168.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240952; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.86.70.78.5.clients.your-server.de"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240953; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-123-60-57-13.compute.hwclouds-dns.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240951; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ninhobaby.com.br"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240950; rev:1;)
# tcp/53 toward a single IP, not a DNS-protocol rule: a resolver's normal UDP queries will
# not hit it.
alert tcp $HOME_NET any -> [95.179.137.233] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240949; rev:1;)
# A path of "/" with depth:1 and no trailing isdataat is a prefix match on every normalized
# URI, so these two url rules fire on any GET to the named host (the same hosts as the Vidar
# ip:port rules that follow).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240948; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.12"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240947; rev:1;)
# NOTE(review): steamcommunity.com and t.me are legitimate services; only the path prefix
# narrows the match. Both are served over TLS in practice, so without decryption these are
# pivots for DNS / TLS-SNI hunting rather than live wire detections — confirm.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199642171824"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240946; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hypergog"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240945; rev:1;)
alert tcp $HOME_NET any -> [5.75.209.12] 9001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240943; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.198] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240944; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240935/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240935; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240940; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"jimissupercool.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240941; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"myclubpicks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240942; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240939; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240938; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"104.234.240.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240937; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"vamknigi.mcdir.me"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240936; rev:1;)
alert tcp $HOME_NET any -> [3.125.223.134] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240934; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240933; rev:1;)
alert tcp $HOME_NET any -> [3.125.209.94] 16904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240932; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.191] 1290 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240931; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lkasjdfhsdag.servebeer.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240930; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"61.170.88.228"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240929; rev:1;)
# "/ca" with depth:3 is a very short prefix (any path starting with /ca matches); the exact
# host match on a bare IP is what keeps this narrow.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240928; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240927; rev:1;)
alert tcp $HOME_NET any -> [106.54.202.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240926; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"106.54.202.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240925; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.40] 1990 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240924; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.73] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240922/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240922; rev:1;)
alert tcp $HOME_NET any -> [93.123.85.141] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240923/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240923; rev:1;)
alert tcp $HOME_NET any -> [45.128.96.16] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240921/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240921; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240920; rev:1;)
# NOTE(review): cn.bing.com is a legitimate host; this rule is narrowed only by the path
# prefix /www/handle/doc, which the next rule reuses on abillioncoin.com. Cleartext-only, as
# with every url rule here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"cn.bing.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240918; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"abillioncoin.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240917; rev:1;)
alert tcp $HOME_NET any -> [159.223.196.192] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240916; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.layer4.bf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240915; rev:1;)
# Path "/" again: any GET to these hosts alerts. sids 91240913/91240912 and 91240911/91240910
# are pairwise identical in match criteria (same host, same "/" prefix); presumably the
# http:// and https:// forms of one URL were submitted as separate IOCs. A single GET will
# raise both alerts. Left as-is because sids map 1:1 to IOC ids — dedupe downstream if the
# double alert is noisy.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240914; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240913; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.31.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240912; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240911; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240910; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.237.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240909; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"23.88.117.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240908; rev:1;)
# Vidar ip:port rules for the same hosts as the "/" url rules above; these are the ones that
# still fire when the panel is only reachable over TLS.
alert tcp $HOME_NET any -> [95.217.31.190] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240905; rev:1;)
alert tcp $HOME_NET any -> [95.217.31.190] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240906; rev:1;)
alert tcp $HOME_NET any -> [95.217.243.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240907; rev:1;)
alert tcp $HOME_NET any -> [23.88.117.132] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240901; rev:1;)
alert tcp $HOME_NET any -> [95.217.237.91] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240902; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.164] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240903; rev:1;)
alert tcp $HOME_NET any -> [65.109.241.164] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240904; rev:1;)
# confidence_level 50 from here to sid 91240891 (including the "Unknown malware" entries):
# the weakest IOCs in this batch. Consider a lower-priority action for this tier, and note
# that several sit on common service ports (80, 443, 995, 8888).
alert tcp $HOME_NET any -> [109.107.181.83] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240900; rev:1;)
alert tcp $HOME_NET any -> [104.233.187.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240899; rev:1;)
alert tcp $HOME_NET any -> [104.233.187.164] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240898; rev:1;)
alert tcp $HOME_NET any -> [104.233.244.97] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240897; rev:1;)
alert tcp $HOME_NET any -> [20.26.126.28] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240896; rev:1;)
alert tcp $HOME_NET any -> [20.117.169.244] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240895; rev:1;)
alert tcp $HOME_NET any -> [167.56.71.240] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240894; rev:1;)
alert tcp $HOME_NET any -> [79.131.125.30] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240893; rev:1;)
alert tcp $HOME_NET any -> [189.177.0.136] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240892; rev:1;)
alert tcp $HOME_NET any -> [72.27.101.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240891; rev:1;)
# Exact-name matches on Cloudflare Workers subdomains whose labels look like gov-pk mail
# hostnames (mail-ecp-gov-pk, mail-sco-gov-pk, gwadarport-gov-pk). Exact match only: other
# labels under the same worker would not trigger these sids.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elccorp-net.ntc-telecomcorporation.workers.dev"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240879; rev:1;)
alert tcp $HOME_NET any -> [147.45.47.100] 24854 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240870; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarportt.workers.dev"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240877; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gwadarport-gov-pk.gwadarportt.workers.dev"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240878; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-ecp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240880; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-gwadarport-gov-pk.ntc-telecomcorporation.workers.dev"; depth:57; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240881; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-sco-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240882; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 13627 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240847; rev:1;)
alert tcp $HOME_NET any -> [207.246.120.23] 8140 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240861; rev:1;)
# 3.125.209.94 and 18.158.249.75 also appear above on port 16904 (sids 91240932, 91240935);
# the same NjRAT hosts reported on a second port.
alert tcp $HOME_NET any -> [3.125.209.94] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240868/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240868; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_19; classtype:trojan-activity; sid:91240869; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.33] 8970 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240848; rev:1;)
alert tcp $HOME_NET any -> [87.3.215.35] 65199 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ihateciroparisi.serveminecraft.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"foodmattkent.live"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"day.50adayplan.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 50%)"; dns_query; content:"winvipbonus.life"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240860/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news.ntc-telecomcorporation.workers.dev"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240883; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 3306 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240890; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 465 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240889; rev:1;) alert tcp $HOME_NET any -> [43.198.89.50] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240888/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240888; rev:1;) alert tcp $HOME_NET any -> [74.48.56.81] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240887/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240887; rev:1;) alert tcp $HOME_NET any -> [13.113.86.16] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240886/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240886; rev:1;) alert tcp $HOME_NET any -> [194.147.140.132] 9231 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mc341/index.php"; depth:16; nocase; http.host; content:"mhlc.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240884; rev:1;) alert tcp $HOME_NET any -> [172.94.111.9] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240876; rev:1;) alert tcp $HOME_NET any -> [144.76.184.11] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_19; classtype:trojan-activity; sid:91240875; rev:1;) alert tcp $HOME_NET any -> [144.76.184.11] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240874; rev:1;) alert tcp $HOME_NET any -> [196.112.147.229] 5577 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240873; rev:1;) alert tcp $HOME_NET any -> [196.112.147.229] 5588 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240872; rev:1;) alert tcp $HOME_NET any -> [196.112.147.229] 5566 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; 
sid:91240871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916796.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240867; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240866; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 13406 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_19; classtype:trojan-activity; sid:91240865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9bc7b45d.php"; depth:13; nocase; http.host; content:"a0919334.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240864; rev:1;) alert tcp $HOME_NET any -> [116.203.63.87] 9216 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240863; 
rev:1;) alert tcp $HOME_NET any -> [46.183.220.203] 35966 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916462.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"110.41.134.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0913701.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; 
sid:91240846; rev:1;) alert tcp $HOME_NET any -> [65.21.212.74] 7800 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"88.214.27.74"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240843; rev:1;) alert tcp $HOME_NET any -> [91.92.251.16] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aquabotnet.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240839; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.zapto.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bulldognet.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240841; rev:1;) alert tcp $HOME_NET any -> [104.233.244.98] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240838; rev:1;) alert tcp $HOME_NET any -> [102.113.143.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240837; rev:1;) alert tcp $HOME_NET any -> [77.49.51.87] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240836; rev:1;) alert tcp $HOME_NET any -> [142.247.95.55] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240835; rev:1;) alert tcp $HOME_NET any -> [45.245.101.32] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240834; rev:1;) alert tcp $HOME_NET any -> [66.187.7.174] 3074 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240833; rev:1;) alert tcp $HOME_NET any -> [20.212.217.245] 10002 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"discounts-ptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240828; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rewards-ptclnetpk.viewdns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240829; rev:1;) alert tcp $HOME_NET any -> [51.159.167.215] 34241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"visualstudiomacupdate.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nanoudu30-31620.portmap.host"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240826; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 31620 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240825/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240825; rev:1;) alert tcp $HOME_NET any -> [129.159.55.240] 56636 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240816; rev:1;) alert tcp $HOME_NET any -> [149.50.209.216] 43957 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240818; rev:1;) alert tcp $HOME_NET any -> [185.196.9.72] 56537 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"plus-subcommittee.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240824/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240824; rev:1;) alert tcp $HOME_NET any -> [141.98.11.208] 16837 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240817; rev:1;) alert tcp $HOME_NET any -> [1.162.151.116] 39167 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240813; rev:1;) 
alert tcp $HOME_NET any -> [103.106.228.99] 11259 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240814; rev:1;) alert tcp $HOME_NET any -> [111.243.109.76] 41465 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weilaibot.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zunbot.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirailovers.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nw.awuam.com"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qwerty.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bots.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"feckoffbr0.sbs"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddns.awuam.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ddos.sdxpay.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240806/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ackcm.awuam.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awuam.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.awuam.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240803; rev:1;) alert tcp $HOME_NET any -> [185.196.9.72] 62452 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240820; rev:1;) alert tcp $HOME_NET any -> [199.195.249.78] 13145 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240821; rev:1;) alert tcp $HOME_NET any -> [46.3.113.170] 8778 (msg:"ThreatFox Mirai botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240822; rev:1;) alert tcp $HOME_NET any -> [93.123.85.174] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"714745cm.nyashland.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"finance-govnp.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-ntcgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mail-scogovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"mof-govnp.servehttp.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240799; rev:1;) alert tcp $HOME_NET any -> [18.134.234.207] 3306 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.serveblog.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; 
classtype:trojan-activity; sid:91240794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mostnet.servegame.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240790/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"213.109.202.222"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.127.233"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/azure/api/v2/userinfo/get"; depth:26; nocase; http.host; content:"106.12.124.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.9.255.31"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240785; rev:1;) alert tcp $HOME_NET any -> [45.86.86.60] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240784/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240784; rev:1;) alert tcp $HOME_NET any -> [91.92.240.138] 2023 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240779; rev:1;) alert tcp $HOME_NET any -> [154.82.81.136] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gv"; depth:3; nocase; http.host; content:"154.82.81.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240782; rev:1;) alert tcp $HOME_NET any -> [5.78.70.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"5.78.103.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240780; rev:1;) alert tcp $HOME_NET any -> [91.92.240.138] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240778/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.networkbotbet.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1240776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkbotbet.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"antyparkov.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"saicetyapy.space"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saicetyapy.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"antyparkov.site"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240773; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 35017 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"content-royal.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240731; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240732/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240732; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 10540 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240733/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mary-cottage.gl.at.ply.gg"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; 
sid:91240747; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_18; classtype:trojan-activity; sid:91240748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; 
content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gemcreedarticulateod.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"claimconcessionrebe.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liabilityarrangemenyit.shop"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"129.211.211.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_18; classtype:trojan-activity; sid:91240771; rev:1;) alert tcp $HOME_NET any -> [14.202.148.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240770; rev:1;) alert tcp $HOME_NET any -> [41.98.29.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240769; rev:1;) alert tcp $HOME_NET any -> [175.10.222.136] 4432 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240768; rev:1;) alert tcp $HOME_NET any -> [94.237.54.16] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240767; rev:1;) alert tcp $HOME_NET any -> [24.199.107.91] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240766; rev:1;) alert tcp $HOME_NET any -> [191.96.53.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240765; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32004 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240764; rev:1;) alert tcp $HOME_NET any -> [37.120.239.146] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240763; rev:1;) alert tcp $HOME_NET any -> [43.198.108.245] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240762; rev:1;) alert tcp $HOME_NET any -> [2.34.147.152] 9002 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_18; classtype:trojan-activity; sid:91240761; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 29182 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240760; rev:1;) alert tcp $HOME_NET any -> [49.13.194.252] 10919 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240759/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240759; rev:1;) alert tcp $HOME_NET any -> [193.233.21.140] 4001 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requesthttpupdategamebigloadasyncuploads.php"; depth:45; nocase; http.host; content:"chromestartup.top"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"parals.ac.ug"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f95721327cee196f.php"; depth:21; nocase; http.host; content:"193.163.7.160"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240746; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 10652 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240745; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240744; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 17383 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240743; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240742; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240741; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240740; rev:1;) alert tcp $HOME_NET any -> 
[18.158.249.75] 18563 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240739; rev:1;) alert tcp $HOME_NET any -> [113.141.94.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240738; rev:1;) alert tcp $HOME_NET any -> [79.130.49.211] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240737; rev:1;) alert tcp $HOME_NET any -> [51.210.244.254] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240736/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"117.252.165.6"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240735; rev:1;) alert tcp $HOME_NET any -> [193.178.172.180] 16346 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240734; rev:1;) alert tcp $HOME_NET any -> [147.45.40.62] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240727/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"software.dth.wtf"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240728; rev:1;) alert tcp $HOME_NET any -> [82.117.230.122] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240729; rev:1;) alert tcp $HOME_NET any -> [91.92.244.21] 40096 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cholin777.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; 
sid:91240712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgigante.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240713; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elgrande.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gomelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hebreo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240716; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jerusalen.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240717; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"lesbiano.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruby.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240719; rev:1;) alert tcp $HOME_NET any -> [194.110.247.222] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240725/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fucktheccp.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240720; rev:1;) alert tcp $HOME_NET any -> [43.139.177.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"1.94.110.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; 
sid:91240709; rev:1;) alert tcp $HOME_NET any -> [1.94.110.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"abundancia777.con-ip.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240681; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caramelo.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240682; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mazaltov.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240683; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"krater1.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240684; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"graciasdiosito.con-ip.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deusdsfduhfdjisjdfasaxc.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240686; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sssssssdhhdiodhuhdisdisgi.con-ip.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240687; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamin.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240688; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redentor.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240689; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salud77.con-ip.com"; depth:18; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yahweh.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anguila.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jireh.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farsante9.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matusalen77.con-ip.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240695/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240695; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anhelo.con-ip.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bendecidos.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsfkdsvnlsnvklvdsnvodv.con-ip.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"edden.con-ip.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240699; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enticonfio.con-ip.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240700; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ergdsbsicshdfsijfsiudhf.con-ip.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240701; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"galaxia.con-ip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"memorias.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nuevocomienzo777.con-ip.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240704; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ostentar.con-ip.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240705; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"persistencia.con-ip.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240706; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"salomon77.con-ip.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240707; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sion.con-ip.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.usaglobalnews.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltontechnical.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltontechnical.com"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myinternationalsolutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.myinternationalsolutions.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.topglobaltv.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.southernlandmortgage.cloud"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/processtestpublic.php"; depth:22; nocase; http.host; 
content:"514885cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240673; rev:1;)
# URL rule with a bare-IP Host: the URI prefix is matched nocase and anchored at offset 0 (depth = length),
# the Host value is matched exactly (depth + isdataat:!1,relative).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"2.57.149.104"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240646; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abc.anti-ddos.io.vn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240575; rev:1;)
# "payload delivery" ip:port rule: structurally identical to the C2 ip:port rules (no flow keyword,
# same threshold, same classtype), so the msg text is the only thing that distinguishes the threat
# type. On port 443 this fires on any TCP packet to the address, not only on a completed TLS session.
# The whole indicator is the IP, which gets reassigned over time; compare first_seen against the
# feed's last-updated date when triaging hits.
alert tcp $HOME_NET any -> [81.94.150.21] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240572; rev:1;)
alert tcp $HOME_NET any -> [103.47.195.200] 42597 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_17; classtype:trojan-activity; sid:91240574; rev:1;)
# Lowest-confidence tier in this feed (50%): same alert shape as the 100% rules, so the only way
# to de-prioritise these is the confidence_level metadata / msg text.
alert tcp $HOME_NET any -> [172.232.190.57] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240672; rev:1;) alert tcp $HOME_NET any -> [88.153.94.39] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240671; rev:1;) alert tcp $HOME_NET any -> [160.176.70.45] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240670; rev:1;) alert tcp $HOME_NET any -> [72.27.104.149] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240669; rev:1;) alert tcp $HOME_NET any -> [141.164.161.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240668; rev:1;) alert tcp $HOME_NET any -> [146.190.165.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240667; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32023 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240665; rev:1;) alert tcp $HOME_NET any -> [185.11.61.124] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240666; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32012 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240664; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32005 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240663; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32031 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; sid:91240662; rev:1;) alert tcp $HOME_NET any -> [45.61.138.43] 20000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_17; classtype:trojan-activity; 
sid:91240661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/17303af8450cc290.php"; depth:21; nocase; http.host; content:"37.28.157.3"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_17; classtype:trojan-activity; sid:91240659; rev:1;) alert tcp $HOME_NET any -> [162.244.80.14] 17124 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240658; rev:1;) alert tcp $HOME_NET any -> [43.156.108.42] 32323 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240657/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240657; rev:1;) alert tcp $HOME_NET any -> [157.245.78.225] 42718 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; 
sid:91240656; rev:1;) alert tcp $HOME_NET any -> [154.92.14.41] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240655; rev:1;) alert tcp $HOME_NET any -> [36.111.166.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240654; rev:1;) alert tcp $HOME_NET any -> [114.115.159.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240653; rev:1;) alert tcp $HOME_NET any -> [124.121.18.177] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240652/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240652; rev:1;) alert tcp $HOME_NET any -> [34.125.32.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240651; rev:1;) alert tcp $HOME_NET any -> [40.113.117.114] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240650; rev:1;) alert tcp $HOME_NET any -> [46.151.31.26] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240649/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240649; rev:1;) alert tcp $HOME_NET any -> [116.203.165.197] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240648; rev:1;) alert tcp $HOME_NET any -> [45.148.4.76] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240647/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_17; classtype:trojan-activity; sid:91240647; rev:1;) alert tcp $HOME_NET any -> [5.252.176.25] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240645; rev:1;) alert tcp $HOME_NET any -> [109.200.24.62] 443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240644/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240644; rev:1;) alert tcp $HOME_NET any -> [171.41.251.198] 25565 (msg:"ThreatFox DCRat botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240643/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240643; rev:1;) alert tcp $HOME_NET any -> [171.41.197.221] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240642/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240642; rev:1;) alert tcp $HOME_NET any -> [45.78.32.214] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240641/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240641; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240640; rev:1;) alert tcp $HOME_NET any -> [35.178.199.78] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240639/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_16; classtype:trojan-activity; sid:91240639; rev:1;) alert tcp $HOME_NET any -> [104.243.46.129] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240638; rev:1;) alert tcp $HOME_NET any -> [60.50.255.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240637/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240637; rev:1;) alert tcp $HOME_NET any -> [197.83.246.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240636/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240636; rev:1;) alert tcp $HOME_NET any -> [168.119.96.5] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240635/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240635; rev:1;) alert tcp $HOME_NET any -> [174.138.6.9] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240634/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240634; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providervmto.php"; depth:17; nocase; http.host; content:"gafisezs.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240633; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32017 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240632; rev:1;) alert tcp $HOME_NET any -> [167.71.231.122] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240631; rev:1;) alert tcp $HOME_NET any -> [35.157.195.58] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240629; rev:1;) alert tcp $HOME_NET any -> [3.85.194.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240630; rev:1;) alert tcp $HOME_NET any -> [20.117.112.154] 52525 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240628; rev:1;) alert tcp $HOME_NET any -> [18.202.134.235] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240626/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240626; rev:1;) alert tcp $HOME_NET any -> [35.208.245.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240627; rev:1;) alert tcp $HOME_NET any -> [3.120.71.192] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240625; rev:1;) alert tcp $HOME_NET any -> [34.101.86.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240624; rev:1;) alert tcp $HOME_NET any -> [34.123.222.44] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240623; rev:1;) alert tcp $HOME_NET any -> [13.127.226.130] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240622; rev:1;) alert tcp $HOME_NET any -> [135.181.20.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240621; rev:1;) alert tcp $HOME_NET any -> [146.190.9.102] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240620; rev:1;) alert tcp $HOME_NET any -> [3.250.162.249] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240619; rev:1;) alert tcp $HOME_NET any -> [44.218.45.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240618; rev:1;) alert tcp $HOME_NET any -> [18.118.138.192] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240617; rev:1;) alert tcp $HOME_NET any -> [14.225.19.116] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240616; rev:1;) alert tcp $HOME_NET any -> [47.242.21.119] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240615; rev:1;) alert tcp $HOME_NET any -> [103.47.195.200] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip136.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epsilon1337.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240612; rev:1;) alert tcp $HOME_NET any -> [185.249.227.27] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240611; rev:1;) alert tcp $HOME_NET any -> [94.156.66.77] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240610; rev:1;) alert tcp $HOME_NET any -> [159.223.52.78] 9782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240609; rev:1;) alert tcp $HOME_NET any -> [5.189.175.70] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240608; rev:1;) alert tcp $HOME_NET any -> [181.162.178.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240606; rev:1;) alert tcp $HOME_NET any -> [107.148.237.29] 8088 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240607; rev:1;) alert tcp $HOME_NET any -> [209.126.7.24] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240605; rev:1;) 
alert tcp $HOME_NET any -> [185.146.156.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240604; rev:1;) alert tcp $HOME_NET any -> [45.83.31.204] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240603; rev:1;) alert tcp $HOME_NET any -> [51.81.90.181] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240602; rev:1;) alert tcp $HOME_NET any -> [23.101.226.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240601; rev:1;) alert tcp $HOME_NET any -> [13.237.100.49] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240600; rev:1;) alert tcp $HOME_NET any -> [193.26.115.221] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240599; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240598; rev:1;) alert tcp $HOME_NET any -> [147.135.97.94] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240597; rev:1;) alert tcp $HOME_NET any -> [45.134.83.162] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240596; rev:1;) alert tcp $HOME_NET any -> [216.245.181.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240595/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240595; rev:1;) alert tcp $HOME_NET any -> [5.250.189.135] 40750 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240594/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240594; rev:1;) alert tcp $HOME_NET any -> [4.145.90.29] 443 (msg:"ThreatFox Sliver botnet C2 traffic 
(ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240593/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_16; classtype:trojan-activity; sid:91240593; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2271 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240592; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240590; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240591; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240589; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1899 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240588; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240587; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240585; rev:1;) alert tcp $HOME_NET any -> [187.135.86.23] 1656 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240586; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 5520 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240584; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 9995 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240583; rev:1;) alert tcp $HOME_NET any -> [118.193.62.169] 3026 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240582; rev:1;) alert tcp $HOME_NET any -> [167.99.112.140] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240581; rev:1;) alert tcp $HOME_NET any -> [120.27.132.223] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240580; rev:1;) alert tcp $HOME_NET any -> [120.78.83.129] 52120 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240579; rev:1;) alert tcp $HOME_NET any -> [60.204.249.34] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240578; rev:1;) alert tcp $HOME_NET any -> [185.193.126.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240577; rev:1;) alert tcp 
$HOME_NET any -> [8.222.184.154] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vre"; depth:4; nocase; http.host; content:"newyear7250.duckdns.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gka/index.php"; depth:14; nocase; http.host; content:"185.79.156.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/austino/index.php"; depth:18; nocase; http.host; content:"45.95.147.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"i42325.hostru2.fornex.org"; 
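depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240569; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"bruxara.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240570; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sm.jrworcester.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240571; rev:1;)
# NOTE(review): the dns_query match below is anchored at offset 0 (depth) and terminated
# (isdataat:!1,relative), so only a lookup for exactly this name fires; queries for
# subdomains of the IOC (e.g. a "www." prefix) are not detected by this rule.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"absolutecache.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240565; rev:1;)
# NOTE(review): this ip:port IOC carries confidence_level 25 but uses the same classtype as the
# 100% rules, so nothing in the rule itself de-prioritises it; gate on the metadata confidence_level
# downstream before blocking or escalating on it. Like the other ip:port rules it has no flow
# keyword, so it is not limited to established sessions - any outbound packet to that socket matches.
alert tcp $HOME_NET any -> [179.43.175.207] 809 (msg:"ThreatFox Cobalt Strike payload delivery (ip:port - confidence level: 25%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240394/; target:src_ip; metadata: confidence_level 25, first_seen 2024_02_16; classtype:trojan-activity; sid:91240394; rev:1;)
# Fixed (rev 2) for the next three rules: as generated they looked for the hostname at offset 0 of
# http.uri (depth == hostname length, no http.host check), which a normal "GET /path HTTP/1.1"
# request never satisfies, so the rules were effectively dead. The IOC is a bare host, so it is now
# matched in http.host, anchored and terminated exactly like the sibling url rules above.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"poseidon99.duckdns.org"; depth:22; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240562; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"trabajovalle2019.duckdns.org"; depth:28; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240563; rev:2;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.host; content:"harold.jetos.com"; depth:16; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240564; rev:2;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokuti41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240556; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiwpj11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240557; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasbrq34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 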
reference:url, threatfox.abuse.ch/ioc/1240558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xokecn54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewamcd41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nekyil22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saas01.pro"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewabpl55.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasrzh25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knudqw18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafal62.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewawtm26.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dyxlx33.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"moraku02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhas01.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haijwd23.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaunl38.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaosm65.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morfiw05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240551/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasctx32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadgz11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raspdh35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hairdx22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befrgv71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240521; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"chuawt52.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befixc63.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240523; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moryei03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240524; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"knurxh28.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewavmp35.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beflku61.top"; depth:12; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiezf32.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcgu03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewafxq25.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pacter42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewauhc58.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240532/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortiq04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaumk24.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokacv34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaymo21.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mortbo03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"befuwa51.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewayky18.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morcyr03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240504; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rasqdc22.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaisb31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240506; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lyswug41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smajug75.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smainz71.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befuak48.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befkap57.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240511; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewadmw53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fokfgl36.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morsyr05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smadyi56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morsuq02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morwiv04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"ewasic56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morekt05.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewaqfe45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morqoi02.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240493; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morhaq06.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuytee11.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240495/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240495; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lysayu42.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240496; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"marjkc03.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240497; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haiolr12.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240498; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"befzco47.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240499; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morbyn04.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240500; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"morups07.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haizul15.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cdn-uk.widgetsfordeploy.com"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1240492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240492; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lovuterry.best"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240491; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jazzcity.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240484; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"merknegrok.me"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240485; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warrioruno.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loadkanoe.casa"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"puppybloder.pw"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bloadypupper.best"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240489; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"warriordos.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240490/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240490; rev:1;) alert tcp $HOME_NET any -> [91.241.19.100] 80 (msg:"ThreatFox Ficker Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240483; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adverting-cdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"441autoparts.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240482; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xiaoyuwudi.e3.luyouxia.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.996m2m2.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240475; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"54412.e3.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240476; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad2916985983.e2.luyouxia.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free.idcfengye.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240478; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gx121.e1.luyouxia.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xc091221.e2.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240480; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"zxyhwww.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240465; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cn-he-plc-2.openfrp.top"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240466; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"66ddjkr.e3.luyouxia.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kx5555.e3.luyouxia.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240468; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"p.f2pool.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hfs666.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1240470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"latiao.ddns.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asjidoaiosdjo.e3.luyouxia.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fdsfhkjf.e3.luyouxia.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bubbebottle.xyz"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1240463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.66.36"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1240464/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.244.48.135"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"176.124.198.17"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.17.40.133"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ffud666.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1240460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.242.229.100"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240457/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_16; classtype:trojan-activity; sid:91240457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"193.163.7.111"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"80.89.239.178"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"95.216.72.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1240456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.132.229"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.64.41"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1240453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.91.123.99"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1240454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"92.246.138.149"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"104.245.33.157"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"194.120.116.120"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1240449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"138.201.196.248"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1240447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240447; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"florianhabeler.icu"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1240448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240448; rev:1;)
# NOTE(review): this run of URL rules (sid 91240448 above and the sids that follow) puts the C2
# hostname or IP literal in http.uri with depth equal to the content length, i.e. the match is
# anchored at offset 0 of the request URI and must be the bare host. An origin-form request
# ("GET / HTTP/1.1" + "Host: ...") has a URI beginning with "/", so these rules will not fire on
# ordinary client traffic; whether an absolute-form request-target (forward-proxy style) would
# be matched after libhtp URI normalisation is not established here -- verify with a pcap.
# The other URL rules in this feed pin the host with http.host; content:"..."; depth:<len>;
# isdataat:!1,relative; (e.g. sid 91240423); presumably the generator emits this shape for URL
# IOCs that have no path component -- TODO confirm against the referenced ThreatFox entries
# and do not count these sids as coverage for the listed hosts until then.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.75.177.20"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1240444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"phoenixexec.icu"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1240445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240445; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.66.57"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1240446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240446; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.87.153.135"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.91.76.36"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1240443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"109.107.181.33"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"82.115.223.88"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"80.66.85.128"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1240438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.66.58"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1240439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"janmorath.icu"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240436; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"82.115.223.87"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1240437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"149.255.35.132"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dskflherlkhopihsf.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1240435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"116.203.180.34"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.42.65.54"; depth:10; nocase; reference:url, threatfox.abuse.ch/ioc/1240432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ettoregiardina.icu"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1240433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"109.107.182.60"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"77.105.132.216"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"finnmanninger.icu"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1240428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"raphaelbischoff.icu"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1240429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.24"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"giveapp.pro"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1240426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.172.128.79"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1240424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check/safe"; depth:11; nocase; http.host; content:"app.alie3ksgaa.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"carvewomanflavourwop.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"negliganceassumeruew.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crisisestimatehealtwh.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayleafletcamerakwov.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"brickabsorptiondullyi.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"assaultseekwoodywod.pw"; depth:22; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"retainfactorypunishjkw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"communicationinchoicer.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240421; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"braidfadefriendklypk.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleetconsciousnessjuiw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oluaskaz.pw"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240396/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"contextsuffreintymore.fun"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"joystickempiricalhirpw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"makeexpectentrypon.pw"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"attachmentartikidw.fun"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"willpoweragreebokkskiew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"racerecessionrestrai.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vesselspeedcrosswakew.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goddirtybrilliancece.fun"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240404; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"consciouosoepewmausj.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beaturifuelministyuowwas.site"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240406; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conferenctdressingshrw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240407; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cooperatecliqueobstac.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tvoikcloud.pw"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240409; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gearboomchocolateowfs.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240410; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"radicalleafletmissfoxw.pw"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240411; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"evokenumberpottruckere.fun"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240412; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doonwload.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"assaultseekwoodywod.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sayleafletcamerakwov.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"crisisestimatehealtwh.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"doonwload.fun"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"radicalleafletmissfoxw.pw"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gearboomchocolateowfs.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tvoikcloud.pw"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"beaturifuelministyuowwas.site"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"consciouosoepewmausj.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"pavementpreferencewjiao.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"willpoweragreebokkskiew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"joystickempiricalhirpw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"contextsuffreintymore.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fleetconsciousnessjuiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"152.136.100.26"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"141.98.81.98"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240370; rev:1;) alert tcp $HOME_NET any -> [185.179.217.216] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240368/; target:src_ip; metadata: confidence_level 75, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240368; rev:1;) alert tcp $HOME_NET any -> [172.232.174.6] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240369/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"152.136.55.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240366; rev:1;) alert tcp $HOME_NET any -> [103.178.235.32] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240365/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiefuwuqi.20242525.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240364/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240364; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240363/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240363; rev:1;) alert tcp $HOME_NET any -> [52.91.67.138] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"52.91.67.138"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240361; rev:1;) alert tcp $HOME_NET any -> [130.185.249.90] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240360/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.182.244"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; 
classtype:trojan-activity; sid:91240359; rev:1;)
# NOTE(review): http.uri; content:"/"; depth:1 only requires the URI to start with "/", which
# every origin-form request does, so sids 91240358 and 91240357 are effectively "any GET to
# this Host:" with the host pinned exactly by http.host; depth:<len>; isdataat:!1,relative.
# The same two hosts recur below as Vidar ip:port IOCs (sids 91240354-91240356); the ip:port
# rules cover TLS on 443 where there is no parsed HTTP for these URL rules to match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.234.146"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240358; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.24.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240357; rev:1;)
# NOTE(review): the ip:port rules that follow carry no flow: keyword and no payload match, so
# they fire on any TCP segment from $HOME_NET to the listed IP:port, a single unanswered SYN
# included; threshold: type limit, track by_src, seconds 60, count 1 caps that at one alert per
# source host per minute, so a beaconing host shows up once a minute at most. Pure-address
# IOCs go stale as hosting is reassigned; first_seen is carried in metadata, so age these out
# rather than keeping them enabled indefinitely.
alert tcp $HOME_NET any -> [95.217.24.13] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240354; rev:1;)
alert tcp $HOME_NET any -> [78.46.234.146] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240355; rev:1;)
alert tcp $HOME_NET any -> [95.216.182.244] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240356; rev:1;)
alert tcp $HOME_NET any -> [1.14.206.144] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240353/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240353; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.127] 36579 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240352; rev:1;)
alert tcp $HOME_NET any -> [143.198.95.76] 42061 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240351/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240351; rev:1;)
# NOTE(review): confidence_level drops to 50 from sid 91240350 onward and the destination
# ports (80, 8888) are generic, so any legitimate service later hosted on these addresses will
# trip them. Gate on the metadata confidence_level when loading this feed (e.g. keep the 50%
# tier as alert-only in IPS mode, or route it to a lower-severity queue).
alert tcp $HOME_NET any -> [147.45.42.25] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240350; rev:1;)
alert tcp $HOME_NET any -> [122.10.49.62] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240349/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240349; rev:1;)
alert tcp $HOME_NET any -> [122.10.27.225] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240348; rev:1;) alert tcp $HOME_NET any -> [122.10.110.233] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240347; rev:1;) alert tcp $HOME_NET any -> [86.121.139.203] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240346; rev:1;) alert tcp $HOME_NET any -> [189.140.70.226] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240345; rev:1;) alert tcp $HOME_NET any -> [75.173.26.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240344; rev:1;) alert tcp $HOME_NET any -> [72.27.169.43] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240343; rev:1;) alert tcp $HOME_NET any -> [50.35.143.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port 
- confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240342; rev:1;) alert tcp $HOME_NET any -> [189.253.230.198] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240341; rev:1;) alert tcp $HOME_NET any -> [41.147.196.189] 80 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240340; rev:1;) alert tcp $HOME_NET any -> [107.189.31.164] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240339; rev:1;) alert tcp $HOME_NET any -> [173.237.206.178] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240338; rev:1;) alert tcp $HOME_NET any -> [47.232.161.146] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240337; rev:1;) 
alert tcp $HOME_NET any -> [89.147.111.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240336; rev:1;) alert tcp $HOME_NET any -> [34.141.124.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240335; rev:1;) alert tcp $HOME_NET any -> [95.217.6.101] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240334; rev:1;) alert tcp $HOME_NET any -> [20.41.216.145] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240333; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240332; rev:1;) alert tcp $HOME_NET any -> [137.184.96.202] 22 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240331/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_16; classtype:trojan-activity; sid:91240331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"basenetgear.world"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"eeatgoodx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"frenchpies.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tnoodlezy.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240307; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"31.41.244.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240319/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_16; classtype:trojan-activity; sid:91240319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"194.26.135.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240320; rev:1;) alert tcp $HOME_NET any -> [103.195.236.98] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240321/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"persikmonkiey7drone.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1240322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"persikmonkiey7drone.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240323; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240324/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240324; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240325/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240325; rev:1;) alert tcp $HOME_NET any -> [172.67.167.246] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240328/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_16; classtype:trojan-activity; sid:91240328; rev:1;) alert tcp $HOME_NET any -> [91.92.242.133] 2025 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240330; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cy58784.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919167.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; 
sid:91240327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmdlecentral.php"; depth:17; nocase; http.host; content:"386958cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_16; classtype:trojan-activity; sid:91240326; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polltrack2/traffic3/6datalife9/line0api/privatevmapi/wpwindows6/server3image/flowerwindowswindows/wordpresspublictest/mariadbasyncwordpress/1sql/phptracktesttemporary/http/8eternal0/httpapidefaultcdn.php"; depth:204; nocase; http.host; content:"159.89.17.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240318; rev:1;) alert tcp $HOME_NET any -> [91.92.250.122] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"41.216.183.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240316; rev:1;) alert tcp $HOME_NET any -> [93.177.75.98] 56816 
(msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240315; rev:1;) alert tcp $HOME_NET any -> [179.60.149.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/produce/editorial/ydpobkjg"; depth:27; nocase; http.host; content:"saturnexa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240313; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240311/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240309; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot/regex"; depth:10; nocase; http.host; content:"ww25.searchseedphase.online"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240308; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240302/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240302; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 15119 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240303/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0918108.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240301; rev:1;) alert tcp $HOME_NET any -> [86.98.19.74] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240300; rev:1;) alert tcp $HOME_NET any -> [197.204.24.19] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240299; rev:1;) alert tcp $HOME_NET any -> [31.117.25.91] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240298/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240298; rev:1;) alert tcp $HOME_NET any -> [124.149.139.54] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240297/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; 
classtype:trojan-activity; sid:91240297; rev:1;) alert tcp $HOME_NET any -> [95.7.52.25] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240296/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240296; rev:1;) alert tcp $HOME_NET any -> [70.31.125.111] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240295/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240295; rev:1;) alert tcp $HOME_NET any -> [145.82.207.217] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240294/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240294; rev:1;) alert tcp $HOME_NET any -> [128.199.116.190] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240293/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yuya0415.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/wp-content/themes/twentytwentyone/tb9ayt.php"; depth:45; nocase; http.host; content:"www.itechatglance.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/sfodyf.php"; depth:45; nocase; http.host; content:"wiseloose.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240288; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/dyyxgt.php"; depth:45; nocase; http.host; content:"www.bianca-maria-roth.de"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240289; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/elperiodico/wp-content/themes/twentytwentyfour/ahkmwa.php"; depth:58; nocase; http.host; content:"elperiodicopanama.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/themes/hub/bbpress/ny9jlw.php"; depth:41; nocase; http.host; content:"aquatest.it"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"88888cl.nyashtyan.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240292; rev:1;) alert tcp $HOME_NET any -> [95.217.244.208] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240285; rev:1;) alert tcp $HOME_NET any -> [95.217.244.208] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.244.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240283; rev:1;) alert tcp $HOME_NET any -> [46.246.86.20] 415 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wnx/fgb"; depth:8; nocase; http.host; content:"globalpanelinc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wfe/sdq"; depth:8; nocase; http.host; content:"realponti.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063900897270304770/1207265114458161172/4_npp.8.6.portable.x64.zip"; depth:79; nocase; http.host; content:"cdn.discordapp.com"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/additional_details"; depth:19; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financial_access"; depth:17; nocase; http.host; content:"miosecurezza.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/u7arje.php"; depth:42; nocase; http.host; content:"www.joannamalecka.pl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentythirteen/hcslmt.php"; depth:44; nocase; http.host; content:"mediterraneaclean.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240274/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240274; rev:1;)
# --- Review notes for the 2024-02-15 ThreatFox batch below ---
# Direction/target: every rule is $HOME_NET -> destination with target:src_ip,
# i.e. the $HOME_NET host that originated the traffic is the infected host and
# the destination is the C2 / payload server.
# ip:port rules carry no flow: and no content: keyword, so ANY TCP packet to the
# listed ip:port fires (a bare SYN from an internal scanner included); the
# threshold keyword caps this at one alert per source host per 60 s.
# url rules: http.uri + depth:N is a prefix match on the path (a query string
# after it still matches); http.host + depth:N + isdataat:!1,relative is an
# exact match on the Host header. nocase is set because the feed stores the
# URI lower-cased (note "/sendmessage" for Telegram's sendMessage further
# down). alert http only sees cleartext HTTP or traffic already decrypted in
# front of the sensor.
# domain rules: dns_query + depth:N + isdataat:!1,relative is an exact query
# name match; prefixes/subdomains (e.g. "www.") of the listed name do not match.
# metadata confidence_level mirrors ThreatFox; the 75/80/90 entries here are
# weaker than the 100s and deserve a second look before any blocking action.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/nhdxtk.php"; depth:45; nocase; http.host; content:"mesabierta.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/web/wp-content/themes/twentytwenty/ayboiw.php"; depth:46; nocase; http.host; content:"miguelkhoury.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"watermjx.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240271; rev:1;)
alert tcp $HOME_NET any -> [46.183.223.29] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240270; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.33] 6789 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240269; rev:1;)
# One path (/nme4nzy2mmizmtm2/) served from five TLD variants of mine-495834.*
# (sids 91240263-91240267); sid 91240268 is a different path on feeeleen.top.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240267/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"feeeleen.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240268/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.info"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240265/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240264/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240264; rev:1;)
alert tcp $HOME_NET any -> [193.233.255.60] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"mine-495834.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240263; rev:1;)
alert tcp $HOME_NET any -> [20.218.68.91] 9552 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240212; rev:1;)
alert tcp $HOME_NET any -> [46.246.12.14] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240211; rev:1;)
# Cobalt Strike C2 on TCP/53. This rule is TCP-only: a DNS-style beacon over
# UDP/53 to the same host is not covered by it.
alert tcp $HOME_NET any -> [207.246.74.189] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240262; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.freshstartupusa.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240261; rev:1;)
alert tcp $HOME_NET any -> [3.224.37.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240259; rev:1;)
alert tcp $HOME_NET any -> [20.235.118.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240258; rev:1;)
alert tcp $HOME_NET any -> [175.24.133.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240257; rev:1;)
alert tcp $HOME_NET any -> [54.92.160.242] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240256; rev:1;)
alert tcp $HOME_NET any -> [165.227.95.225] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240254; rev:1;)
alert tcp $HOME_NET any -> [51.81.237.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240255; rev:1;)
alert tcp $HOME_NET any -> [16.170.251.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240253; rev:1;)
alert tcp $HOME_NET any -> [13.50.203.223] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240252; rev:1;)
alert tcp $HOME_NET any -> [170.64.157.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240251; rev:1;)
alert tcp $HOME_NET any -> [139.59.19.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240250; rev:1;)
alert tcp $HOME_NET any -> [18.210.152.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240249; rev:1;)
alert tcp $HOME_NET any -> [165.227.68.176] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240248; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"play.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240247; rev:1;)
alert tcp $HOME_NET any -> [49.12.123.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240245; rev:1;)
alert tcp $HOME_NET any -> [106.15.234.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240246; rev:1;)
alert tcp $HOME_NET any -> [43.131.253.190] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240244; rev:1;)
alert tcp $HOME_NET any -> [39.109.86.101] 34013 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240243; rev:1;)
alert tcp $HOME_NET any -> [128.199.116.190] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240242; rev:1;)
alert tcp $HOME_NET any -> [74.234.3.141] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240241; rev:1;)
alert tcp $HOME_NET any -> [154.82.85.78] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"l3mon.emilemilchen.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240239; rev:1;)
alert tcp $HOME_NET any -> [115.74.30.127] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240238; rev:1;)
alert tcp $HOME_NET any -> [178.62.57.69] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240237; rev:1;)
# NOTE(review): the name below looks like a provider-assigned hostname for the
# single IP embedded in it; such names get reused when the IP is reassigned,
# so confirm against the referenced ThreatFox entry before acting on a match.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.181.200.107.91.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240236; rev:1;)
alert tcp $HOME_NET any -> [188.166.194.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240235; rev:1;)
alert tcp $HOME_NET any -> [82.146.52.203] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240234; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qq00.cc"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240232; rev:1;)
alert tcp $HOME_NET any -> [45.14.247.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240231; rev:1;)
alert tcp $HOME_NET any -> [164.92.238.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240230; rev:1;)
alert tcp $HOME_NET any -> [192.250.225.3] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240229; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.18] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240228; rev:1;)
alert tcp $HOME_NET any -> [193.26.115.221] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240227; rev:1;)
alert tcp $HOME_NET any -> [45.40.96.97] 9441 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240226; rev:1;)
alert tcp $HOME_NET any -> [45.134.83.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240224; rev:1;)
alert tcp $HOME_NET any -> [147.189.172.2] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240225; rev:1;)
alert tcp $HOME_NET any -> [132.145.209.99] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240223/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240223; rev:1;)
alert tcp $HOME_NET any -> [4.157.160.27] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240222/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_15; classtype:trojan-activity; sid:91240222; rev:1;)
# 35.208.198.77 is listed twice (443 and 80): each port is its own sid, so a
# beacon on either port alerts, but the two are thresholded independently.
alert tcp $HOME_NET any -> [35.208.198.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240221; rev:1;)
alert tcp $HOME_NET any -> [35.208.198.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240220; rev:1;)
alert tcp $HOME_NET any -> [172.233.67.44] 1433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240219; rev:1;)
alert tcp $HOME_NET any -> [104.168.173.70] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240218; rev:1;)
alert tcp $HOME_NET any -> [106.54.227.54] 6655 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240217; rev:1;)
alert tcp $HOME_NET any -> [8.148.10.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240216; rev:1;)
alert tcp $HOME_NET any -> [210.114.11.173] 806 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240215; rev:1;)
alert tcp $HOME_NET any -> [47.92.27.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240214; rev:1;)
# NOTE(review): same caveat as the your-server.de entry above - this looks like
# a cloud-provider generated name for one instance IP; re-validate before blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-124-71-158-221.compute.hwclouds-dns.com"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240213; rev:1;)
# Exfil/C2 via the Telegram Bot API: the URI embeds the actor's bot token (it
# is already public in the referenced ThreatFox entry). NOTE(review):
# api.telegram.org is normally reached over HTTPS, so expect this rule to fire
# only where the request is visible in clear (TLS-terminating proxy / decrypting
# sensor); it says nothing about the same token used over TLS.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bot5358754228:aae42hagw1bzipxu7ivrc_96iduhcwsjjvo/sendmessage"; depth:62; nocase; http.host; content:"api.telegram.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240209; rev:1;)
alert tcp $HOME_NET any -> [154.197.124.161] 1111 (msg:"ThreatFox DBatLoader botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240210; rev:1;)
# Payload host llllllllllllllllllllllllllll.site: 28 x 'l' + ".site" (depth:33).
# The same host is also the domain IOC of sid 91240204 below; three payload
# names (abotihy.exe, client.exe, build.exe) are matched as exact path prefixes.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abotihy.exe"; depth:12; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240206; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/client.exe"; depth:11; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240207; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/build.exe"; depth:10; nocase; http.host; content:"llllllllllllllllllllllllllll.site"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240208; rev:1;)
alert tcp $HOME_NET any -> [192.177.98.104] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240205/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240205; rev:1;)
# 154.197.124.161 appears twice in this batch: DBatLoader on 1111 (sid 91240210,
# confidence 100) and NjRAT on 2222 (this rule, confidence 75).
alert tcp $HOME_NET any -> [154.197.124.161] 2222 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240203/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"llllllllllllllllllllllllllll.site"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240204/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240204; rev:1;)
# Generic path (/pixel.gif): all specificity comes from the exact Host match on
# the raw IP; do not loosen the http.host check when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"42.193.16.213"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240202; rev:1;)
# Three adjacent hosts in 5.181.80.0/24, all on TCP/38241 (sids 91240198-91240200).
alert tcp $HOME_NET any -> [5.181.80.192] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240198; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.173] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240199; rev:1;)
alert tcp $HOME_NET any -> [5.181.80.175] 38241 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240200; rev:1;)
alert tcp $HOME_NET any -> [45.156.21.39] 3443 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240201; rev:1;)
alert tcp $HOME_NET any -> [194.169.175.233] 3608 (msg:"ThreatFox STRRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240197; rev:1;)
alert tcp $HOME_NET any -> [5.252.176.25] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geolongpollbaselinuxtraffictrackdatalifetemporary.php"; depth:54; nocase; http.host; content:"372451cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aaaad/httppacketcpubigloadgeneratorwordpressprivatetemporary.php"; depth:65; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240194; rev:1;)
# /login/index (sids 91240183-91240189) and /auth/login (sids 91240169-91240179)
# are generic paths; the rules are only as specific as the exact Host match on
# each raw IP. Keep the http.host condition intact when tuning or merging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"164.155.206.126"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"8.134.166.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"180.76.179.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"134.122.132.23"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"82.157.154.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login/index"; depth:12; nocase; http.host; content:"116.204.110.99"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.162.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.145"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240170; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.75.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"2.56.109.134"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240172; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.73.251"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"147.45.40.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.86.194"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.110"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"103.241.72.56"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"139.180.191.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240179; rev:1;)
# Cluster in 45.93.9.0/24 on TCP/1311: this rule, the next one, and the rule that
# continues on the following line of the file (45.93.9.108).
alert tcp $HOME_NET any -> [45.93.9.119] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240180; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.98] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240181; rev:1;)
alert tcp $HOME_NET any -> [45.93.9.108] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1240182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240182; rev:1;) alert tcp $HOME_NET any -> [87.121.112.29] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240162; rev:1;) alert tcp $HOME_NET any -> [87.121.112.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240163; rev:1;) alert tcp $HOME_NET any -> [94.131.13.80] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240164; rev:1;) alert tcp $HOME_NET any -> [20.187.91.63] 59413 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240165; rev:1;) alert tcp $HOME_NET any -> [85.204.116.230] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240166; rev:1;) alert tcp $HOME_NET 
any -> [85.204.116.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240167; rev:1;) alert tcp $HOME_NET any -> [85.204.116.128] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.121.142"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240191/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240191; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240190; rev:1;) alert tcp $HOME_NET any -> [195.133.88.98] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240155/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; classtype:trojan-activity; sid:91240155; rev:1;) alert tcp $HOME_NET any -> [91.201.67.85] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240156/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_15; classtype:trojan-activity; sid:91240156; rev:1;) alert tcp $HOME_NET any -> [161.35.88.106] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240157; rev:1;) alert tcp $HOME_NET any -> [161.35.89.255] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240158; rev:1;) alert tcp $HOME_NET any -> [161.35.90.184] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240159; rev:1;) alert tcp $HOME_NET any -> [165.22.201.172] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240160; rev:1;) alert tcp $HOME_NET any -> [24.144.81.7] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240161; rev:1;) alert tcp $HOME_NET any -> [91.92.252.34] 6667 (msg:"ThreatFox Tsunami botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240154/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_15; classtype:trojan-activity; sid:91240154; rev:1;) alert tcp $HOME_NET any -> [172.232.186.100] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240153/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240153; rev:1;) alert tcp $HOME_NET any -> [41.96.151.65] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240152/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240152; rev:1;) alert 
tcp $HOME_NET any -> [79.107.137.189] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240151/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240151; rev:1;) alert tcp $HOME_NET any -> [197.204.251.116] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240150/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240150; rev:1;) alert tcp $HOME_NET any -> [68.56.172.196] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240149/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240149; rev:1;) alert tcp $HOME_NET any -> [78.101.28.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240148/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240148; rev:1;) alert tcp $HOME_NET any -> [70.31.125.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240147/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240147; rev:1;) alert tcp $HOME_NET any -> [2.49.60.224] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240146/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240146; rev:1;) alert tcp $HOME_NET any -> [118.38.132.38] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240145/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240145; rev:1;) alert tcp $HOME_NET any -> [209.94.58.96] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240144/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240144; rev:1;) alert tcp $HOME_NET any -> [34.76.179.109] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240143/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240143; rev:1;) alert tcp $HOME_NET any -> [13.233.144.170] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240142/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240142; rev:1;) alert tcp $HOME_NET any -> [88.214.25.240] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240141/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240141; rev:1;) alert tcp $HOME_NET any -> [45.55.200.153] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1240140/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240140; rev:1;) alert tcp $HOME_NET any -> [34.138.61.159] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240139/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240139; rev:1;) alert tcp $HOME_NET any -> [157.90.120.132] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240138/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240138; rev:1;) alert tcp $HOME_NET any -> [34.82.156.114] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240137/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240137; rev:1;) alert tcp $HOME_NET any -> [185.196.9.214] 445 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240136/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_15; classtype:trojan-activity; sid:91240136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/poll8trafficcpu/gameflowerlocal/update/cpugeneratortotrack/testpipe/secure/datalifecpu/uploads5/93image0/downloadsproton6/providercpusqlflowerasynclocaluploads.php"; depth:164; nocase; http.host; 
content:"80.66.89.102"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywrmzmu3odrmy2q4/"; depth:18; nocase; http.host; content:"185.11.61.219"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mgq4mde1zdk3nzc1/"; depth:18; nocase; http.host; content:"usdtzshlavkovavolvo.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"grantallardserver.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240108/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ezrgqnaww.php"; depth:20; nocase; http.host; content:"casinovipclubs.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saturnexa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdl7ghmq"; depth:9; nocase; http.host; content:"snackfunp.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240089; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"snackfunp.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hh3w6zc6"; depth:9; nocase; http.host; 
content:"gspiceyl.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240087; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gspiceyl.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240086; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"usaglobalnews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"topglobaltv.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"startupmartec.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"domnicaa.top"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240085/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240085; rev:1;) alert tcp $HOME_NET any -> [49.13.89.187] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240134; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 1663 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_15; classtype:trojan-activity; sid:91240133; rev:1;) alert tcp $HOME_NET any -> [101.200.172.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240132/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240132; rev:1;) alert tcp $HOME_NET any -> [115.159.102.112] 8778 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240131/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240131; rev:1;) alert tcp $HOME_NET any -> [192.3.189.182] 51938 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240130/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240130; rev:1;) alert tcp $HOME_NET 
any -> [114.115.210.125] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240129/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240129; rev:1;) alert tcp $HOME_NET any -> [124.223.62.233] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240128/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240128; rev:1;) alert tcp $HOME_NET any -> [198.244.144.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240127/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240127; rev:1;) alert tcp $HOME_NET any -> [193.17.92.248] 45451 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240126; rev:1;) alert tcp $HOME_NET any -> [43.129.239.195] 61111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240125/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240125; rev:1;) alert tcp $HOME_NET any -> [47.94.120.34] 65521 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240124/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240124; rev:1;) alert tcp $HOME_NET any -> [47.93.254.171] 5470 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240123/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240123; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240122; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240121; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240120/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240120; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240119; rev:1;) alert tcp $HOME_NET any -> [154.91.83.163] 80 (msg:"ThreatFox Hook botnet C2 
traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240118; rev:1;) alert tcp $HOME_NET any -> [193.233.132.193] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240117/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240117; rev:1;) alert tcp $HOME_NET any -> [194.116.173.154] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240116/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240116; rev:1;) alert tcp $HOME_NET any -> [45.14.244.72] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240115/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240115; rev:1;) alert tcp $HOME_NET any -> [95.216.177.94] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240114/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; classtype:trojan-activity; sid:91240114; rev:1;) alert tcp $HOME_NET any -> [88.198.108.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240113/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_15; 
classtype:trojan-activity; sid:91240113; rev:1;) alert tcp $HOME_NET any -> [20.226.21.146] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240107; rev:1;) alert tcp $HOME_NET any -> [159.112.177.137] 53092 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"teamsupd.azurewebsites.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamsupd.azurewebsites.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"23.101.122.219"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240102/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_14; classtype:trojan-activity; sid:91240102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"13.82.186.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.itaberabanoticias.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"40.86.174.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www.itaberabanoticias.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"www2.itaberabanoticias.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.itaberabanoticias.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pkg/b/"; depth:7; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240096; rev:1;) alert tcp $HOME_NET any -> [138.68.40.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/accounts/v1/basic-accounts/pinned"; depth:38; nocase; http.host; content:"cb.1ancast3r.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240092; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cb.1ancast3r.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240093; rev:1;) alert tcp $HOME_NET any -> [49.13.89.187] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwork/panel/five/fre.php"; depth:25; nocase; http.host; content:"www.makeyourbrandz.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240090; rev:1;) alert tcp $HOME_NET any -> [91.92.246.233] 2897 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240081; rev:1;) alert tcp $HOME_NET any -> [175.110.115.65] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240080; rev:1;) alert tcp $HOME_NET any -> [139.198.160.133] 59900 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240079; rev:1;) alert tcp $HOME_NET any -> [31.117.122.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240078; rev:1;) alert tcp $HOME_NET any -> [45.59.118.25] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240077/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.thunderdepthsforger.top"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"canopusacrux.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"thunderdepthsforger.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"cdnstatic.thunderdepthsforger.top"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"tnoodlezy.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y562rjrt"; depth:9; nocase; http.host; content:"tnoodlezy.com"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240075; rev:1;) alert tcp $HOME_NET any -> [172.212.163.113] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240076/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91240076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240068; rev:1;) alert tcp $HOME_NET any -> [179.60.149.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alert/welcome/qj81aiz9qhk"; depth:26; nocase; http.host; content:"saturnreviews.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"saturnreviews.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240063; rev:1;) alert tcp $HOME_NET any -> [65.109.242.48] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240062; rev:1;) alert tcp $HOME_NET any -> [65.109.242.48] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240061; rev:1;) alert tcp $HOME_NET any -> [185.99.133.77] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240058/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240058; rev:1;) alert tcp $HOME_NET any -> [5.255.116.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240059/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240059; rev:1;) alert tcp $HOME_NET any -> [85.239.34.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240060/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91240060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ebnsina.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240057; rev:1;) alert tcp $HOME_NET any -> [95.179.189.177] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.artstrailman.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; 
sid:91240055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psilonapi.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kelvin/five/fre.php"; depth:20; nocase; http.host; content:"ebnsina.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1240053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240053; rev:1;) alert tcp $HOME_NET any -> [188.116.23.142] 23033 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240052; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 1050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240051/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91240051; rev:1;) alert tcp $HOME_NET any -> [86.38.225.109] 13724 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240045; 
rev:1;) alert tcp $HOME_NET any -> [172.232.189.219] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240046; rev:1;) alert tcp $HOME_NET any -> [198.44.187.12] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240047; rev:1;) alert tcp $HOME_NET any -> [45.32.21.184] 5242 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240048; rev:1;) alert tcp $HOME_NET any -> [172.232.189.10] 1194 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240049; rev:1;) alert tcp $HOME_NET any -> [172.232.162.97] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240050; rev:1;) alert tcp $HOME_NET any -> [131.153.231.178] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240042; rev:1;) alert tcp $HOME_NET any -> [95.179.135.3] 2225 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240043; rev:1;) alert tcp $HOME_NET any -> [155.138.147.62] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/"; depth:4; nocase; http.host; content:"grpt.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239949; rev:1;) alert tcp $HOME_NET any -> [190.135.174.163] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240041; rev:1;) alert tcp $HOME_NET any -> [185.83.113.126] 32009 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240040; 
rev:1;) alert tcp $HOME_NET any -> [51.15.220.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240039; rev:1;) alert tcp $HOME_NET any -> [139.59.3.90] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240038; rev:1;) alert tcp $HOME_NET any -> [185.88.196.130] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240037; rev:1;) alert tcp $HOME_NET any -> [202.83.25.9] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240036; rev:1;) alert tcp $HOME_NET any -> [1.12.221.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240035; rev:1;) alert tcp $HOME_NET any -> [198.199.121.71] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1240034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240034; rev:1;) alert tcp $HOME_NET any -> [5.9.185.124] 2083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240033; rev:1;) alert tcp $HOME_NET any -> [20.211.122.42] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240032; rev:1;) alert tcp $HOME_NET any -> [138.91.109.82] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240031; rev:1;) alert tcp $HOME_NET any -> [110.42.163.130] 36699 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240030; rev:1;) alert tcp $HOME_NET any -> [20.105.186.218] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240029; rev:1;) alert tcp $HOME_NET any -> 
[35.233.72.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240028; rev:1;) alert tcp $HOME_NET any -> [99.81.225.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240027; rev:1;) alert tcp $HOME_NET any -> [4.175.95.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240026; rev:1;) alert tcp $HOME_NET any -> [172.234.228.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240025; rev:1;) alert tcp $HOME_NET any -> [45.61.158.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240023; rev:1;) alert tcp $HOME_NET any -> [20.54.117.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1240024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"142-11-199-59.plesk.page"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240022; rev:1;) alert tcp $HOME_NET any -> [104.225.235.101] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240021; rev:1;) alert tcp $HOME_NET any -> [123.206.227.241] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240020; rev:1;) alert tcp $HOME_NET any -> [79.137.207.38] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240019; rev:1;) alert tcp $HOME_NET any -> [109.107.181.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240018; rev:1;) alert tcp $HOME_NET any -> 
[52.20.229.84] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240017; rev:1;) alert tcp $HOME_NET any -> [129.152.4.113] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240016; rev:1;) alert tcp $HOME_NET any -> [51.107.41.155] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240015; rev:1;) alert tcp $HOME_NET any -> [95.214.177.31] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240014; rev:1;) alert tcp $HOME_NET any -> [195.206.235.241] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240012; rev:1;) alert tcp $HOME_NET any -> [74.234.3.141] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240013/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240013; rev:1;) alert tcp $HOME_NET any -> [115.74.30.127] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wapt.dgcs.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imperiummalczyc.pl"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240010; rev:1;) alert tcp $HOME_NET any -> [193.233.132.214] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240008; rev:1;) alert tcp $HOME_NET any -> [167.235.136.41] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240007; rev:1;) alert tcp $HOME_NET any -> [185.209.30.141] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240006; rev:1;) alert tcp $HOME_NET any -> [64.226.76.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240005; rev:1;) alert tcp $HOME_NET any -> [45.138.16.161] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin6.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jovial-wescoff.45-138-16-161.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1240003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240003; rev:1;) alert tcp $HOME_NET any -> [69.46.36.209] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240000/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240000; rev:1;) alert tcp $HOME_NET any -> [69.46.36.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1240001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91240001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"238.200.202.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239999; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239998; rev:1;) alert tcp $HOME_NET any -> [185.81.157.103] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239997; rev:1;) alert tcp $HOME_NET any -> [192.250.225.3] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239996; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 7707 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239994; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239995; rev:1;) alert tcp $HOME_NET any -> [186.170.96.237] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239993; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239991; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239992; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239990; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239988; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239989; rev:1;) alert tcp $HOME_NET any -> [5.252.74.133] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239987; rev:1;) alert tcp $HOME_NET any -> [193.26.115.221] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239986; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239984; rev:1;) alert tcp $HOME_NET any -> [186.112.206.181] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239985; rev:1;) alert tcp $HOME_NET any -> [185.81.157.21] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239983; rev:1;) alert tcp $HOME_NET any -> [46.246.6.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239982; rev:1;) alert tcp $HOME_NET any -> [209.141.54.92] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239981/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239981; rev:1;) alert tcp $HOME_NET any -> [78.129.165.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239980/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_14; classtype:trojan-activity; sid:91239980; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239978; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2087 (msg:"ThreatFox DarkComet 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239979; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239977; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239976; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239974; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239975; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1672 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239973/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_14; classtype:trojan-activity; sid:91239973; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1666 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239972; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239970; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239971; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239969; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239968; rev:1;) alert tcp $HOME_NET any -> [187.135.85.245] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239967; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 10101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239966; rev:1;) alert tcp $HOME_NET any -> [45.134.225.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239965; rev:1;) alert tcp $HOME_NET any -> [146.70.149.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239964; rev:1;) alert tcp $HOME_NET any -> [106.75.240.189] 4090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239963; rev:1;) alert tcp $HOME_NET any -> [117.50.178.197] 33221 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239962; rev:1;) alert tcp 
$HOME_NET any -> [5.161.85.189] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239961; rev:1;) alert tcp $HOME_NET any -> [185.158.248.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eganet.linkpc.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239959; rev:1;) alert tcp $HOME_NET any -> [154.44.10.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239957; rev:1;) alert tcp $HOME_NET any -> [103.146.179.72] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239958; rev:1;) alert tcp $HOME_NET any -> [23.160.193.182] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239956; rev:1;) alert tcp $HOME_NET any -> [42.186.17.183] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.hg23jh4gk234gjhk2j3g4h2kjh3g4.xyz"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77.198.208.35.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239953; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/js/index.php"; depth:13; nocase; http.host; content:"grpt.ca"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip/build-x64.msi"; depth:38; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239945; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/documents/build-x64.zip"; depth:24; nocase; http.host; content:"95.164.63.54"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239946/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239946; rev:1;) alert tcp $HOME_NET any -> [95.164.63.54] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239947; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"103.150.10.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239943; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239941; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; 
content:"45.134.225.247"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239940; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.dadadsadaccsoong.top"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239937; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239938; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cdn.dadadsadaccsoong.top"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"20.163.176.140"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.2.n2cq4mxdz4nio9xihttp.min.js"; depth:41; nocase; http.host; content:"47.123.4.117"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239934; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 80 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239932/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239932; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 81 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239933; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 60989 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239931/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239931; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 465 (msg:"ThreatFox Remcos botnet C2 traffic 
(ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239929; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 4899 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239930/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239930; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 463 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239928; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 21 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239926/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239926; rev:1;) alert tcp $HOME_NET any -> [77.105.132.92] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239927/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qrchq.vrhoeas.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239925; rev:1;) alert tcp $HOME_NET any -> [8.222.251.253] 43001 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239924/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239924; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qrchq.vrhoeas.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239923; rev:1;) alert tcp $HOME_NET any -> [43.229.78.74] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239919; rev:1;) alert tcp $HOME_NET any -> [154.201.81.8] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239920; rev:1;) alert tcp $HOME_NET any -> [108.61.78.17] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239921; rev:1;) alert tcp $HOME_NET any -> [104.156.233.235] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0919021.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239918; rev:1;) alert tcp $HOME_NET any -> [141.98.10.72] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239916/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239915; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"139.9.41.156"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dadadsadaccsoong.top"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239911; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"dadadsadaccsoong.top"; depth:20; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"92.118.36.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogyyzmmyzmvlmgi0/"; depth:18; nocase; http.host; content:"4232fdnsjds.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239908/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_14; classtype:trojan-activity; sid:91239908; rev:1;) alert tcp $HOME_NET any -> [95.216.177.94] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239906; rev:1;) alert tcp $HOME_NET any -> [78.47.117.126] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; 
depth:1; nocase; http.host; content:"95.216.177.94"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.117.126"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239904; rev:1;) alert tcp $HOME_NET any -> [103.155.81.228] 1234 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239903/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"botnet.nguyennghi.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239902; rev:1;) alert tcp $HOME_NET any -> [93.123.85.140] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239901/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_14; classtype:trojan-activity; sid:91239901; rev:1;) alert tcp $HOME_NET any -> [91.92.251.202] 2024 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239900; rev:1;) alert tcp $HOME_NET any -> [101.34.243.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239899; rev:1;) alert tcp $HOME_NET any -> [47.236.115.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239898; rev:1;) alert tcp $HOME_NET any -> [41.96.83.214] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239897; rev:1;) alert tcp $HOME_NET any -> [72.27.170.157] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239896/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239896; rev:1;) alert tcp $HOME_NET any -> [38.142.20.186] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239895/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239895; rev:1;) alert tcp $HOME_NET any -> [158.101.163.23] 443 (msg:"ThreatFox Havoc botnet C2 
traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239894/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239894; rev:1;) alert tcp $HOME_NET any -> [45.45.219.118] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239893/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239893; rev:1;) alert tcp $HOME_NET any -> [218.28.172.11] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239892/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239892; rev:1;) alert tcp $HOME_NET any -> [69.46.36.210] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239891/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239891; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; classtype:trojan-activity; sid:91239890; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239889/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_14; 
classtype:trojan-activity; sid:91239889; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 3456 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239869; rev:1;) alert tcp $HOME_NET any -> [188.116.21.141] 20213 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bgkc244p"; depth:9; nocase; http.host; content:"frightyserver.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"winvipbonus.life"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239886/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"weapkd4.jarteaused.live"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239887; rev:1;) alert tcp $HOME_NET any -> [191.248.177.208] 15833 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"45.14.244.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linewindowstrack.php"; depth:21; nocase; http.host; content:"81.200.146.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_14; classtype:trojan-activity; sid:91239882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/proton/cdndump/0pipe4/processtemp0/generator304/requestcdn/2baseasyncauth/flower/8mariadbbetter/2wp/eternalcpubigloadtemporary.php"; depth:131; nocase; http.host; content:"45.9.73.82"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239881; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"68.183.111.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/videovmsecureupdateauthserverbasepublic.php"; depth:44; nocase; http.host; content:"209374cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239878; rev:1;) alert tcp $HOME_NET any -> [104.129.55.106] 13783 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239873/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239873; rev:1;) alert tcp $HOME_NET any -> [45.32.248.100] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239874; rev:1;) alert tcp $HOME_NET any -> [45.76.251.190] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239875; rev:1;) alert tcp $HOME_NET any -> [103.82.243.5] 13785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239876; rev:1;) alert tcp $HOME_NET any -> [104.129.55.105] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239877; rev:1;) alert tcp $HOME_NET any -> [94.103.94.25] 13581 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure/gametemporaryvoiddb7/3protonpythongame/publicprotonsecure0/updateto/7vm/update5processor3/dlewindowsrequest/low6proton/servereternal/geo/vm_updategeneratordatalife.php"; depth:175; nocase; http.host; content:"195.43.142.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239870; rev:1;) alert tcp $HOME_NET any -> [149.248.3.194] 443 (msg:"ThreatFox SystemBC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239868; rev:1;) alert tcp $HOME_NET any -> [111.67.195.90] 6000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prodomainnameeforappru.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"prodomainnameeforappru.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1239855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239855; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"plwskoret.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/live/"; depth:6; nocase; http.host; content:"miistoria.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239857; rev:1;) alert tcp $HOME_NET any -> [87.11.7.161] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239866; rev:1;) alert tcp $HOME_NET any -> [31.117.164.92] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239865; rev:1;) alert tcp $HOME_NET any -> [77.0.149.167] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239864; rev:1;) alert tcp $HOME_NET any -> [71.250.202.197] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239863; rev:1;) alert tcp $HOME_NET any -> [188.54.71.27] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239862/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239862; rev:1;) alert tcp $HOME_NET any -> [154.13.28.16] 46321 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239861/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239861; rev:1;) alert tcp $HOME_NET any -> [185.209.30.112] 9202 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rf/imagevideo_securesqlasynctrackuploads.php"; depth:45; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/chunky/"; depth:19; nocase; http.host; content:"horseridinghotel.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239858/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239858; rev:1;) alert tcp $HOME_NET any -> [95.20.241.72] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239853; rev:1;) alert tcp $HOME_NET any -> [172.205.219.119] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239852; rev:1;) alert tcp $HOME_NET any -> [5.249.160.250] 80 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239851; rev:1;) alert tcp $HOME_NET any -> [119.91.248.126] 8421 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239850; rev:1;) alert tcp $HOME_NET any -> [44.213.214.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239849/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239849; rev:1;) alert tcp $HOME_NET any -> [64.176.169.200] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239848; rev:1;) alert tcp $HOME_NET any -> [52.188.58.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239847; rev:1;) alert tcp $HOME_NET any -> [176.53.182.97] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239846; rev:1;) alert tcp $HOME_NET any -> [34.121.174.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239845; rev:1;) alert tcp $HOME_NET any -> [185.199.52.140] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239844; rev:1;) alert tcp $HOME_NET any -> [3.12.9.12] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239843; rev:1;) alert tcp $HOME_NET any -> [87.106.121.244] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239842; rev:1;) alert tcp $HOME_NET any -> [147.45.106.5] 1234 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239841; rev:1;) alert tcp $HOME_NET any -> [64.225.28.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cranky-easley.142-11-199-59.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239839; rev:1;) alert tcp $HOME_NET any -> [137.184.234.102] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239838/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239838; rev:1;) alert tcp $HOME_NET any -> [24.199.69.112] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"static.156.235.21.65.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.miner.bitron-mining.online"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"miner.bitron-mining.online"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239835; rev:1;) alert tcp $HOME_NET any -> [188.116.24.193] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239833; rev:1;) 
alert tcp $HOME_NET any -> [188.116.24.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239832; rev:1;) alert tcp $HOME_NET any -> [147.45.45.0] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239831; rev:1;) alert tcp $HOME_NET any -> [34.116.204.231] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239830; rev:1;) alert tcp $HOME_NET any -> [77.105.132.7] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239829; rev:1;) alert tcp $HOME_NET any -> [85.202.160.45] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239828; rev:1;) alert tcp $HOME_NET any -> [3.68.135.109] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239827/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.glptestasets.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap477067-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"161-35-239-147.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glptestasets.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239824; rev:1;) alert tcp $HOME_NET any -> [94.156.65.16] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239822; rev:1;) alert 
tcp $HOME_NET any -> [51.159.175.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239820; rev:1;) alert tcp $HOME_NET any -> [185.236.234.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239821; rev:1;) alert tcp $HOME_NET any -> [27.124.46.142] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239819; rev:1;) alert tcp $HOME_NET any -> [88.184.9.216] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239818; rev:1;) alert tcp $HOME_NET any -> [27.124.46.236] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239816; rev:1;) alert tcp $HOME_NET any -> [27.124.46.227] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239817/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239817; rev:1;) alert tcp $HOME_NET any -> [181.161.13.84] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239815; rev:1;) alert tcp $HOME_NET any -> [172.207.72.220] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239814; rev:1;) alert tcp $HOME_NET any -> [46.246.12.14] 1994 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239751/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239751; rev:1;) alert tcp $HOME_NET any -> [194.147.140.176] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"funny-kirch.62-210-130-233.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239812; rev:1;) alert tcp $HOME_NET any -> [146.190.36.87] 80 (msg:"ThreatFox Hook 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239811; rev:1;) alert tcp $HOME_NET any -> [185.216.70.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-burnell.62-210-130-233.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239810; rev:1;) alert tcp $HOME_NET any -> [185.216.70.198] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239808; rev:1;) alert tcp $HOME_NET any -> [176.123.168.157] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239807; rev:1;) alert tcp $HOME_NET any -> [69.46.36.218] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239806/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"townsfolkhiwoeko.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239804; rev:1;) alert tcp $HOME_NET any -> [69.46.36.218] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239805; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"hunterstrawmersp.homes"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mercyaloofprincipleo.pics"; depth:25; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239802; rev:1;) alert tcp $HOME_NET any -> [69.46.36.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gymlog.de"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"lawwormroleveinn.mom"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"developmentalveiop.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239795; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"baketransparentadw.pics"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brakesummitfiightre.pics"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239791; rev:1;) alert tcp $HOME_NET any -> [69.46.36.219] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"legislationdictater.mom"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239793; rev:1;) alert tcp $HOME_NET any -> [134.255.233.199] 63443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239794; rev:1;) alert tcp $HOME_NET any -> [69.46.36.217] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"bleednumberrottern.homes"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239790; rev:1;) alert tcp $HOME_NET any -> [69.46.36.216] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239788; rev:1;) alert tcp $HOME_NET any -> [69.46.36.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239787; rev:1;) alert tcp $HOME_NET any -> [69.46.36.209] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239786; rev:1;) alert tcp $HOME_NET any -> [69.46.36.215] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239785; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 1111 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239784; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239783; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239782; rev:1;) alert tcp $HOME_NET any -> [178.73.218.5] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239781; rev:1;) alert tcp $HOME_NET any -> 
[192.250.225.3] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239779; rev:1;) alert tcp $HOME_NET any -> [186.170.96.237] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239780; rev:1;) alert tcp $HOME_NET any -> [51.89.199.122] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239778; rev:1;) alert tcp $HOME_NET any -> [103.66.59.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239777; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239776; rev:1;) alert tcp $HOME_NET any -> [119.91.200.209] 24443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239775/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239775; rev:1;) alert tcp $HOME_NET any -> [68.183.111.170] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239773; rev:1;) alert tcp $HOME_NET any -> [139.9.62.69] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239774; rev:1;) alert tcp $HOME_NET any -> [43.251.159.58] 8637 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239772; rev:1;) alert tcp $HOME_NET any -> [110.40.168.108] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239771; rev:1;) alert tcp $HOME_NET any -> [139.9.41.156] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239770; rev:1;) alert tcp $HOME_NET any -> [39.104.230.184] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239768; rev:1;) alert tcp $HOME_NET any -> [167.235.58.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239769; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239767; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239766; rev:1;) alert tcp $HOME_NET any -> [185.233.203.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239765; rev:1;) alert tcp $HOME_NET any -> [185.165.169.113] 34443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239763/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_13; classtype:trojan-activity; sid:91239763; rev:1;) alert tcp $HOME_NET any -> [84.46.79.30] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239764; rev:1;) alert tcp $HOME_NET any -> [42.193.10.78] 48086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239762; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-214-29-253.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/refqdk/"; depth:8; nocase; http.host; content:"qxjjj.j7ute.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239759; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rdsrmpgsqf/"; depth:12; nocase; http.host; content:"is5jg.3zweuj.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"is5jg.3zweuj.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qxjjj.j7ute.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239757; rev:1;) alert tcp $HOME_NET any -> [8.222.251.253] 32091 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239754; rev:1;) alert tcp $HOME_NET any -> [8.219.196.124] 18038 (msg:"ThreatFox Triada botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239755/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239755; rev:1;) alert tcp $HOME_NET any -> [45.140.147.91] 4001 (msg:"ThreatFox SystemBC botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239753; rev:1;) alert tcp $HOME_NET any -> [181.71.216.30] 4040 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239752; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239750/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239750; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239749/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239749; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 465 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239748; rev:1;) alert tcp $HOME_NET any -> [77.105.132.94] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; 
classtype:trojan-activity; sid:91239747; rev:1;)
# --- Reviewer notes on this auto-generated ThreatFox block ---
# * sid = 90000000 + ThreatFox IOC id (e.g. sid 91239745 <-> ioc/1239745/), so
#   an alert maps back to its IOC without parsing the reference URL.
# * "ip:port" rules (alert tcp ... -> [addr] port) carry no flow: keyword and
#   no content match: any TCP segment from $HOME_NET to that address:port,
#   including a lone unanswered SYN, alerts, rate-limited by threshold:type
#   limit to one alert per source per 60 s. They evidence a contact attempt,
#   not an established session or a payload.
# * "domain" rules match the DNS query name exactly (depth equals the name
#   length and isdataat:!1,relative forbids trailing bytes), so other labels
#   under the listed name do not match. With the usual $EXTERNAL_NET =
#   !$HOME_NET only a query that leaves $HOME_NET is seen; behind an internal
#   recursive resolver that is the resolver's upstream query, so the alert and
#   target:src_ip point at the resolver rather than the infected client.
# * "url" rules anchor http.uri at offset 0 but do not close its tail, so any
#   URI that merely starts with the listed path matches, while the http.host
#   match is exact. A path of "/" with depth:1 therefore matches every
#   request and the rule degrades to a host-only match. The url rules have no
#   threshold, so every matching request alerts. confidence_level is repeated
#   in metadata for downstream filtering.
# Exact-name DNS match for www.qichen.fun; the companion url rule
# (sid 91239744) only fires on cleartext HTTP or TLS decrypted ahead of the sensor.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.qichen.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239745; rev:1;)
alert tcp $HOME_NET any -> [125.70.238.9] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239746; rev:1;)
# Tracking-pixel-style paths (/dot.gif, /pixel.gif, /__utm.gif) are common on
# their own; the exact Host match is what keeps these rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"www.qichen.fun"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239744; rev:1;)
alert tcp $HOME_NET any -> [42.3.121.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239743; rev:1;)
# /auth/login is a generic path; the literal-IP Host keeps this specific.
# sid 91239739 covers the same host on 15666/TCP.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.35"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239738; rev:1;)
alert tcp $HOME_NET any -> [79.137.207.35] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"39.104.230.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239741; rev:1;)
# Free-hosting subdomain (000webhostapp.com): act on the full host only,
# never on the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/adcac1e6.php"; depth:13; nocase; http.host; content:"vilon.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239740; rev:1;)
# 53/TCP to a fixed address tagged as a Cobalt Strike listener. The rule is
# TCP-only, so UDP/53 to the same host is not covered.
alert tcp $HOME_NET any -> [154.12.84.6] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239737; rev:1;)
# Dynamic-DNS host (bounceme.net): the name, not its current IP, is the
# durable indicator.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigballz.bounceme.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239732; rev:1;)
alert tcp $HOME_NET any -> [204.76.203.129] 7645 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239731; rev:1;)
# uri "/" with depth:1 matches every request: these two are host-only matches
# that duplicate sids 91239728 / 91239727 (same hosts, 3000 and 443/TCP) at
# the HTTP layer. Each request alerts here, on top of the once-a-minute
# ip:port alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"138.201.119.252"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239730; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.27.143"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239729; rev:1;)
alert tcp $HOME_NET any -> [95.217.27.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239727; rev:1;)
alert tcp $HOME_NET any -> [138.201.119.252] 3000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239728; rev:1;)
# One path across several TLD variants of hk-49847 at 80 % confidence; the
# confidence is carried in metadata so these can be gated downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239673; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239674; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239675; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionksla.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239676; rev:1;)
# A family of asamanaproductionedition<xxxx>.{com,net} hosts sharing one
# 18-byte path, each at 80 % confidence. The path match is prefix-only
# (no isdataat on http.uri); the Host match is exact, so a new host in the
# same family needs its own rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionalsk.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239677; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionpskl.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionctfm.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239679; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontsma.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239680; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditiontols.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239681; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"asamanaproductioneditionkdna.net"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239682; rev:1;)
# ip:port rule: no flow: keyword and no content, so a single outbound SYN from
# $HOME_NET alerts (one per source per 60 s via threshold:type limit).
alert tcp $HOME_NET any -> [103.28.32.56] 2023 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239685/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239685; rev:1;)
# Dynamic-DNS name (servehttp.com); exact query-name match, so sub-labels of
# it would not hit. Direction $HOME_NET -> $EXTERNAL_NET means an internal
# recursive resolver, not the client, is what gets tagged by target:src_ip.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"net-killer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239686/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_13; classtype:trojan-activity; sid:91239686; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nme4nzy2mmizmtm2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239672/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239672; rev:1;)
# RedLine panel paths carry a 40-byte token that is presumably per-build;
# other builds on the same host are only caught by the ip:port rule
# (sid 91239656, 80/TCP) below.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239655; rev:1;)
alert tcp $HOME_NET any -> [213.248.43.58] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239656; rev:1;)
# Payload delivery pair: the lure domain and a GitHub file-attachment URL.
# github.com is matched exactly and the full asset path is required, so the
# rule is narrow, but GitHub normally serves over TLS only: this http rule
# fires solely where TLS is decrypted ahead of the sensor. Do not widen it to
# a host-level match on github.com.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.live"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/microsoft/vcpkg/files/14125503/cheat.lab.2.7.2.zip"; depth:51; nocase; http.host; content:"github.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239668; rev:1;)
# confidence_level 50 single-host IOCs on 33452/4433/443: SYN-level matches
# with no payload confirmation. Environments that do not action confidence
# below 75 should gate on the metadata rather than drop the rules.
alert tcp $HOME_NET any -> [216.118.230.115] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239726/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239726; rev:1;)
alert tcp $HOME_NET any -> [181.141.40.47] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239725/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239725; rev:1;)
alert tcp $HOME_NET any -> [41.99.82.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239724/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239724; rev:1;)
alert tcp $HOME_NET any -> [95.20.17.129] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239723/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239723; rev:1;)
# QakBot ip:port IOCs at 50 % confidence on 443 and 2222/TCP. No flow: keyword
# and no content: the outbound SYN alone alerts, limited to one alert per
# source per 60 s by threshold:type limit.
alert tcp $HOME_NET any -> [105.102.99.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239722/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239722; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.60] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239721/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239721; rev:1;)
alert tcp $HOME_NET any -> [92.97.115.164] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239720; rev:1;)
alert tcp $HOME_NET any -> [138.197.56.161] 9001 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239719; rev:1;)
# Outbound 445/TCP from $HOME_NET to an Internet address should already be
# blocked at the egress; when it is, only the SYN reaches the sensor, which
# still satisfies this rule. A hit here is worth triage regardless of the
# 50 % confidence on the Responder attribution.
alert tcp $HOME_NET any -> [203.41.157.230] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239718; rev:1;)
alert tcp $HOME_NET any -> [159.253.120.2] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239717; rev:1;)
alert tcp $HOME_NET any -> [192.109.241.139] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239716; rev:1;)
alert tcp $HOME_NET any -> [23.229.31.21] 39561 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239715; rev:1;)
# 53/TCP to a fixed address; the rule is TCP-only, so UDP/53 to the same host
# is not covered.
alert tcp $HOME_NET any -> [37.128.207.56] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239714; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 6534 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239713; rev:1;)
# PHP gate paths on literal-IP hosts. http.uri is anchored at offset 0 but
# open-ended, so "/vmmultiwordpress.php?..." also matches; the Host match is
# exact and carries the specificity.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmmultiwordpress.php"; depth:21; nocase; http.host; content:"91.107.121.93"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239712; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/021322b478b21e87.php"; depth:21; nocase; http.host; content:"77.105.132.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_13; classtype:trojan-activity; sid:91239711; rev:1;)
# Cobalt Strike ip:port IOCs at 80 % confidence. Several sit on 50050/TCP,
# conventionally the team-server's operator port rather than a beacon
# listener, so a hit from $HOME_NET on those is more likely an operator
# console or a scanner than an implant; triage accordingly.
alert tcp $HOME_NET any -> [45.227.255.164] 58888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239710; rev:1;)
alert tcp $HOME_NET any -> [101.132.192.106] 60010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239709; rev:1;)
alert tcp $HOME_NET any -> [43.138.128.109] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239708; rev:1;)
alert tcp $HOME_NET any -> [42.194.210.177] 50040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239707; rev:1;)
alert tcp $HOME_NET any -> [47.113.147.154] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239706/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239706; rev:1;)
alert tcp $HOME_NET any -> [139.224.194.38] 50005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239705; rev:1;)
alert tcp $HOME_NET any -> [140.143.142.107] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239704; rev:1;)
alert tcp $HOME_NET any -> [121.37.11.148] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239703; rev:1;)
alert tcp $HOME_NET any -> [122.51.243.31] 50266 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239702; rev:1;)
alert tcp $HOME_NET any -> [110.41.4.168] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239701/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239701; rev:1;)
alert tcp $HOME_NET any -> [62.234.46.238] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239700; rev:1;)
alert tcp $HOME_NET any -> [91.103.253.227] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239699; rev:1;)
alert tcp $HOME_NET any -> [107.189.14.144] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239698; rev:1;)
# Five rules for one DarkComet host (187.135.95.35) on ports 1981, 2045,
# 1801, 2096 and 2095. threshold state is per rule, so a client that cycles
# through the ports can raise up to five alerts a minute for the same
# destination; correlate on dest IP downstream. None of these rules needs
# an established flow: the outbound SYN is enough.
alert tcp $HOME_NET any -> [187.135.95.35] 1981 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239697; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2045 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239696; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239695/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239695; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239694; rev:1;)
alert tcp $HOME_NET any -> [187.135.95.35] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239693; rev:1;)
alert tcp $HOME_NET any -> [20.7.67.78] 443 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239692; rev:1;)
# 80/TCP C2 listeners (Hook, RecordBreaker, Vidar, Meduza): these ip:port rules
# fire on the SYN before any HTTP is parsed, so they catch contacts that a
# path-specific url rule would miss, at the cost of no payload confirmation.
alert tcp $HOME_NET any -> [185.216.70.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239691; rev:1;)
alert tcp $HOME_NET any -> [194.116.173.129] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239690/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239690; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.229] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239689; rev:1;)
alert tcp $HOME_NET any -> [116.202.0.229] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_13; classtype:trojan-activity; sid:91239688; rev:1;)
alert tcp $HOME_NET any -> [147.45.75.185] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_13; classtype:trojan-activity; sid:91239687; rev:1;)
# Path mimics a Google static-asset URL; the literal-IP Host (exact match) is
# the only thing separating this from legitimate traffic. Never relax the
# host clause of this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"134.122.52.228"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239684; rev:1;)
# 4-byte prefix match: "/ptj", "/ptj?..." and "/ptjanything" all hit; the IP
# Host keeps it specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239683; rev:1;)
# Dynamic-DNS name (duckdns.org) for the XWorm C2 below (sid 91239670): the
# name is the durable indicator, the IP may rotate. Exact query-name match;
# only queries leaving $HOME_NET are seen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"janxworm9090.duckdns.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239671; rev:1;)
alert tcp $HOME_NET any -> [194.147.140.138] 9090 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239670; rev:1;)
# confidence_level 50 IOCs; gate on the metadata downstream rather than
# removing the rules.
alert tcp $HOME_NET any -> [46.246.82.7] 6000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239666; rev:1;)
alert tcp $HOME_NET any -> [187.170.239.221] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239665; rev:1;)
alert tcp $HOME_NET any -> [41.96.177.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239664; rev:1;)
alert tcp $HOME_NET any -> [121.121.101.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239663/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239663; rev:1;)
# confidence_level 50 ip:port IOCs (QakBot, Sliver). No flow: keyword and no
# content: a single outbound SYN alerts, one per source per 60 s. Gate on the
# metadata downstream if confidence below 75 is not actioned.
alert tcp $HOME_NET any -> [41.136.51.241] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239662; rev:1;)
alert tcp $HOME_NET any -> [197.14.148.208] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239661/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239661; rev:1;)
alert tcp $HOME_NET any -> [70.31.125.60] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239660/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239660; rev:1;)
alert tcp $HOME_NET any -> [170.187.207.78] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239659/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239659; rev:1;)
alert tcp $HOME_NET any -> [170.187.207.78] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239658/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239658; rev:1;)
# 3306/TCP (the MySQL default port) on a RedLine host; the SYN alone alerts,
# so any $HOME_NET client configured to reach this address as a database
# will trip it once a minute.
alert tcp $HOME_NET any -> [5.75.211.197] 3306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239657; rev:1;)
# NjRAT host 5.39.43.50 appears on 1610 here and 1609 below (sid 91239639);
# threshold state is per rule, so both can alert for the same client.
alert tcp $HOME_NET any -> [5.39.43.50] 1610 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239652/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239652; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.226] 3787 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239653; rev:1;)
alert tcp $HOME_NET any -> [45.155.91.135] 21425 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239651/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239651; rev:1;)
# uri "/" with depth:1 matches every request path: these Vidar url rules are
# host-only matches that duplicate the ip:port rules for the same addresses
# (sids 91239641-91239644) at the HTTP layer. They have no threshold, so
# every request alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.6.77"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239650; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.165.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239649; rev:1;)
# Dead-drop-resolver style indicators: public profile pages on t.me and
# steamcommunity.com, presumably publishing the live C2 address. Both
# services normally serve TLS only, so these http rules fire only where TLS
# is decrypted ahead of the sensor. Do NOT turn them into host- or DNS-level
# matches on t.me / steamcommunity.com; keep the exact path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/karl3on"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239648; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.101.193"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239647; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239646; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199637071579"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239645; rev:1;)
alert tcp $HOME_NET any -> [65.109.242.25] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239641; rev:1;)
alert tcp $HOME_NET any -> [159.69.101.193] 5432 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239642; rev:1;)
alert tcp $HOME_NET any -> [116.203.6.77] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239643; rev:1;)
alert tcp $HOME_NET any -> [116.203.165.197] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239644; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.9] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239640/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239640; rev:1;)
alert tcp $HOME_NET any -> [5.39.43.50] 1609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239639/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239639; rev:1;)
alert tcp $HOME_NET any -> [194.38.20.230] 6666 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239638; rev:1;)
# Payload delivery pair for a modded-WhatsApp APK: exact DNS query-name match
# on the host, plus the GET for the .apk. The url rule needs cleartext HTTP
# (or TLS decrypted ahead of the sensor); the DNS rule sees the lookup
# regardless, but only once it leaves $HOME_NET.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"file.fmwhat.download"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmwhatsapp_v9.98.apk"; depth:21; nocase; http.host; content:"file.fmwhat.download"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239636; rev:1;)
alert tcp $HOME_NET any -> [95.20.241.182] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239634; rev:1;)
alert tcp $HOME_NET any -> [46.232.249.112] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239633; 
rev:1;) alert tcp $HOME_NET any -> [135.148.115.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239632; rev:1;) alert tcp $HOME_NET any -> [128.199.65.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239631; rev:1;) alert tcp $HOME_NET any -> [116.118.49.164] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239630; rev:1;) alert tcp $HOME_NET any -> [45.153.229.71] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239629; rev:1;) alert tcp $HOME_NET any -> [34.116.253.50] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239628; rev:1;) alert tcp $HOME_NET any -> [5.206.224.7] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23-26-55-9.cprapid.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239626; rev:1;) alert tcp $HOME_NET any -> [185.16.39.253] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239625; rev:1;) alert tcp $HOME_NET any -> [177.138.248.251] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239624; rev:1;) alert tcp $HOME_NET any -> [204.44.124.8] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239623; rev:1;) alert tcp $HOME_NET any -> [62.210.130.233] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239622; rev:1;) alert tcp $HOME_NET any -> [69.46.36.208] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239621; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239620; rev:1;) alert tcp $HOME_NET any -> [45.88.186.16] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239619; rev:1;) alert tcp $HOME_NET any -> [185.196.9.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239618; rev:1;) alert tcp $HOME_NET any -> [139.9.62.69] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239617; rev:1;) alert tcp $HOME_NET any -> [37.32.13.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239616/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239616; rev:1;) alert tcp $HOME_NET any -> [148.72.132.181] 43255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239615; rev:1;) alert tcp $HOME_NET any -> [185.229.225.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239614; rev:1;) alert tcp $HOME_NET any -> [54.169.210.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239613; rev:1;) alert tcp $HOME_NET any -> [143.110.176.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.127.103.78.5.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"199.60.149.34.bc.googleusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/500ae1b3.php"; depth:13; nocase; http.host; content:"lilbabyfan.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zmd/0.015044926305028627.dat"; depth:29; nocase; http.host; content:"musicclubcompany.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cvv/0.7619553765651503.dat"; depth:27; nocase; http.host; content:"finderunion.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0bvkz/0.16410464051883017.dat"; depth:30; nocase; 
http.host; content:"berringtonnews.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239606; rev:1;) alert tcp $HOME_NET any -> [86.38.225.108] 2226 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239603; rev:1;) alert tcp $HOME_NET any -> [86.38.225.106] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239604; rev:1;) alert tcp $HOME_NET any -> [86.38.225.105] 13721 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239602; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.185.133"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"185.216.70.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239599; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"13.36.225.33"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239597; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"175.24.130.231"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239596; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239595; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239594; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239592; rev:1;) alert tcp $HOME_NET any -> 
[18.158.58.205] 19920 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239591; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haha.skyljne.click"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239590; rev:1;) alert tcp $HOME_NET any -> [103.174.73.85] 19990 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239589/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239589; rev:1;) alert tcp $HOME_NET any -> [146.190.244.20] 9932 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239588/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239588; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; 
depth:45; nocase; http.host; content:"108.165.106.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239586; rev:1;) alert tcp $HOME_NET any -> [159.100.30.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css"; depth:4; nocase; http.host; content:"sbdatabase.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239584; rev:1;) alert tcp $HOME_NET any -> [95.217.209.180] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239582; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"49.12.118.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239578; rev:1;) alert tcp $HOME_NET any -> [78.47.174.101] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239579; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239580; rev:1;) alert tcp $HOME_NET any -> [49.12.101.249] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.174.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.191.114"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1239576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.209.180"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.101.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pipetopythonjsrequesthttpwordpress.php"; depth:39; nocase; http.host; content:"bobrcurw.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239572; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0914338.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mb-testing.azureedge.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239565; rev:1;) alert tcp $HOME_NET any -> [216.118.230.114] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239570; rev:1;) alert tcp $HOME_NET any -> [216.118.230.116] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239569; rev:1;) alert tcp $HOME_NET any -> [79.107.157.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239568; rev:1;) alert tcp $HOME_NET any -> [5.194.147.107] 2222 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239567; rev:1;)
# NOTE(review): the ip:port rules in this section carry no flow: keyword, so they match
# the first packet toward the listed host:port, including an unanswered SYN. That is
# what you want for catching a beacon attempt to a C2 that is already down; the
# in-rule threshold (type limit, track by_src, seconds 60, count 1) caps it at one
# alert per source per minute. They are tcp-only: C2 that speaks UDP on the same port
# is not covered. The metadata confidence_level is the ThreatFox score; gate any
# automated blocking on it rather than treating a 50% entry like a 100% one.
alert tcp $HOME_NET any -> [72.27.164.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_12; classtype:trojan-activity; sid:91239566; rev:1;) alert tcp $HOME_NET any -> [45.95.169.103] 2545 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239564/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239564; rev:1;) alert tcp $HOME_NET any -> [188.127.235.191] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239563/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239563; rev:1;) alert tcp $HOME_NET any -> [46.246.84.5] 7771 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239473/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239473; rev:1;)
# NOTE(review): the dns rules are written $HOME_NET -> $EXTERNAL_NET. Where clients
# resolve through an internal recursive resolver, only the resolver's upstream query
# crosses that boundary, so target:src_ip names the resolver rather than the infected
# client; add a "-> any any" copy (or monitor the resolver-facing segment) if you need
# the hit attributed to the endpoint. The match is exact (depth equals the pattern
# length and isdataat:!1,relative follows it): subdomains of the listed name do not
# fire, nocase only covers capitalisation.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"berlyndnero.duckdns.org"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239474/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239474; rev:1;) alert tcp $HOME_NET any -> [46.246.6.12] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239560/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_12; classtype:trojan-activity; sid:91239560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprocessflowertrafficdownloads.php"; depth:36; nocase; http.host; content:"685938cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/privateto_/universaldownloads/better/publichttpwindows9/request2/serverdownloads6sql/936/httphttplocalsql/31/cpu0temppublic/requestwordpressgametest/linux5dlegame/wordpress2privatedump/imagegame_protect/vmprotect.php"; depth:217; nocase; http.host; content:"62.109.13.250"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239561; rev:1;) alert tcp $HOME_NET any -> [142.154.95.21] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239559; rev:1;) alert tcp $HOME_NET any -> [13.246.66.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239558; rev:1;) alert tcp $HOME_NET any -> [43.139.43.200] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239557; rev:1;) alert tcp $HOME_NET any -> [194.163.154.118] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239556; rev:1;) alert tcp $HOME_NET any -> [137.184.108.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239555; rev:1;) alert tcp $HOME_NET any -> [185.7.52.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239554; rev:1;) alert tcp $HOME_NET any -> [49.13.48.92] 53721 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239553/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_12; classtype:trojan-activity; sid:91239553; rev:1;) alert tcp $HOME_NET any -> [54.155.137.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239552; rev:1;) alert tcp $HOME_NET any -> [31.223.68.157] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239551; rev:1;) alert tcp $HOME_NET any -> [159.146.122.238] 2223 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239550; rev:1;) alert tcp $HOME_NET any -> [34.230.194.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239549; rev:1;) alert tcp $HOME_NET any -> [195.35.52.127] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239548; rev:1;) alert tcp $HOME_NET any -> [185.247.224.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239547; rev:1;) alert tcp $HOME_NET any -> [35.200.164.35] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239546; rev:1;) alert tcp $HOME_NET any -> [51.68.175.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239545; rev:1;) alert tcp $HOME_NET any -> [34.130.87.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkerjeki.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239543; rev:1;) alert tcp $HOME_NET any -> [212.64.217.73] 8686 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239542/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_12; classtype:trojan-activity; sid:91239542; rev:1;) alert tcp $HOME_NET any -> [204.216.223.114] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239541; rev:1;) alert tcp $HOME_NET any -> [42.96.2.220] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239539; rev:1;) alert tcp $HOME_NET any -> [42.119.113.85] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-86-17-63.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239538; rev:1;) alert tcp $HOME_NET any -> [54.88.105.125] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239537; rev:1;) alert tcp $HOME_NET any -> [94.156.65.246] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239536; rev:1;) alert tcp $HOME_NET any -> [83.97.73.229] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239535; rev:1;) alert tcp $HOME_NET any -> [77.232.130.4] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239534; rev:1;) alert tcp $HOME_NET any -> [194.48.251.184] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239533; rev:1;) alert tcp $HOME_NET any -> [197.119.85.192] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239532; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239531; rev:1;) alert tcp 
$HOME_NET any -> [86.126.4.236] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239530; rev:1;) alert tcp $HOME_NET any -> [154.245.89.99] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reporttest.rubecon.co.za"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239528; rev:1;) alert tcp $HOME_NET any -> [45.79.196.203] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-79-196-203.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239526; rev:1;) alert tcp $HOME_NET any -> [51.120.7.94] 1337 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1239525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239525; rev:1;) alert tcp $HOME_NET any -> [185.81.157.203] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239523; rev:1;) alert tcp $HOME_NET any -> [82.102.23.170] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239524; rev:1;) alert tcp $HOME_NET any -> [185.81.157.211] 9191 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.197.203.76.144.clients.your-server.de"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239521; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"883217.cc"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dgaf.catboy.me"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239518; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grinevitchnicolas.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239519; rev:1;) alert tcp $HOME_NET any -> [89.23.103.187] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239516; rev:1;) alert tcp $HOME_NET any -> [93.123.39.152] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239517; rev:1;) alert tcp $HOME_NET any -> [95.216.123.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239515; rev:1;) alert tcp $HOME_NET any -> [185.172.128.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1239514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ansible-tower-pocket-node1.validatorsheaven.network"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239513; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"64-225-100-2.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239512; rev:1;) alert tcp $HOME_NET any -> [185.196.9.10] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239510; rev:1;) alert tcp $HOME_NET any -> [46.101.195.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239511; rev:1;) alert tcp $HOME_NET any -> [35.202.200.238] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; 
classtype:trojan-activity; sid:91239509; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239507; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239508; rev:1;) alert tcp $HOME_NET any -> [91.92.255.64] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239506; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 3003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239504; rev:1;) alert tcp $HOME_NET any -> [78.161.49.74] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239505; rev:1;) alert tcp $HOME_NET any -> [20.81.43.192] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1239503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srxy123.is-a-geek.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239502; rev:1;) alert tcp $HOME_NET any -> [185.81.157.106] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239500; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 9696 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239501; rev:1;) alert tcp $HOME_NET any -> [216.118.230.117] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239499; rev:1;) alert tcp $HOME_NET any -> [20.52.118.210] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239498/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_12; classtype:trojan-activity; sid:91239498; rev:1;) alert tcp $HOME_NET any -> 
[187.135.95.35] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239497; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239496; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239495; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1628 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239493; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239494; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2280 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239492/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239492; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239490; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239491; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239489; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239488; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239486; rev:1;) alert tcp $HOME_NET any -> [187.135.95.35] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239487; rev:1;) alert tcp $HOME_NET any -> [177.222.224.56] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239485; rev:1;) alert tcp $HOME_NET any -> [31.43.159.234] 1605 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239484; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239482; rev:1;) alert tcp $HOME_NET any -> [51.38.226.86] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239483; rev:1;) alert tcp $HOME_NET any -> [83.97.20.183] 48080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; 
sid:91239481; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 11011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239480; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239479; rev:1;) alert tcp $HOME_NET any -> [108.165.106.7] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239478; rev:1;) alert tcp $HOME_NET any -> [111.90.150.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smtp.pioneerprinters.co.uk"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cdn/9/9/windowspublic/5voiddb/6process3/8/serverdbdatalifedle.php"; depth:66; nocase; http.host; content:"91.107.121.253"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_12; classtype:trojan-activity; sid:91239475; rev:1;)
# NOTE(review): the Cobalt Strike ip:port entries on port 53 that follow are tcp-only.
# If the listener is a DNS beacon (UDP/53) rather than HTTP(S) served on port 53, these
# rules never match and a udp sibling, or the dns-domain rule for the beacon's domain,
# is needed. Confirm against the referenced ThreatFox entry before relying on them.
alert tcp $HOME_NET any -> [173.212.224.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hom.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.cabul.bbtecno.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239470; rev:1;) alert tcp $HOME_NET any -> [64.225.111.119] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239469; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.mb-testing.de"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239468; rev:1;) alert tcp $HOME_NET any -> [103.186.215.56] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239462; rev:1;) alert tcp $HOME_NET any -> [5.182.87.145] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239461/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239461; rev:1;) alert tcp $HOME_NET any -> [78.19.61.12] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239460/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239460; rev:1;) alert tcp $HOME_NET any -> [157.254.20.34] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"61.163.138.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239458; rev:1;) alert tcp $HOME_NET any -> [193.242.211.154] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239457; rev:1;) alert tcp $HOME_NET any -> [91.211.247.89] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239456; rev:1;) alert tcp $HOME_NET any -> [185.237.206.77] 80 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239455; rev:1;) alert tcp $HOME_NET any -> [117.50.162.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ccuk.edenexit.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1239449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239449; rev:1;) alert tcp $HOME_NET any -> [94.156.69.147] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"winkimedia.it"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239450; rev:1;) alert tcp $HOME_NET any -> [94.156.71.221] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239452; rev:1;) alert tcp $HOME_NET any -> [5.39.43.50] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239448; rev:1;) alert tcp $HOME_NET any -> [45.153.230.56] 7777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239446; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 14114 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239447/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"53d5-66-154-102-195.ngrok-free.app"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"43.251.159.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"81.68.248.191"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"139.196.191.50"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91239442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/0linuxcdnpipe/windowsto/providerproton/347/auth5dumpjs/84geotemporary/vmto_processauthlongpolltraffictrackcdn.php"; depth:114; nocase; http.host; content:"217.25.94.158"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239441; rev:1;) alert tcp $HOME_NET any -> [85.192.32.83] 1194 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cr13705.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sbdatabase.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239438; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239073/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239073; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 17032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239074/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"teaigame.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/teai_demo.exe"; depth:19; nocase; http.host; content:"teaigame.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"78.85.17.88"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239072; rev:1;) alert tcp $HOME_NET any -> [104.236.71.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1239069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/926-87643065-0301867/field-keywords=time"; depth:60; nocase; http.host; content:"104.236.71.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239068; rev:1;) alert tcp $HOME_NET any -> [193.233.132.167] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239067/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239067; rev:1;) alert tcp $HOME_NET any -> [185.215.113.32] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239066/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support-ntc.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdmx-financegovpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1238932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharepakistan-mofa.viewdns.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogdcl.servehttp.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"portal-ptclnetpk.servehttp.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"piac-compk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveirc.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238928/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveblog.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offers-ptclnetpk.serveftp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"news-ptvcompk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"offer-ptclnetpk.servehttp.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newmail-armymilbd.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; 
classtype:trojan-activity; sid:91238923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navy-govbd.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238922; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailhitgovpk.servehalflife.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanfung.servehttp.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-scogovpk.servehalflife.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238919; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.myddns.me"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238917; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofapk.servehttp.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238918; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-mofagovpk.gotdns.ch"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modgovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-depogovpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"mail-dgdpgovpk.servehalflife.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hrmis-financegovpk.serveftp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-bafmilbd.servequake.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveblog.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238907; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"finance-govpk.serveftp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"financegovpk.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"circular-financegov.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eservice-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofapk.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehalflife.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awards-piacaero.servehttp.com"; depth:29; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cap-mofagovpk.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"advisory-cabinetgpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"peces.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238884/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238884; rev:1;) alert tcp $HOME_NET any -> [46.246.84.15] 1995 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238802/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238802; rev:1;) alert tcp $HOME_NET any -> [171.228.211.109] 56999 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238805/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_11; classtype:trojan-activity; sid:91238805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"kami.shopkami.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238806/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91238806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.servehttp.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91238935; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 13977 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239002/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239002; rev:1;) alert tcp $HOME_NET any -> [45.95.146.13] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239003/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239003; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"win32avemaria.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"serenys.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/enigma/index.php"; depth:17; nocase; http.host; content:"193.233.132.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yandex/index.php"; depth:17; nocase; http.host; content:"185.215.113.32"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"junio2023.duckdns.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239017/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239017; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239046; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 16992 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239047/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_11; classtype:trojan-activity; sid:91239047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibe-ptclnetpk.viewdns.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1239065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239065; rev:1;) alert tcp $HOME_NET any -> [216.118.230.118] 33452 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239064/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239064; rev:1;) alert tcp $HOME_NET any -> [154.9.249.116] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239063/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239063; rev:1;) alert tcp $HOME_NET any -> [185.193.126.155] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239062/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239062; rev:1;) alert tcp $HOME_NET any -> [124.220.0.201] 4849 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239061/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239061; rev:1;) alert tcp $HOME_NET any -> [41.98.245.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239060/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239060; rev:1;) alert tcp $HOME_NET any -> [160.176.66.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239059/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239059; rev:1;) alert tcp $HOME_NET any -> [151.30.51.255] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239058/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239058; rev:1;) alert tcp $HOME_NET any -> [84.155.10.84] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239057/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239057; rev:1;) alert tcp $HOME_NET any -> [117.200.61.202] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239056/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239056; rev:1;) alert tcp $HOME_NET any -> [5.182.36.131] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239055/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239055; rev:1;) alert tcp $HOME_NET any -> [121.127.33.246] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239054/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239054; rev:1;) alert tcp $HOME_NET any -> [43.132.212.200] 22694 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239053; rev:1;) alert tcp $HOME_NET any -> [45.61.159.30] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239052; rev:1;) alert tcp $HOME_NET any -> [159.69.207.158] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239051; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239050; rev:1;) alert tcp $HOME_NET any -> [91.238.181.248] 8080 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_11; classtype:trojan-activity; sid:91239049; rev:1;) alert tcp $HOME_NET any -> [45.76.46.64] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239048; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239045; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 16992 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239044; rev:1;) alert tcp $HOME_NET any -> [132.226.123.210] 1337 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239043; rev:1;) alert tcp $HOME_NET any -> [47.120.50.234] 35550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239042/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239042; rev:1;) alert tcp $HOME_NET any -> [43.154.39.87] 28080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239041/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239041; rev:1;) alert tcp $HOME_NET any -> [149.50.211.216] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239040/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239040; rev:1;) alert tcp $HOME_NET any -> [106.52.244.189] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239039/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239039; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 50017 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239038/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239038; rev:1;) alert tcp $HOME_NET any -> [31.192.235.73] 48126 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239037/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239037; rev:1;) alert tcp $HOME_NET any -> [101.43.2.243] 26356 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239036/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239036; rev:1;) alert tcp $HOME_NET any -> [175.178.83.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239035/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239035; rev:1;) alert tcp $HOME_NET any -> [208.68.36.130] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239034/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239034; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 55667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239033/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239033; rev:1;) alert tcp $HOME_NET any -> [1.117.117.147] 2020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239032/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239032; rev:1;) alert tcp $HOME_NET any -> [74.48.158.197] 30080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239031/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; 
sid:91239031; rev:1;) alert tcp $HOME_NET any -> [1.15.248.225] 38248 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239030/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239030; rev:1;) alert tcp $HOME_NET any -> [124.222.234.106] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239029; rev:1;) alert tcp $HOME_NET any -> [20.231.208.182] 7788 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239028/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239028; rev:1;) alert tcp $HOME_NET any -> [101.201.224.75] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239027; rev:1;) alert tcp $HOME_NET any -> [159.223.77.150] 58393 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239026/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239026; rev:1;) alert tcp $HOME_NET any -> [117.72.35.189] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1239025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239025; rev:1;) alert tcp $HOME_NET any -> [120.48.101.89] 37128 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239024/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239024; rev:1;) alert tcp $HOME_NET any -> [68.183.86.25] 49492 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239023; rev:1;) alert tcp $HOME_NET any -> [78.40.116.82] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239022/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239022; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239020; rev:1;) alert tcp $HOME_NET any -> [78.47.191.114] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_11; classtype:trojan-activity; sid:91239019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0905554.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_11; classtype:trojan-activity; sid:91239018; rev:1;) alert tcp $HOME_NET any -> [167.86.86.15] 3333 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"45.90.217.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239010/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239010; rev:1;) alert tcp $HOME_NET any -> [20.226.21.146] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239009; rev:1;) alert tcp $HOME_NET any -> [5.42.64.44] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239008; rev:1;) alert tcp $HOME_NET any -> [45.77.240.40] 25887 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blsswk93ex/index.php"; depth:21; nocase; http.host; content:"5.42.64.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1239005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239005; rev:1;) alert tcp $HOME_NET any -> [185.103.100.197] 19049 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91239004; 
rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239001/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239001; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1239000/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91239000; rev:1;) alert tcp $HOME_NET any -> [78.18.250.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238999/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238999; rev:1;) alert tcp $HOME_NET any -> [39.40.155.114] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238998/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238998; rev:1;) alert tcp $HOME_NET any -> [45.66.248.84] 42282 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238997/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238997; rev:1;) alert tcp $HOME_NET any -> [163.197.247.155] 8889 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238996/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238996; rev:1;)
# NOTE(review): the ip:port rules below carry no flow: keyword and no content match, so they fire
# on any TCP segment from $HOME_NET toward the listed destination:port -- an unanswered SYN from a
# scanner or a misdirected client is enough. "threshold: type limit, track by_src, seconds 60,
# count 1" logs only the first hit per internal source per 60 s and drops the rest of that window,
# so alert counts understate how often the endpoint was contacted. Treat a hit as "talked to a
# known-bad endpoint", confirm with the flow record (bytes exchanged, established or not) before
# escalating, and do not block from the alert alone.
# NOTE(review): several destinations here sit in public-cloud ranges (3.75.189.17, 13.49.116.113
# and 40.87.135.62 fall in ranges commonly allocated to AWS/Azure -- confirm with current WHOIS).
# Such addresses are recycled between tenants, and every indicator in this span carries
# first_seen 2024_02_10; check the ThreatFox reference URL for current status before tuning or
# blocking on it.
alert tcp $HOME_NET any -> [40.87.135.62] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238995; rev:1;)
alert tcp $HOME_NET any -> [65.21.64.132] 34779 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238994; rev:1;)
# NOTE(review): sid 91238993 duplicates sid 91239014 earlier in this file (same GET /cm to host
# 23.94.202.169, distinct ThreatFox IOC ids 1238993 / 1239014); both fire on the same request, so
# dedupe triage on host+uri rather than on sid. http.uri content "/cm" with depth:3 and no
# isdataat is a prefix match (/cm, /cmd, /cms/... all qualify); the exact http.host match
# (depth:13 + isdataat:!1,relative) is what keeps it bounded to this one server.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238993; rev:1;)
# NOTE(review): the "Unknown malware" entries below are all on port 3333 (plus 4444/443/8443).
# 3333 is a conventional stratum (mining-pool) port, so these may be coinminer pools rather than
# interactive C2 -- presumably; verify against the reference before classifying the incident.
alert tcp $HOME_NET any -> [34.34.10.37] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238992; rev:1;)
alert tcp $HOME_NET any -> [3.75.189.17] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238991; rev:1;)
alert tcp $HOME_NET any -> [165.232.179.158] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238990; rev:1;)
alert tcp $HOME_NET any -> [181.32.143.15] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238989; rev:1;)
alert tcp $HOME_NET any -> [13.49.116.113] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238988; rev:1;)
alert tcp $HOME_NET any -> [122.150.85.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238987; rev:1;)
alert tcp $HOME_NET any -> [173.212.228.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238986; rev:1;)
alert tcp $HOME_NET any -> [41.78.73.219] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238985; rev:1;) alert tcp $HOME_NET any -> [78.186.239.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238984; rev:1;) alert tcp $HOME_NET any -> [172.174.245.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238983; rev:1;) alert tcp $HOME_NET any -> [54.198.97.186] 5432 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238982; rev:1;) alert tcp $HOME_NET any -> [118.31.49.59] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogger.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238980; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eco-academy.virtualidevs.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238979; rev:1;) alert tcp $HOME_NET any -> [49.51.69.128] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238978; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nanasuuakiaa.host"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238977; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.x3qc.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238976; rev:1;) alert tcp $HOME_NET any -> [103.65.235.21] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238975; rev:1;) alert tcp $HOME_NET any -> [93.123.39.165] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238974; rev:1;)
# NOTE(review): this dns rule's header is $HOME_NET -> $EXTERNAL_NET, so it only evaluates
# queries an internal host sends directly to an external resolver. A lookup sent to an internal
# recursive resolver (both ends in $HOME_NET) is never inspected; on that path the sensor must see
# the resolver's upstream query, and target:src_ip then names the resolver, not the infected
# endpoint. depth:42 + isdataat:!1,relative make this an exact match on the full name (nocase
# covers letter case); a query for a sub-label of it will not match.
# NOTE(review): the name is an AWS-generated hostname that embeds the instance's public IP
# (54.175.203.218). Such hostnames follow the address, not the tenant, and are reassigned once
# the address is released -- presumably; verify -- so confirm the IOC is still live via the
# reference URL before acting on the resolution alone, and consider the embedded IP as a pivot.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-175-203-218.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238973; rev:1;)
alert tcp $HOME_NET any -> [23.94.66.115] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238972; rev:1;)
# NOTE(review): the ERMAC entries below are port-80 ip:port rules with no flow: and no content
# keyword, so a single SYN or any plain-HTTP request toward the address fires them; the
# threshold (type limit, track by_src, seconds 60, count 1) logs one alert per internal source
# per minute and discards the rest of that window. Confirm with the flow/http record before
# escalating; a shared web host on port 80 is a common false-positive source for this rule shape.
alert tcp $HOME_NET any -> [185.194.216.22] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238970; rev:1;)
alert tcp $HOME_NET any -> [87.98.147.251] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238971; rev:1;)
alert tcp $HOME_NET any -> [4.178.96.222] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238969; rev:1;)
alert 
tcp $HOME_NET any -> [113.30.191.40] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238968; rev:1;) alert tcp $HOME_NET any -> [176.113.115.243] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238967; rev:1;) alert tcp $HOME_NET any -> [193.222.96.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238966; rev:1;) alert tcp $HOME_NET any -> [178.33.57.149] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238965; rev:1;) alert tcp $HOME_NET any -> [178.33.57.149] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staging.recruitis.josefbenjac.cz"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1238963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.dalkson.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-244-129-215.eu-west-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zqpvr01.sandcats.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-199-117-47.ap-northeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238959; rev:1;) alert tcp $HOME_NET any -> [159.100.13.218] 1606 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238958/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238958; rev:1;)
alert tcp $HOME_NET any -> [37.120.237.196] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238957; rev:1;)
# Hook entries on tcp/80: the ip:port rule matches on the destination socket only,
#   so plain web browsing to a re-used address fires it as readily as the implant
#   does. Pivot on the HTTP log for the same flow before escalating.
alert tcp $HOME_NET any -> [185.216.70.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238956; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.224] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238955; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"056hg568786.f4r5t5y8hh8.click"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238954; rev:1;)
alert tcp $HOME_NET any -> [92.63.104.174] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238952; rev:1;)
alert tcp $HOME_NET any -> [77.73.129.77] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238953; rev:1;)
# 185.189.196.191 is listed again further down on tcp/40056 as a Havoc C2
#   (sid 91238833, confidence 50): the host appears to serve more than one
#   listener, so correlate alerts from both sids when triaging.
alert tcp $HOME_NET any -> [185.189.196.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238950; rev:1;)
alert tcp $HOME_NET any -> [34.72.157.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238951; rev:1;)
alert tcp $HOME_NET any -> [40.66.42.165] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238949; rev:1;)
alert tcp $HOME_NET any -> [104.156.247.38] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238948; rev:1;)
alert tcp $HOME_NET any -> [114.116.231.53] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; 
sid:91238947; rev:1;)
# Sliver entries are the only 90%-confidence rules in this stretch; the feed's
#   confidence is carried in metadata confidence_level, so alert routing can be
#   keyed on it without parsing msg.
alert tcp $HOME_NET any -> [163.197.247.155] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238946/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238946; rev:1;)
alert tcp $HOME_NET any -> [119.91.77.189] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238945/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_10; classtype:trojan-activity; sid:91238945; rev:1;)
# 5.45.111.146 carries two Cobalt Strike listeners (443 and 4433); one infected host
#   can therefore raise two distinct sids for what is a single C2 server.
alert tcp $HOME_NET any -> [5.45.111.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238943; rev:1;)
alert tcp $HOME_NET any -> [5.45.111.146] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238944; rev:1;)
alert tcp $HOME_NET any -> [78.40.116.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238942; rev:1;)
alert tcp $HOME_NET any -> [124.220.53.223] 4543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238941; rev:1;)
alert tcp $HOME_NET any -> [134.122.164.195] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238940; rev:1;)
alert tcp $HOME_NET any -> [51.38.226.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238939; rev:1;)
alert tcp $HOME_NET any -> [201.27.182.215] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238937; rev:1;)
alert tcp $HOME_NET any -> [196.235.228.141] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238938; rev:1;)
# Exact-name DNS match (depth + isdataat:!1,relative): only a lookup of precisely
#   this hostname fires; www.* or other labels in front of it do not.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202305171327228750.powersrv.de"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238936; rev:1;)
alert tcp $HOME_NET 
any -> [147.45.47.96] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238899/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238899; rev:1;)
# Three DCRat hosts in 91.92.241.0/24 (.128, .121, .39), all on tcp/2023. When one
#   prefix keeps recurring a local rule on the /24 + port can outlive the individual
#   IOCs, but confirm the range is not shared hosting before widening the match.
alert tcp $HOME_NET any -> [91.92.241.128] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238898/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238898; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.2] 2121 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238897/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238897; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.121] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238896; rev:1;)
alert tcp $HOME_NET any -> [91.92.241.39] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238895/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238895; rev:1;)
# Havoc listeners on tcp/443: the rule sees only the destination socket, not the
#   TLS session, so a re-used address will also fire on ordinary HTTPS traffic.
alert tcp $HOME_NET any -> [150.143.137.163] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238894/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_02_10; classtype:trojan-activity; sid:91238894; rev:1;)
# Havoc ip:port entries (80% confidence). No flow keyword here, so a single SYN to
#   the listener is enough to alert; check the flow/tls log for an actual session
#   before treating a hit as a live beacon.
alert tcp $HOME_NET any -> [54.169.174.23] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238893; rev:1;)
alert tcp $HOME_NET any -> [45.79.196.203] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238892; rev:1;)
alert tcp $HOME_NET any -> [61.19.254.6] 2123 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238891; rev:1;)
alert tcp $HOME_NET any -> [165.154.132.129] 50013 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238890; rev:1;)
alert tcp $HOME_NET any -> [18.117.144.139] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238889; rev:1;)
alert tcp $HOME_NET any -> [40.90.255.165] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238888; rev:1;)
alert tcp $HOME_NET any -> [136.54.125.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238887; rev:1;)
alert tcp $HOME_NET any -> [43.132.212.200] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238886; rev:1;)
alert tcp $HOME_NET any -> [185.119.118.59] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238885; rev:1;)
alert tcp $HOME_NET any -> [46.246.82.3] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238883; rev:1;)
# url rules: GET + URI prefix + exact Host. The URI uses depth:N with no end anchor,
#   so any longer path that begins with the pattern also matches; the Host match is
#   exact (depth + isdataat:!1,relative). These need the HTTP app-layer parser and
#   only see cleartext HTTP: the same URL over TLS will not fire unless traffic is
#   decrypted before it reaches Suricata.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/05b89c2203fb7bde.php"; depth:21; nocase; http.host; content:"77.105.132.197"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; 
classtype:trojan-activity; sid:91238882; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptjsdownloads.php"; depth:32; nocase; http.host; content:"007017cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238881; rev:1;)
# /dot.gif, /cx and /en_us/all.js on 134.122.75.115 / 185.91.127.221 look like
#   Cobalt Strike default-profile beacon/stager paths; the feed labels them only
#   "botnet C2", so treat the family as unconfirmed. The paths are short and generic,
#   so the exact Host match is what keeps these rules from firing on legitimate sites.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238880; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238879; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238878; rev:1;)
# NOTE: the rule starting here (sid 91238877) has exactly the same match as sid
#   91238878 just above (GET /en_us/all.js, Host 134.122.75.115). Both point at
#   separate ThreatFox IOC entries but will raise two alerts per request; disable
#   one locally (disable.conf) rather than deleting it, since the sid <-> IOC
#   mapping belongs to the upstream feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238877; rev:1;)
# sid 91238877 (ending above) duplicates sid 91238878: same GET /en_us/all.js to
#   134.122.75.115, so expect two alerts per request unless one is disabled locally.
# /fwlink, /match, /dpixel and /ga.js are likewise short paths of the kind used by
#   Cobalt Strike's default profile (unconfirmed by the feed, which says only
#   "botnet C2"); the exact Host match is what makes them safe to run.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238876; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238875; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238874; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"88.214.27.53"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238873; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0916186.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238872; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.25] 3000 (msg:"ThreatFox ObserverStealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238871; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.nsgocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238869; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.0-2.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238858; rev:1;)
# tcp/53 ip:port rules (this one and the Cobalt Strike entries that follow): "alert
#   tcp" only catches a direct TCP connection to the listener. UDP/53 to the same
#   address is not covered by this rule at all, and a beacon that resolves through
#   the corporate resolver never connects here directly; the neighbouring dns_query
#   rules are the practical detection for that path.
alert tcp $HOME_NET any -> [178.128.229.91] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238859/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238859; rev:1;)
alert tcp $HOME_NET any -> [154.22.123.68] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238857; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.theasiagroupai.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238856; rev:1;)
alert tcp $HOME_NET any -> [45.77.116.186] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238855; rev:1;)
# "dns.<domain>" names interleaved with tcp/53 Cobalt Strike IOCs look like the
#   nameserver hostnames of DNS-beacon zones (inferred; the feed does not say so).
#   If that is right, the implant never queries this exact name: the internal
#   resolver does, while chasing the NS glue, which this exact match catches with
#   src_ip = resolver. Queries inside the delegated zone itself are not covered
#   here; once the zone is known add a local suffix rule, e.g.
#   dns.query; content:".<zone>"; nocase; isdataat:!1,relative;
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.startupmartec.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238854; rev:1;)
alert tcp $HOME_NET any -> [199.247.30.209] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.thenewbees.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238852; rev:1;)
alert tcp $HOME_NET any -> [18.222.142.217] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238851; rev:1;)
# dns.sstr.com.br / dns.pwd-reset.net: exact-name matches only (depth + isdataat).
#   Presumably nameserver names for DNS-beacon zones, paired with the tcp/53 IOCs
#   around them; sub-labels under a delegated zone will not match these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.sstr.com.br"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238850; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.pwd-reset.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238848; rev:1;)
alert tcp $HOME_NET any -> [63.34.195.83] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238849; rev:1;)
alert tcp $HOME_NET any -> [173.212.224.123] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238847; rev:1;)
# cupdater.bbtecno.com is covered twice on purpose: the domain rule (sid 91238846)
#   fires at resolution time, the URL rule (sid 91238845) on the GET itself. The URI
#   part is a prefix match, so any path under /download/ on that host alerts.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cupdater.bbtecno.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238846; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"cupdater.bbtecno.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238845; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"94.156.65.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238844; rev:1;)
alert tcp $HOME_NET any -> [146.235.52.69] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238843; rev:1;)
alert tcp $HOME_NET any -> [13.82.186.9] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1238842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238842; rev:1;)
alert tcp $HOME_NET any -> [94.156.68.217] 3162 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238841; rev:1;)
# confidence_level 50 block starts here (QakBot, then Responder, Havoc, BianLian,
#   Deimos, Unknown). On common ports such as 443/995 these are the most
#   false-positive-prone rules in the feed: keep them alert-only and rank them by
#   metadata confidence_level instead of blocking on them.
alert tcp $HOME_NET any -> [31.117.188.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238840; rev:1;)
alert tcp $HOME_NET any -> [105.155.185.229] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238839; rev:1;)
alert tcp $HOME_NET any -> [50.35.141.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238838; rev:1;)
alert tcp $HOME_NET any -> [109.154.155.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238837; rev:1;)
alert tcp $HOME_NET any -> [117.200.61.203] 445 (msg:"ThreatFox Responder 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238836; rev:1;)
# "Responder" is the upstream tool name (LLMNR/NBT-NS poisoning plus rogue SMB/HTTP
#   authentication servers), so "botnet C2" is just the feed's threat_type wording.
#   Independently of these IOCs, $HOME_NET -> Internet on tcp/445 deserves a standing
#   egress block or alert: that is the path by which NTLM credentials leak to such a
#   server.
alert tcp $HOME_NET any -> [117.200.61.205] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238835; rev:1;)
alert tcp $HOME_NET any -> [5.182.36.131] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238834; rev:1;)
# 185.189.196.191 also appears earlier on tcp/443 as "Unknown malware" (sid 91238950,
#   confidence 100); correlate both sids when one of them fires.
alert tcp $HOME_NET any -> [185.189.196.191] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238833; rev:1;)
alert tcp $HOME_NET any -> [114.29.237.119] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238832; rev:1;)
alert tcp $HOME_NET any -> [172.202.30.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; 
classtype:trojan-activity; sid:91238831; rev:1;)
# Remaining 50%-confidence ip:port entries (BianLian, Deimos, Unknown). Port-443
#   ones match on the destination socket only, so ordinary HTTPS to a re-used
#   address fires them too; treat as alert-only until corroborated.
alert tcp $HOME_NET any -> [104.238.60.87] 2696 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238830; rev:1;)
alert tcp $HOME_NET any -> [45.148.132.134] 12345 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238829; rev:1;)
alert tcp $HOME_NET any -> [167.86.85.34] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238828; rev:1;)
alert tcp $HOME_NET any -> [5.189.152.51] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238827; rev:1;)
alert tcp $HOME_NET any -> [13.52.244.83] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238826/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238826; rev:1;)
# url rule (continues on the next line): GET + URI prefix + exact Host, cleartext HTTP
#   only; the same request over TLS is invisible to it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0909872.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238825; rev:1;)
# a09xxxxx.xsph.ru hosts: the Host match is exact (depth + isdataat), so each
#   account name needs its own rule; only the account-scoped path is matched, as a
#   prefix. Do not widen to the xsph.ru parent without checking who else lives there.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/db059622.php"; depth:13; nocase; http.host; content:"a0916535.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238824; rev:1;)
alert tcp $HOME_NET any -> [124.71.84.65] 8062 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238823/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238823; rev:1;)
alert tcp $HOME_NET any -> [111.92.240.246] 50550 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238822; rev:1;)
# DarkComet: 187.135.144.103 is listed once per port from here on (1883, 1710, and
#   more on the following lines). Each is a separate sid, so one infected host can
#   raise several alerts within the same minute; the per-rule threshold does not
#   merge them.
alert tcp $HOME_NET any -> [187.135.144.103] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238821; rev:1;)
alert tcp $HOME_NET any -> [187.135.144.103] 1710 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238820; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238819; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238818; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238817; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238816; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238815/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238815; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 1962 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238814; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238813/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238813; rev:1;) alert tcp $HOME_NET any -> [187.135.144.103] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238812/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238812; rev:1;) alert tcp $HOME_NET any -> [34.141.15.123] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238811/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238811; rev:1;) alert tcp $HOME_NET any -> [35.246.183.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238810; rev:1;) alert tcp $HOME_NET any -> [154.245.7.231] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238809/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_02_10; classtype:trojan-activity; sid:91238809; rev:1;) alert tcp $HOME_NET any -> [92.246.136.161] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238808/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_10; classtype:trojan-activity; sid:91238808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"workonz7.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238804; rev:1;) alert tcp $HOME_NET any -> [91.92.244.55] 13002 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_10; classtype:trojan-activity; sid:91238803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"123.234.75.154"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_10; classtype:trojan-activity; sid:91238801; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238800; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238798; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238799; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 15032 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238797; rev:1;) alert tcp $HOME_NET any -> [38.255.33.106] 7896 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238796; rev:1;) alert tcp $HOME_NET any -> [8.213.208.58] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238795; rev:1;) alert tcp $HOME_NET any -> [8.134.69.22] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238794; rev:1;) alert tcp $HOME_NET any -> [41.96.89.253] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238793; rev:1;) alert tcp $HOME_NET any -> [78.167.158.62] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238792; rev:1;) alert tcp $HOME_NET any -> [109.145.252.188] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238791; rev:1;) alert tcp $HOME_NET any -> [31.53.190.47] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238790; rev:1;) alert tcp $HOME_NET any -> [216.137.205.249] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238789; rev:1;) alert tcp $HOME_NET any -> [117.200.61.201] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238788; rev:1;) alert tcp $HOME_NET any -> [165.227.122.136] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238787; rev:1;) alert tcp $HOME_NET any -> [108.181.0.232] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238786; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 58637 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238785; rev:1;) alert tcp $HOME_NET any -> [178.189.215.120] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238784; rev:1;) alert tcp $HOME_NET any -> [168.100.8.112] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238783; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serviceicloud.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdater"; depth:20; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/data.php"; depth:15; nocase; http.host; content:"mysticselect.com"; depth:16; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maconlineoffice.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc2"; depth:7; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visualstudioupdaterls2"; depth:23; nocase; http.host; content:"linksammosupply.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zshrc"; depth:6; nocase; http.host; content:"sarkerrentacars.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/previewers"; depth:11; nocase; http.host; content:"turkishfurniture.blog"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238719; rev:1;) alert tcp $HOME_NET any -> [193.29.13.167] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238720; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238721; rev:1;) alert tcp $HOME_NET any -> [193.29.13.167] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-uk.widgetsfordeploy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238779; rev:1;) alert tcp $HOME_NET any -> [88.214.26.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trans1ategooglecom.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saintelzearlava.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238781; rev:1;) alert tcp $HOME_NET any -> [80.66.85.145] 27441 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238704; rev:1;) alert tcp $HOME_NET any -> [5.231.1.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238706/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238706; rev:1;) alert tcp $HOME_NET any -> [5.181.202.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238707/; target:src_ip; metadata: confidence_level 90, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238707; rev:1;) alert tcp $HOME_NET any -> [45.129.199.163] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238708/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238708; rev:1;) alert tcp $HOME_NET any -> [47.115.206.4] 54321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238778/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238778; rev:1;) alert tcp $HOME_NET any -> [54.169.49.63] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238777/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238777; rev:1;) alert tcp $HOME_NET any -> [163.5.169.23] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238776/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238776; rev:1;) alert tcp $HOME_NET any -> [86.107.199.30] 14014 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238775/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238775; rev:1;) alert tcp $HOME_NET any -> [58.53.128.67] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238774/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238774; rev:1;) alert tcp $HOME_NET any -> [74.48.164.62] 8040 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238773; rev:1;) alert tcp $HOME_NET any -> [108.160.135.65] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238772; rev:1;) alert tcp $HOME_NET any -> [154.223.17.64] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238771/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238771; rev:1;) alert tcp $HOME_NET any -> [47.104.179.218] 65534 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238770; rev:1;) alert tcp $HOME_NET any -> [82.117.255.175] 51150 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238769; rev:1;) 
alert tcp $HOME_NET any -> [111.231.22.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238768/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238768; rev:1;) alert tcp $HOME_NET any -> [8.140.147.193] 55555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238767/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238767; rev:1;) alert tcp $HOME_NET any -> [91.245.253.68] 37982 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238766; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 11699 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238765/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238765; rev:1;) alert tcp $HOME_NET any -> [43.132.175.126] 60666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238764/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238764; rev:1;) alert tcp $HOME_NET any -> [208.83.237.247] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238763; rev:1;) alert tcp $HOME_NET any -> [124.220.185.197] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238762; rev:1;) alert tcp $HOME_NET any -> [43.139.189.54] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238761; rev:1;) alert tcp $HOME_NET any -> [101.43.127.45] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238760/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238760; rev:1;) alert tcp $HOME_NET any -> [47.99.151.68] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238759/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238759; rev:1;) alert tcp $HOME_NET any -> [8.219.228.210] 50010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238758/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238758; rev:1;) alert tcp $HOME_NET any -> [5.255.124.188] 33136 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238757; rev:1;) alert tcp $HOME_NET any -> [61.75.17.84] 59991 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238756/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238756; rev:1;) alert tcp $HOME_NET any -> [176.97.73.6] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238755; rev:1;) alert tcp $HOME_NET any -> [193.233.132.195] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238754; rev:1;) alert tcp $HOME_NET any -> [195.2.76.141] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238753/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238753; rev:1;) alert tcp $HOME_NET any -> [193.233.132.152] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238752/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238752; rev:1;) alert tcp $HOME_NET any -> [45.15.156.161] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238751; rev:1;) alert tcp $HOME_NET any -> [195.20.16.225] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238750; rev:1;) alert tcp $HOME_NET any -> [41.216.183.87] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238749; rev:1;) alert tcp $HOME_NET any -> [195.20.16.127] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238748/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238748; rev:1;) alert tcp $HOME_NET any -> [195.20.16.226] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238747/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238747; rev:1;) alert tcp $HOME_NET any -> [195.20.16.227] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238746/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238746; rev:1;) alert tcp $HOME_NET any -> [116.202.3.242] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238745/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238745; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238744/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238744; rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238743/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238743; rev:1;) alert tcp $HOME_NET any -> [78.46.251.181] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238742; rev:1;) alert tcp $HOME_NET any -> [88.99.38.67] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238741/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238741; rev:1;) alert tcp $HOME_NET any -> [5.75.209.125] 80 (msg:"ThreatFox Vidar 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238740; rev:1;) alert tcp $HOME_NET any -> [5.75.215.113] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238739/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238739; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238738/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238738; rev:1;) alert tcp $HOME_NET any -> [49.12.118.45] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238737/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238737; rev:1;) alert tcp $HOME_NET any -> [5.75.211.127] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238736/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238736; rev:1;) alert tcp $HOME_NET any -> [94.158.247.56] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238735/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238735; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.130.79.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"129.226.154.245"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"78.128.112.205"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"111.230.12.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cdn-lnk-075.epsonupdate.uk"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.153.34.124"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.3.101.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/11/lvjh6wkebixyop5aqcjtb"; depth:57; nocase; http.host; content:"aws-apps.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238725/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aws-apps.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ydr/1337.dat"; depth:13; nocase; http.host; content:"allstocksinc.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vno/1337.dat"; depth:13; nocase; http.host; content:"muellerinfo.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vuihcgp/1337.dat"; depth:17; nocase; http.host; content:"toptrinityblog.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagetodle.php"; depth:15; nocase; http.host; content:"lest1kkror.ru.swtest.ru"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238705; rev:1;) alert tcp $HOME_NET any -> [107.148.1.41] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238703; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.nsfocus.cn.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238702; rev:1;) alert tcp $HOME_NET any -> [94.20.88.63] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238701; rev:1;) alert tcp $HOME_NET any -> [23.226.138.161] 5242 (msg:"ThreatFox Pikabot botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238699; rev:1;) alert tcp $HOME_NET any -> [37.60.242.86] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/t6f5gi/1337.dat"; depth:16; nocase; http.host; content:"professionalficars.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ts5/1337.dat"; depth:13; nocase; http.host; content:"wealthygradi.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238696; 
rev:1;) alert tcp $HOME_NET any -> [129.151.142.36] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"219.151.137.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.222.152.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"1.62.64.108"; depth:11; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.222.152.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"124.225.14.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"rw1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238686; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"23.94.202.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"120.48.96.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238678; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238676; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 13056 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238677/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238677; rev:1;) alert tcp $HOME_NET any -> [3.70.168.173] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238675; rev:1;) alert tcp $HOME_NET any -> [23.226.138.143] 2083 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238674/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238674; rev:1;) alert tcp $HOME_NET any -> [46.151.214.122] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238673; rev:1;) alert tcp $HOME_NET any -> [47.99.188.195] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238672; rev:1;) alert tcp $HOME_NET any -> [128.199.20.195] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238671; rev:1;) alert tcp $HOME_NET any -> [157.245.104.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238670; rev:1;) alert tcp $HOME_NET any -> [159.69.179.190] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238669; rev:1;) alert tcp $HOME_NET any -> [172.105.90.105] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238667; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webdisk.dnl-l.ooguy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1238665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"notifications.deenpel.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238666; rev:1;) alert tcp $HOME_NET any -> [124.222.21.138] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238663; rev:1;) alert tcp $HOME_NET any -> [180.140.153.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238664; rev:1;) alert tcp $HOME_NET any -> [103.16.224.239] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238662; rev:1;) alert tcp $HOME_NET any -> [147.45.45.131] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238660; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"x3qc.com"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238661; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-200-22-116.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238659; rev:1;) alert tcp $HOME_NET any -> [54.175.203.218] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238658; rev:1;) alert tcp $HOME_NET any -> [2.36.57.107] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238657; rev:1;) alert tcp $HOME_NET any -> [185.250.45.130] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238656; rev:1;) alert tcp $HOME_NET any -> [20.241.69.111] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238655; rev:1;) alert tcp $HOME_NET any -> [5.42.92.165] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238653; rev:1;) alert tcp $HOME_NET any -> [20.241.69.111] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238654; rev:1;) alert tcp $HOME_NET any -> [94.156.64.66] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238652; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moodle1.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238651; rev:1;) alert tcp $HOME_NET any -> [93.177.100.138] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238650; rev:1;) alert tcp $HOME_NET any -> [194.48.251.220] 4449 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.129.149.13.49.clients.your-server.de"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.161-35-239-147.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238646; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-153-179-54.eu-central-1.compute.amazonaws.com"; depth:52; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238647; rev:1;) alert tcp $HOME_NET any -> [51.103.213.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qa-dhs.wavenet-solutions.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-203-167-57.ipv4.staticdns2.io"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"healthpips.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"172-105-14-104.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238641; rev:1;) alert tcp $HOME_NET any -> [162.55.40.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238640; rev:1;) alert tcp $HOME_NET any -> [73.186.83.59] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238639; rev:1;) alert tcp $HOME_NET any -> [103.120.201.75] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238638; rev:1;) alert tcp $HOME_NET any -> [147.45.45.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238637; rev:1;) alert tcp $HOME_NET any -> [91.92.254.225] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238636; rev:1;) alert tcp $HOME_NET any -> [150.107.201.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-79-194-172.eu-central-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238633; rev:1;) alert tcp $HOME_NET any -> 
[95.181.173.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"android.l3harris.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238632; rev:1;) alert tcp $HOME_NET any -> [185.216.70.225] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238631; rev:1;) alert tcp $HOME_NET any -> [185.216.70.224] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kitrknis.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"21.157.72.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1238628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238628; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238627; rev:1;) alert tcp $HOME_NET any -> [94.156.69.196] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238626; rev:1;) alert tcp $HOME_NET any -> [206.123.132.240] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238625; rev:1;) alert tcp $HOME_NET any -> [138.201.176.60] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238624; rev:1;) alert tcp $HOME_NET any -> [20.15.234.170] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238623/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_09; classtype:trojan-activity; sid:91238623; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2095 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238621; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2143 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238622; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238620; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238619; rev:1;) alert tcp $HOME_NET any -> [47.97.37.19] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238618; rev:1;) alert tcp $HOME_NET any -> [62.133.60.192] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238617/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238617; rev:1;) alert tcp $HOME_NET any -> [134.175.236.110] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238616; rev:1;) alert tcp $HOME_NET any -> [93.33.203.219] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238615; rev:1;) alert tcp $HOME_NET any -> [192.3.98.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238614; rev:1;) alert tcp $HOME_NET any -> [196.235.2.142] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238613; rev:1;) alert tcp $HOME_NET any -> [141.98.81.98] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"rw1.dbgblack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238611; rev:1;) alert tcp $HOME_NET any -> [172.245.208.5] 2060 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"merckllc.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238610; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/11da1c02f1899731.php"; depth:21; nocase; http.host; content:"217.196.98.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238608; rev:1;) alert tcp $HOME_NET any -> [47.88.53.49] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238607/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238607; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ee48257d.php"; depth:13; nocase; http.host; content:"a0905211.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238606; rev:1;) alert tcp $HOME_NET any -> [88.214.25.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"192.0.2.30"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238604; rev:1;) alert tcp $HOME_NET any -> [34.79.80.97] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238603; rev:1;) alert tcp $HOME_NET any -> [84.38.132.126] 61445 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238602/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238602; rev:1;) alert tcp $HOME_NET any -> [66.204.14.174] 4506 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1238601/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238601; rev:1;) alert tcp $HOME_NET any -> [103.86.131.101] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238600/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238600; rev:1;) alert tcp $HOME_NET any -> [164.92.225.82] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238599/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238599; rev:1;) alert tcp $HOME_NET any -> [178.18.246.136] 2078 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238598/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238598; rev:1;) alert tcp $HOME_NET any -> [40.66.42.165] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238597/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238597; rev:1;) alert tcp $HOME_NET any -> [20.117.106.245] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238596/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238596; rev:1;) alert tcp $HOME_NET any -> [97.118.34.90] 993 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238595/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238595; rev:1;) alert tcp $HOME_NET any -> [67.71.30.57] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238594/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238594; rev:1;) alert tcp $HOME_NET any -> [12.22.160.81] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238593/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238593; rev:1;) alert tcp $HOME_NET any -> [79.113.86.126] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238592/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238592; rev:1;) alert tcp $HOME_NET any -> [104.236.67.20] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238591/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238591; rev:1;) alert tcp $HOME_NET any -> [159.203.167.57] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238590/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238590; rev:1;) 
alert tcp $HOME_NET any -> [91.107.200.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238589/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238589; rev:1;) alert tcp $HOME_NET any -> [15.235.167.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238588/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_09; classtype:trojan-activity; sid:91238588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"selebration17io.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vacantion18ffeu.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"valarioulinity1.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238046/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buriatiarutuhuob.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cassiosssionunu.me"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sulugilioiu19.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"goodfooggooftool.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238050; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"mth.com.ua"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238053; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"piratia.pw"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238054; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; 
content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238057; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238059/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"go-piratia.ru"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njqyndcymje3zwu3/"; depth:18; nocase; http.host; content:"91.240.118.224"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238104; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238097/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238097; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 5204 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238075/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_09; classtype:trojan-activity; sid:91238075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 85%)"; dns_query; content:"microbanafler.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238066/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_09; classtype:trojan-activity; sid:91238066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonlowdbtrafficpublic.php"; depth:29; nocase; http.host; content:"837376cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"exhaustless-bracket.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238586; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238585/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; 
depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238581; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238579; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238580; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"new.usmortgage.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238577; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; http.host; content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"v775136o.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-product-search-for-woo/lib/predic-widget/assets/sass/sass.php"; depth:90; nocase; http.host; content:"ventasdetodoloqueseteocurra.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/assets/styles/styles.php"; depth:58; nocase; http.host; content:"w3qualitytime.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238571/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238567/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238562; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/amp/assets/images/reader-themes/reader-themes.php"; depth:69; nocase; http.host; 
content:"noticiaseh.com.ar"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238553; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.noels.be"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238554; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"nimbroeducation.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238552; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238550; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"druck.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/all-in-one-wp-security-and-firewall.php"; depth:95; nocase; http.host; content:"vselectrics.gr"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/code-snippets/css/min/editor-themes/editor-themes.php"; depth:73; nocase; http.host; content:"car.hapeye.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238542/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/assets/fonts/libre-franklin/libre-franklin.js"; depth:80; nocase; http.host; content:"www.fbstapes.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; 
content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:70; nocase; http.host; content:"crossco.semseo3.beget.tech"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/images/field-states/field-states.php"; depth:90; nocase; http.host; content:"demo3.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"demo31.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo56.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo21.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/css/css.php"; depth:76; nocase; http.host; content:"demo40.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238531; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"demo5.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-addon/addons/advanced-headers/assets/js/minified/minified.php"; depth:87; nocase; http.host; content:"demo1.itaoda.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"test.bigbeautifulbuys.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adminify-pro/inc/modules/admincolumns/assets/assets.php"; depth:75; nocase; http.host; content:"demo46.itaoda.com"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"progeturepublica.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; 
content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"florquedafulgor.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"alyamama78.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/css/css.js"; depth:70; nocase; http.host; content:"bhawpals.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"moveterramogi.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"merelio.000webhostapp.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"computerteknik.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"latinate-matters.000webhostapp.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238516/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"ygbrandmaker.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"ybc77.000webhostapp.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baystate/wp-content/plugins/cherry-plugin/lib/js/flexslider/fonts/fonts.php"; depth:76; nocase; http.host; content:"aclarilari.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"rashidaljabrigroup.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"emvision.com.my"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"femza.org.ar"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238491; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"bp8k4k.serveravatartmp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238487/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"e-tirechains.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; 
depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"1storiginal.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238475; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238476; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238473; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"job-test.ifrigate.ru"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238470; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238466/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/inc/timepicker/timepicker.php"; depth:83; nocase; http.host; content:"ec2-175-41-161-53.ap-southeast-1.compute.amazonaws.com"; depth:54; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/plugins/layerslider/static/codemirror/codemirror.php"; depth:74; nocase; http.host; content:"ade.tw"; depth:6; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp/wp-content/plugins/attachments/deprecated/css/css.php"; depth:57; nocase; http.host; content:"rossanalabs.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238454; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"hamza738.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"go4clinic.000webhostapp.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"savemuch.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"firdesktop.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.js"; depth:79; nocase; http.host; content:"jenniferhallasi652005.000webhostapp.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"gtaonlinestore.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238442; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; 
nocase; http.host; content:"0777arsy.000webhostapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238443; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"cartwheels.000webhostapp.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/searchstatistics/searchstatistics.js"; depth:87; nocase; http.host; content:"battological-envelo.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238441; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/assets/img/whats-new/whats-new.js"; depth:86; nocase; http.host; content:"lonuestrogsm.000webhostapp.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"paperbound-bulk.000webhostapp.com"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"swedenborgian-gangw.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238436; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.js"; depth:84; nocase; http.host; content:"coccal-pocket.000webhostapp.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238434/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238434; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:80; nocase; http.host; content:"nikesoccerbootoutletol.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238435; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238431; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/2015inreview/especial2015/images/prettyphoto/dark_rounded/dark_rounded.js"; depth:74; nocase; http.host; content:"www.chequeado.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238432; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238433; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238429; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"jaimefoxmusic.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"boomndeal.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238425; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238426; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"39.99.63.187"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238420; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238415; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sky/wp-content/plugins/apollo13-framework-extensions/design_importer/a13-wordpress-importer/a13-wordpress-importer.php"; depth:119; nocase; http.host; content:"chatsky.club"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238412/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238410; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/graphs.php"; depth:75; nocase; http.host; content:"3.110.136.110"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238408; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238405; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"wholesaletoys.pk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238406; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; 
content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238403; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238401; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238402; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238400; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238391; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademy.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/page-scroll-to-id/includes/blocks/blocks.php"; depth:64; nocase; http.host; content:"cc.fenxiang.xyz"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/drag-and-drop-multiple-file-upload-contact-form-7/drag-and-drop-multiple-file-upload-contact-form-7.php"; depth:146; nocase; http.host; content:"ajustsolutions.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/creame-whatsapp-me/public/css/css.php"; depth:57; nocase; http.host; content:"conectadosradio.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238376/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tsure/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:84; nocase; http.host; content:"toyotamanilabay.com.ph"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/themeisle-companion/obfx_modules/beaver-widgets/custom-fields/number-field/number-field.php"; depth:111; nocase; http.host; content:"49.232.231.163"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/view/view.php"; depth:61; nocase; http.host; content:"starzbus.com"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/litespeed-cache/lib/css-min/css-min.php"; depth:59; nocase; http.host; content:"nctest.syndicatedcapitalgh.com"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-ace/includes/plugins/visual-composer/elements/elements.php"; depth:81; nocase; http.host; content:"cleverthings.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/servmask.php"; depth:76; nocase; http.host; content:"takartboutique.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/ectoplasm/ectoplasm/ectoplasm.php"; depth:54; nocase; http.host; content:"thegardengasteiz.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/3d-development.com/santacon/santacon.php"; depth:68; nocase; http.host; content:"thesantacon.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"cafemocha.thehostmandu.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/astra-local-fonts/josefin-sans/josefin-sans.php"; depth:59; nocase; http.host; content:"cashoutphone.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/modules/9abb03e812/includes/functions/functions.php"; depth:52; nocase; http.host; content:"tneacounseling.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v2_backup/wp-content/plugins/all-in-one-wp-migration/lib/controller/controller.php"; depth:83; nocase; http.host; content:"uhappyevents.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"mytrucknow.volomoso.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238362; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ad-inserter/includes/google-api/vendor/firebase/php-jwt/php-jwt.php"; depth:87; nocase; http.host; content:"altcoin-cryptocurrency-trading-platform.what-todo.com"; depth:53; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app_templates/web/up_codelogin_old/documentation/assets/blueprint-css/plugins/buttons/buttons.php"; depth:98; nocase; http.host; content:"wanimation.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:52; nocase; http.host; content:"wynton45.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"www.autojaro.sk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238358/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238358; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/guestregsystem/wp-content/plugins/all-in-one-wp-migration-with-import-master/lib/view/assets/css/css.php"; depth:105; nocase; http.host; content:"aridient.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/anywhere-elementor/freemius/assets/css/admin/admin.php"; depth:74; nocase; http.host; content:"autoblazquez.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup/skyjumpertrampolinepark_20190301/skyjumpertrampolinepark_20190301.php"; depth:77; nocase; http.host; content:"youlovesports.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"zado-shoes.com"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/awlandsafaris.com.php"; depth:22; nocase; http.host; content:"awlandsafaris.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bulksmspull/assets/plugins/datatables-fixedheader/css/css.php"; depth:62; nocase; http.host; content:"staging.secuodsoft.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentyfifteen/genericons/genericons/genericons.php"; depth:79; nocase; http.host; content:"www.darskhososy.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/netzheft/wp-admin/css/colors/blue/blue.php"; depth:43; nocase; http.host; content:"netzheft.frnrw.de"; depth:17; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/affiliate-wp/includes/admin/payouts/payouts.js"; depth:66; nocase; http.host; content:"student.simplelifestrategies.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/c/6.3.2/wp-includes/css/dist/dist.js"; depth:60; nocase; http.host; content:"urlaubspanda.at"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro-master/assets/js/js.php"; depth:70; nocase; http.host; content:"staging.aspectuw.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"employee1.1ummah.org.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/b.js"; depth:37; nocase; http.host; content:"backdr.com.au"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bakup4_21_2021/wp-content/cache/page_enhanced/www.yourchoiceplumbers.com.au/2017/06/06.php"; depth:91; nocase; http.host; content:"www.yourchoiceplumbers.com.au"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/cache.php"; depth:16; nocase; http.host; content:"dreclass.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/elementor/assets/lib/eicons/css/css.php"; depth:82; nocase; http.host; content:"enso.atrevia-dev.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"micar.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/plugin_epayco_woocommerce/includes/admin/admin.php"; depth:70; nocase; http.host; content:"tcmtecnologia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new-website/staging-ammartou/wp-content/plugins/acf-flexible-content/includes/5-0/5-0.php"; depth:90; nocase; http.host; content:"ammartours.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app/mu-plugins/acf-medium-editor-field/assets/vendor/medium-editor/css/themes/themes.php"; depth:89; nocase; http.host; content:"dev.edades-west.make.technology"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/a/a/a.php"; depth:40; nocase; http.host; content:"formulario1.frontec.cl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"fruitshop.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"garten.7uptheme.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"mmasport.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238334; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"macy.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/wp-content/plugins/contact-form-7/includes/js/jquery-ui/jquery-ui.php"; depth:74; nocase; http.host; content:"jac.b-a.group"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/rebelradio.cultnerds.io/2020/03/page/2/2.php"; depth:72; nocase; http.host; content:"rebelradio.cultnerds.io"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238330; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1/synergetic/wp-content/plugins/elementor/app/modules/import-export/compatibility/compatibility.php"; depth:101; nocase; http.host; content:"imsx7.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dup-installer/assets/font-awesome/css/css.php"; depth:46; nocase; http.host; content:"sebti.ir"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/bandar.php"; depth:79; nocase; http.host; content:"gmgfavvocati.it"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/admin/css/css.php"; depth:52; nocase; http.host; content:"airsoftgear.mx"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238326; rev:1;)
# ---------------------------------------------------------------------------
# Rule template shared by every ThreatFox "url" IOC below (one rule per IOC;
# the page collapsed several rules per line, they are restored one per line):
#   - http.uri content with depth equal to the string length plus nocase: a
#     case-insensitive prefix match on the request path, so a query string or
#     extra path components after the listed URI still trigger the rule.
#   - http.host content with depth equal to the string length followed by
#     isdataat:!1,relative: the Host value must equal the listed host exactly.
#   - target:src_ip: the $HOME_NET client issuing the GET is reported as the
#     affected host; the external side is the suspected delivery site.
#   - sid = 90000000 + ThreatFox IOC id (e.g. sid:91238327 <-> ioc/1238327),
#     which is the pivot from an alert back to the reference URL.
# Most listed hosts carry ordinary WordPress paths (wp-admin, wp-content,
# wp-includes); they look like compromised legitimate sites rather than
# attacker-registered domains — presumably, so review the reference before
# blocking an entire domain on the strength of one rule.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"refonte.notaire-reuter.lu"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238327; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/speedycache/consilior.com.mx/consilior.com.mx.php"; depth:67; nocase; http.host; content:"consilior.com.mx"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238325; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/iraq/wp-content/plugins/accesspress-social-counter/inc/backend/boards/boards.php"; depth:81; nocase; http.host; content:"nidaagroup.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238324; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"geschaft.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238323; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ar/wp-content/plugins/dopts/libraries/gui/images/colorpicker/colorpicker.js"; depth:76; nocase; http.host; content:"drsohrabi.net"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238322; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/backups-dup-lite/installer/installer.php"; depth:52; nocase; http.host; content:"www.gttours.co.ke"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238320; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/newfold-page-cache/unpicturesquely9lbcy/2f56bactos463103/2f56bactos463103.php"; depth:89; nocase; http.host; content:"danieltravels.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238321; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/booking.grimerud.no/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:101; nocase; http.host; content:"grimerud.no"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238319; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/cf7-conditional-fields/jsdoc-out/scripts/prettify/prettify.php"; depth:82; nocase; http.host; content:"assuredtreecare.com.au"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238318; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/inc/restapi/restapi.php"; depth:69; nocase; http.host; content:"aquaticasolutions.co.za"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238317; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/images/images.php"; depth:27; nocase; http.host; content:"www.redtbs.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238315; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"danza.lpgc.online"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238316; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bolsadetrabajo/wp-content/plugins/all-in-one-seo-pack/app/common/integrations/integrations.php"; depth:95; nocase; http.host; content:"liceodeartesyoficios.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238314; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"new.mullicatownship.org"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ays-popup-box/admin/partials/export-import/export-import.php"; depth:80; nocase; http.host; content:"dev.jobsacademy.co"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238312; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/blocks/archives/archives.js"; depth:40; nocase; http.host; content:"hama.7uptheme.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238311; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"isone.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238310; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"kuteshop.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238308; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"lamerfashion.7uptheme.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238309; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"larcorso.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238307; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/chat_server/node_modules/express/node_modules/accepts/node_modules/negotiator/lib/lib.php"; depth:90; nocase; http.host; content:"akastars.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238306; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/build/css/pro/pro.php"; depth:75; nocase; http.host; content:"marybanksconsult.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238305; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cms/assets/bootstrap/css/css.php"; depth:33; nocase; http.host; content:"knrpjatim.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238304; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/fastboss.ai/4677-2/automation/27/27.php"; depth:67; nocase; http.host; content:"fastboss.ai"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238303; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"civicom.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238302; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/2022/01/138-student-living-uwi-agree-new-concession-terms-business/138-student-living-uwi-agree-new-concession-terms-business.php"; depth:162; nocase; http.host; content:"bellejamaica.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238301; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test11/wp-content/plugins/creative-mail-by-constant-contact/assets/images/admin-dashboard-widget/admin-dashboard-widget.php"; depth:124; nocase; http.host; content:"skingetsperfect.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238300; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/chaty/admin/assets/css/css.php"; depth:50; nocase; http.host; content:"conversemos.itaca.com.pe"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238298; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/abiitqx885984/abiitqx885984.php"; depth:64; nocase; http.host; content:"mortoncountyslc.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238299; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"lawconsult.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238297; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-admin/css/colors/blue/blue.php"; depth:42; nocase; http.host; content:"www.leroyschroeder.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238296; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"serwis-impacto.pl"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238294; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/087/c3e/c3e.php"; depth:40; nocase; http.host; content:"projekty-wloszczowa.pl"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238295; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/samsyssync_pluginwp/assets/css/css.php"; depth:58; nocase; http.host; content:"ambience.lab.webdados.pt"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238293; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"heli-school.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238292; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"www.jrun.com.hk"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238290; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/themes/twentytwentyone/assets/sass/06-components/06-components.php"; depth:88; nocase; http.host; content:"www.inovcargo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238291; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"science-house.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238289; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"cki-company.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238288; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/www.femenino.mx/author/admin/page/page.php"; depth:70; nocase; http.host; content:"femenino.mx"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238287; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/xwp-includes/simplepie/xml/declaration/declaration.js"; depth:54; nocase; http.host; content:"reoninternational.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238286; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"newvivarch.cignature.com.sg"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238284; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-cache-helper/classes/classes.php"; depth:100; nocase; http.host; content:"idt.builderallwppro.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238285; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/addons-for-elementor/assets/css/fonts/fonts.php"; depth:67; nocase; http.host; content:"maternews.aprovar.site"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238283; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/import-export/runners/export/export.php"; depth:81; nocase; http.host; content:"temp.4-b.site"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238282; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"clinicavale.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238280; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-cf7-db/admin/admin.php"; depth:51; nocase; http.host; content:"www.rivabeachbari.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238281; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"api.algoyab.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238279; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/player-api-master/actionscript/deploy/assets/assets.php"; depth:56; nocase; http.host; content:"vidhionline.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238278; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/travis/deployment/ambidon/certifications/certifications.php"; depth:60; nocase; http.host; content:"blog.ambidon.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238277; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/configzei/jump/0-linkgwth/alfa_data/alfacgiapi/alfacgiapi.php"; depth:73; nocase; http.host; content:"linkgrowth.co.uk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238276; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/storage/framework/cache/cache.php"; depth:34; nocase; http.host; content:"version.urban-truth.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238274; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/042/9f1/9f1.php"; depth:40; nocase; http.host; content:"sakarealestate.co.uk"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238275; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.php"; depth:86; nocase; http.host; content:"tsc.signalovernoise.co.uk"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238273; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/wp-statistics/assets/dev/sass/component/placeholder/placeholder.php"; depth:87; nocase; http.host; content:"regaloscaos.es.ht"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238272; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/aviadores/tiles/node1/cf_0/l_1/c_0/c_0.php"; depth:47; nocase; http.host; content:"www.araguahost.com.ve"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238270; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/automatic-translator-addon-for-loco-translate/includes/feedback/feedback.php"; depth:96; nocase; http.host; content:"loja.billiecombina.com.vc"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238271; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"vv.zgwc.vip"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238269; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-uptime-monitor-extension/app/views/admin/admin.php"; depth:79; nocase; http.host; content:"www.arya.digidom.xyz"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238268; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.jelliemons.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238267; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/insert-headers-and-footers/includes/auto-insert/auto-insert.php"; depth:83; nocase; http.host; content:"006.qndxx.xyz"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238266; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/grade-system/grade-system.js"; depth:92; nocase; http.host; content:"phanergy.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238264; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/charitable/assets/images/campaign-builder/settings/payment/education/education.php"; depth:102; nocase; http.host; content:"orji.kalu.apc.com.ng"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238265; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/wp-admin.php"; depth:22; nocase; http.host; content:"medisur-rgl.com.ar"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238263; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/core/languages/plugins/plugins.php"; depth:35; nocase; http.host; content:"szerviz.microstore.hu"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238262; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/30anos/administrator/components/com_actionlogs/views/actionlogs/tmpl/tmpl.js"; depth:77; nocase; http.host; content:"apav.pt"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238261; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/new/wp-content/plugins/aislin-testimonials/src/compatibility/plugins/testimonial_rotator/testimonial_rotator.php"; depth:113; nocase; http.host; content:"flyholisticschools.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238260; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ajax-search-lite/backend/settings/assets/icons/icons.php"; depth:76; nocase; http.host; content:"annybrenn.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238258; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/img/distant/jpg/jpg.php"; depth:24; nocase; http.host; content:"www.ccfg-conakry.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238259; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/xml/declaration/declaration.php"; depth:54; nocase; http.host; content:"store.powermatic.co.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/themes/twentytwenty/assets/images/images.php"; depth:59; nocase; http.host; content:"roughdiamond.jp"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238256; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/142/4fb/4fb.php"; depth:40; nocase; http.host; content:"contrade-co.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238255; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.atouchoflovechildrenscenter.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238254; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/track.dioslogistics.com/category/uncategorized/uncategorized.php"; depth:96; nocase; http.host; content:"track.dioslogistics.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238253; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor/modules/access-editor/access-editor.php"; depth:77; nocase; http.host; content:"noonanwaste.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238251; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp/wp-content/plugins/autodescription/inc/classes/admin/seobar/builder/builder.php"; depth:83; nocase; http.host; content:"eautofsm.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238252; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/037/b5a/b5a.js"; depth:39; nocase; http.host; content:"english.cabrerallamas.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238250; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"relacion.traxxcp.com.au"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/languages.php"; depth:35; nocase; http.host; content:"xbaseweb.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238248; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.php"; depth:98; nocase; http.host; content:"www.7-dots.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238247; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/supercache/pharmahome.ae/ar/comments/feed/feed.php"; depth:68; nocase; http.host; content:"pharmahome.ae"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238246; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bluehost-wordpress-plugin/vendor/doctrine/inflector/lib/doctrine/common/common.php"; depth:102; nocase; http.host; content:"matesonthemove.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ebor-framework-master/metaboxes/css/sass/partials/partials.php"; depth:82; nocase; http.host; content:"interplast.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/assets/css/css.php"; depth:65; nocase; http.host; content:"balangabriel.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/blog-manager-wp/assets/images/arrow/arrow.php"; depth:65; nocase; http.host; content:"ssl.news"; depth:8; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238243; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/leos/public/app-assets/css/plugins/forms/pickers/pickers.php"; depth:61; nocase; http.host; content:"nisecurityservices.ae"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238241; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/category/uncategorized/uncategorized.php"; depth:73; nocase; http.host; content:"wheelsonthedanforth.ca"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/bodycenter-extra/lib/scssphp/compass/stylesheets/compass/utilities/color/color.php"; depth:102; nocase; http.host; content:"www.comunidadfit.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/classic-editor/classic-editor.js"; 
depth:52; nocase; http.host; content:"cvts.rut.digital"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-core/assets/assets.php"; depth:71; nocase; http.host; content:"camtechuganda.must.ac.ug"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"mercadochubut.gob.ar"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ujian/assets/html2pdf/spipu/html2pdf/src/extension/core/core.php"; depth:65; nocase; http.host; content:"lsp.unisba.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/wp-content/plugins/duplicator-pro/assets/css/images/images.php"; depth:63; nocase; http.host; content:"giraganaceuti.compradondevives.es"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vendor/composer/composer/doc/fixtures/repo-composer-with-providers/p/bar/bar.js"; depth:80; nocase; http.host; content:"europeanplasticspact.org"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/object/010/449/449.php"; depth:40; nocase; http.host; content:"mobile.wisechoicesupplements.ph"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238231; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-iframe/css/css.php"; depth:47; nocase; http.host; content:"appercity.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/wp-includes/simplepie/xml/declaration/declaration.php"; depth:63; nocase; http.host; content:"zuarifarmhub.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/builderall-cheetah-for-wp/extensions/ba-cheetah-user-templates/classes/classes.php"; depth:102; nocase; http.host; content:"pizzaria.builderallwppro.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.php"; depth:92; nocase; http.host; content:"uptpkp.kaltimbkd.info"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238228; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/wordpress/wp-content/themes/twentynineteen/template-parts/content/content.js"; depth:82; nocase; http.host; content:"blog.learningpie.in"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238227/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238227; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"www.bericht.es"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238226; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1tambon1school/schsurvey/core/core.php"; depth:39; nocase; http.host; content:"inno.obec.go.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238225; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/burst-statistics/assets/css/admin/modules/dashboard/dashboard.php"; depth:85; nocase; http.host; content:"archiwummuzeumziemizbaszynskiej.zck.org.pl"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238224; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/coming-soon/languages/languages.php"; depth:55; nocase; http.host; content:"iscrizione.handmadecampania.it"; depth:30; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1238223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238223; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mainsite/wp-content/plugins/download-plugins-dashboard/langs/langs.php"; depth:71; nocase; http.host; content:"staging-wordpress.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238222; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__macosx/img/portfolio/fullsize/fullsize.php"; depth:45; nocase; http.host; content:"lisbonvinylcutters.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"abrito.wecreateyou.pt"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; 
content:"lms.tonalismo.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/counter/change_images/logo/logo.php"; depth:42; nocase; http.host; content:"teamvedika.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gallery/backroom/imelda-cajipe-endaya/feed/feed.php"; depth:52; nocase; http.host; content:"www.hiraya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238217; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"legrainparis.fr"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/demos/1stbeauty/wp-content/plugins/better-search-replace/assets/img/img.php"; depth:76; nocase; http.host; 
content:"cactusgroupwebtest.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/smoothness.php"; depth:89; nocase; http.host; content:"a-onevacuums.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/inc/classes/compatibility/astra-pro/astra-pro.php"; depth:81; nocase; http.host; content:"insureafrica.co.za"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238213; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/tool/availabilityconditions/tests/behat/behat.php"; depth:56; nocase; http.host; content:"hlcelms-new.herminahospitals.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/demo/wp-content/plugins/elementor/assets/images/app/site-editor/site-editor.php"; depth:80; nocase; http.host; content:"cxosnextgen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"garage.the-namers.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/endurance-page-cache/endurance-page-cache.php"; depth:57; nocase; http.host; content:"dental.simptomi.rs"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238209; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/social-feed-widgets-for-elementor-using-smash-balloon/assets/css/css.php"; depth:115; nocase; http.host; content:"uat.zeroowatch.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/elementor/app/modules/kit-library/data/kits/endpoints/endpoints.php"; depth:87; nocase; http.host; content:"sosiologi.fisip.unpad.ac.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238207; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpexcel/classes/phpexcel/shared/escher/dggcontainer/bstorecontainer/bstorecontainer.php"; depth:89; nocase; http.host; content:"lanchi.vn"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-security-and-firewall/classes/firewall/rule/rules/6g/6g.js"; depth:92; nocase; http.host; content:"athena.vm.cs.tcu.ac.jp"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238205; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpmyadmin/js/vendor/jqplot/plugins/plugins.php"; depth:48; nocase; http.host; content:"proxyknow.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; 
classtype:trojan-activity; sid:91238204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/financials/unaud30092007_files/sheet001_files/sheet001_files.php"; depth:65; nocase; http.host; content:"jkagri.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238203; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/contact-form-7/includes/js/jquery-ui/themes/smoothness/images/images.js"; depth:91; nocase; http.host; content:"municipio-digital.silice.si"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238202; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238201; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/well-known/acme-challenge/a/a/b/a/a.php"; depth:40; nocase; http.host; content:"www.xinyizhou0310.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238200/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238200; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/atlas/mobile/javascript/javascript.php"; depth:39; nocase; http.host; content:"psiewdr.org"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238199; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/wp-content.php"; depth:26; nocase; http.host; content:"plazanorte.pe"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238198; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/schema/graphs/traits/traits.php"; depth:82; nocase; http.host; content:"blog.qrstaff.in"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238197; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/_ithemes-security-pro/core/lib/lockout/execute-lock/execute-lock.php"; depth:88; nocase; http.host; content:"anfal.com.pk"; depth:12; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238196; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/exceptions/exceptions.js"; depth:97; nocase; http.host; content:"congregacionkoinonia.000webhostapp.com"; depth:38; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"trialstaging.trialrun.us"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/modern/modern/modern/modern/modern/modern.php"; depth:66; nocase; http.host; content:"www.asterism.co.nz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; 
content:"wp.korinek.link"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/spero/vendor/automattic/woocommerce/tests/woocommerce/tests/tests.php"; depth:70; nocase; http.host; content:"www.kwik.tn"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/bootstrap-carousel-swipe/bootstrap-carousel-swipe.php"; depth:61; nocase; http.host; content:"intranet.solucionesbpo.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields-pro/pro/admin/views/views.php"; depth:72; nocase; http.host; content:"clanped2025.com.br"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238189; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/home-elevators/images/authors/authors.php"; depth:42; nocase; http.host; content:"eliteelevators.in"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/color-picker-alpha/color-picker-alpha.php"; depth:95; nocase; http.host; content:"bmn-es.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/cmmlconferences.us/author/cmmlconferences/cmmlconferences.php"; depth:89; nocase; http.host; content:"cmmlconferences.us"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-access-manager/application/backend/feature/main/main.php"; depth:85; nocase; http.host; content:"almacenesespana.com.ec"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"shgl.chao1227.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/decode/html/html.php"; depth:43; nocase; http.host; content:"devsite.scarlettslandscaping.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/paginaviejita/fancybox/recursos/nova-multipurpose-site-template/nova/images/sample/sample.php"; depth:94; nocase; http.host; content:"elparian.com.mx"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238181; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/wp-rocket/erolsalcan.com/bilgilendirme-tesekkuru/bilgilendirme-tesekkuru.php"; depth:94; nocase; http.host; content:"erolsalcan.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238182; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"mehryar.mazyar.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin-panel/js/pages/cards/cards.php"; depth:37; nocase; http.host; content:"robord.ir"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/configofr/configofr.php"; depth:24; nocase; http.host; content:"139.99.50.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/click-to-chat-for-whatsapp/new/admin/admin_assets/css/dev/dev.php"; depth:85; nocase; http.host; content:"puertovaras.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238177; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fgs/vendor/bmwfont/specimen_files/specimen_files.php"; depth:53; nocase; http.host; content:"fixituae.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238176; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prod_link/wp-admin/css/colors/blue/blue.php"; depth:44; nocase; http.host; content:"topsportsteams.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238175; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aab/wp-content/plugins/expandcollapse-funk/icon-font/icon-font.php"; depth:67; nocase; http.host; content:"biomechanik.pl"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-seo-pack/app/common/api/integrations/integrations.php"; depth:84; nocase; http.host; content:"fmtrack.cl"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238173; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/servmask/archiver/archiver.php"; depth:85; nocase; http.host; content:"cruxbd.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238171; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/languages/plugins/plugins.php"; depth:41; nocase; http.host; content:"design-panama.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238172; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/build/css/css.php"; depth:67; nocase; http.host; content:"stage.idandigitali.co.il"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/old/administrator/components/com_banners/views/banners/tmpl/tmpl.php"; depth:69; nocase; http.host; content:"marcelalobos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238169/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fmjoven/fmjoven.php"; depth:20; nocase; http.host; content:"portalmedios.cl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238168; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/admin/img/slider/slider.php"; depth:73; nocase; http.host; content:"dsefaywhq.preview.infomaniak.website"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238167; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"versitaopen.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238166; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238165/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238165; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/aroma/dark/assets/plugins/datatable/css/css.js"; depth:47; nocase; http.host; content:"projects.njgraphica.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/acf-quickedit-fields/include/acfquickedit/acfquickedit.php"; depth:78; nocase; http.host; content:"shop.ggarabia.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238163; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/emailcorporativo/bercati/bercati.php"; depth:37; nocase; http.host; content:"vielco.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/backup/all-in-one-seo-pack-pro/app/common/importexport/rankmath/rankmath.js"; depth:95; nocase; http.host; content:"www.indian-designs.com"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ag-custom-admin/images/images.php"; depth:53; nocase; http.host; content:"juliem-ladeco.fr"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.easisell.com/best-way-to-use-colour-wheel-for-website-design-2/best-way-to-use-colour-wheel-for-website-design-2.php"; depth:152; nocase; http.host; content:"www.easisell.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-includes/simplepie/content/type/type.js"; depth:43; nocase; http.host; content:"skincare.7uptheme.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; 
http.host; content:"www.maaviformazione.it"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/briefcase-elementor-widgets/assets/css/css.php"; depth:89; nocase; http.host; content:"musicaenalcala.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar/lib/lib.php"; depth:80; nocase; http.host; content:"wijmakencomputers.nl"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/impresistem/guzzlehttp/adapter/curl/curl.php"; depth:45; nocase; http.host; content:"digitalepartner.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"handy.7uptheme.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238153; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/page_enhanced/www.cronoscapitalpartners.it/www.cronoscapitalpartners.it.php"; depth:93; nocase; http.host; content:"www.cronoscapitalpartners.it"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/advanced-custom-fields/assets/inc/datepicker/images/images.php"; depth:82; nocase; http.host; content:"iserveindia.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assinatura/wp-admin/css/colors/blue/blue.php"; depth:45; nocase; http.host; content:"petdelicia.com.br"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backups/wp-content/plugins/acf-extended/includes/admin/views/views.php"; depth:71; nocase; http.host; content:"brown1.ezmartech.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238149; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/naacmodules/jquery-ui-1.12.1.custom/images/images.php"; depth:54; nocase; http.host; content:"skillhut.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"haustiere.7uptheme.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/colors.php"; depth:31; nocase; http.host; content:"iustore.7uptheme.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration-unlimited-extension/all-in-one-wp-migration-unlimited-extension.js"; depth:110; nocase; http.host; content:"www.bkkps.co.th"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238145; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/css.php"; depth:21; nocase; http.host; content:"shrachirealty.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nseit/wp-content/plugins/advanced-custom-fields/assets/images/field-states/field-states.js"; depth:91; nocase; http.host; content:"www.nseituat.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238143; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wordpress/wp-content/cache/db/singletables/3e7/d91/d91.php"; depth:59; nocase; http.host; content:"idiomas2.8belts.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238141; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup29112022/wp-admin/css/colors/blue/blue.php"; depth:49; nocase; http.host; content:"futxtrm.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/360/sap/sap_3data/cafe_2_105/html5/html5.php"; depth:45; nocase; http.host; content:"mmoseronelink.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin/cgi-bin.php"; depth:148; nocase; http.host; content:"academia.canaturh.org"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/libarts.pnu.ac.th/all/1649/feed/feed.js"; depth:57; nocase; http.host; content:"libarts.pnu.ac.th"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238138/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_09; classtype:trojan-activity; sid:91238138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.scatolificiosantanna.it"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"www.buildingblocksacademyalvin.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademypasadena.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/cache/min/1/wp-content/plugins/pressapps-login-access/includes/skelet/assets/assets.php"; depth:99; nocase; http.host; content:"www.buildingblocksacademy.net"; 
depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspdf/docs/scripts/prettify/prettify.php"; depth:41; nocase; http.host; content:"neicweb.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/admin/controller/extension/module/waclient/waclient.php"; depth:56; nocase; http.host; content:"goldenringsoman.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test/administrator/components/com_actionlogs/src/controller/controller.php"; depth:75; nocase; http.host; content:"uranustechnepal.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"sanicorpec.com"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/genus-solar-rooftop/plugins/slick/fonts/fonts.php"; depth:50; nocase; http.host; content:"www.genusinnovation.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/ultimate_vc_addons/admin/bsf-analytics/assets/css/minified/minified.js"; depth:90; nocase; http.host; content:"iaces.es"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-includes/simplepie/content/type/type.php"; depth:44; nocase; http.host; content:"burialinsurancepro.org"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/all-in-one-wp-migration/lib/vendor/bandar/bandar.php"; depth:72; nocase; http.host; content:"www.concretosflorense.com.br"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/astra-sites/admin/bsf-analytics/assets/css/minified/minified.php"; depth:84; nocase; http.host; content:"cyberuonline.rsu.ac.th"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/administrator/components/com_admin/views/sysinfo/tmpl/tmpl.php"; depth:63; nocase; http.host; content:"clear.community"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/advanced-nocaptcha-recaptcha/freemius/templates/account/partials/partials.php"; depth:89; nocase; http.host; content:"www.batondejoie.fr"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/admin-menu-editor-pro/modules/highlight-new-menus/assets/assets.php"; depth:87; nocase; http.host; content:"v.elegantchina.net"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en/wp-admin/css/colors/blue/blue.php"; depth:37; nocase; http.host; content:"www.itenas.ac.id"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; 
sid:91238114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyfour/assets/fonts/cardo/cardo.php"; depth:64; nocase; http.host; content:"thzweb.freesite.host"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/layerslider/assets/static/dashicons/dashicons.php"; depth:69; nocase; http.host; content:"soundculture.pl"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin/css/colors/blue/blue.php"; depth:34; nocase; http.host; content:"calendar-pro.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/backup-1477507809-wp-includes/requests/exception/http/http.php"; depth:63; nocase; http.host; content:"carolgraceserves.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238110/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_09; classtype:trojan-activity; sid:91238110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/plugins/adthrive/components/static-files/partials/adcentric/adcentric.php"; depth:85; nocase; http.host; content:"182.92.201.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blog/wp-content/plugins/iwp-client/lib/dropbox/oauth/consumer/consumer.php"; depth:75; nocase; http.host; content:"www.dewildepinchetti.com"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238109; rev:1;) alert tcp $HOME_NET any -> [192.210.236.218] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238108; rev:1;) alert tcp $HOME_NET any -> [110.139.46.105] 36969 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_09; classtype:trojan-activity; sid:91238107; rev:1;) alert tcp $HOME_NET any -> [137.220.197.155] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238106/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238106; rev:1;) alert tcp $HOME_NET any -> [72.69.74.23] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238105/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_09; classtype:trojan-activity; sid:91238105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gamebigloadwindowscdnuploadstemporary.php"; depth:42; nocase; http.host; content:"265003cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.101] 11084 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238102; rev:1;) alert tcp $HOME_NET any -> [116.196.106.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; 
content:"18.118.35.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238099; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"134.122.75.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238098; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238096; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238095; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238094/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238094; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238093; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 17888 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238092; rev:1;) alert tcp $HOME_NET any -> [159.112.177.137] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238091; rev:1;) alert tcp $HOME_NET any -> [88.214.25.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/v10.6/w2ge3sc8"; depth:24; nocase; http.host; content:"88.214.25.254"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238089; rev:1;) alert tcp $HOME_NET 
any -> [40.86.174.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238088; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"159.112.177.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"146.235.52.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"update.westus.cloudapp.azure.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus.cloudapp.azure.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238085/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update37.eastus.cloudapp.azure.com"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"update37.eastus.cloudapp.azure.com"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msdn1357.centralus.cloudapp.azure.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238080; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"msupdate.brazilsouth.cloudapp.azure.com"; depth:39; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238078; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238077/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238077; rev:1;) alert tcp $HOME_NET any -> [18.118.35.133] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238074; rev:1;) alert tcp $HOME_NET any -> [139.84.237.229] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238067; rev:1;) alert tcp $HOME_NET any -> [104.129.55.104] 2223 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1238068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238068; rev:1;) alert tcp $HOME_NET any -> [37.60.242.85] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238069; rev:1;) alert tcp $HOME_NET any -> [95.179.191.137] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238070; rev:1;) alert tcp $HOME_NET any -> [65.20.66.218] 5938 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238071; rev:1;) alert tcp $HOME_NET any -> [158.220.80.157] 9785 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238072; rev:1;) alert tcp $HOME_NET any -> [104.129.55.103] 2224 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9/gate.php"; depth:11; nocase; http.host; content:"couriercare.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"keywordslive.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gardenplaid.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gibbselectrics.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"gloverstech.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"investechnical.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brookselectrics.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238030; rev:1;) alert tcp $HOME_NET any -> [85.239.243.155] 5000 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238043; rev:1;) alert tcp $HOME_NET any -> [41.99.49.71] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238042; rev:1;) alert tcp $HOME_NET any -> [121.121.101.33] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238041; rev:1;) alert tcp $HOME_NET any -> [69.58.144.52] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91238040; rev:1;) alert tcp $HOME_NET any -> [45.243.131.12] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238039; rev:1;) alert tcp $HOME_NET any -> [86.194.132.111] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238038; rev:1;) alert tcp $HOME_NET any -> [46.19.67.107] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238037; rev:1;) alert tcp $HOME_NET any -> [40.113.39.99] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238036; rev:1;) alert tcp $HOME_NET any -> [78.45.49.197] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238035; rev:1;) alert tcp $HOME_NET any -> [32.143.50.222] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238034; rev:1;) alert tcp $HOME_NET any -> [185.62.57.11] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238033; rev:1;) alert tcp $HOME_NET any -> [49.13.149.129] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238032; rev:1;) alert tcp $HOME_NET any -> [37.152.191.55] 7777 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238031; rev:1;) alert tcp $HOME_NET any -> [45.93.20.76] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238024/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91238024; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238023; rev:1;) alert tcp $HOME_NET any -> [45.95.146.22] 42421 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - 
confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91238022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tjwz9/"; depth:7; nocase; http.host; content:"gloverstech.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238021; rev:1;) alert tcp $HOME_NET any -> [54.224.134.117] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238020/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238020; rev:1;) alert tcp $HOME_NET any -> [158.220.80.167] 2967 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"107.174.253.49"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238018; rev:1;) alert tcp $HOME_NET any -> [107.174.253.49] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.fucksec.buzz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fucksec.buzz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1238016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyb/gate.php"; depth:15; nocase; http.host; content:"siteseoguide.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/better/multi2eternalrequest/6/mariadbuniversalmariadbexternal/tempdatalife/024update/auth/downloadsflower5downloads/dle/4temporarysql/apicpu53/wordpressdownloads.php"; depth:166; nocase; http.host; content:"185.16.39.248"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1238013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238013; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ponyd/gate.php"; depth:15; nocase; http.host; content:"6.magicalomaha.co"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238012; rev:1;)
# NOTE(review): sid 91238011 matches http.uri on "/" with depth:1 and no isdataat after it, so any
# request URI (they all begin with "/") satisfies the URI check; only the http.host match on
# 116.202.3.242 (exact, via isdataat:!1,relative) constrains it. Treat this as a host-level
# indicator rather than a path-specific one, and expect it to overlap with the ip:port rule
# sid 91238010 below when triaging.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.3.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1238011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238011; rev:1;)
alert tcp $HOME_NET any -> [116.202.3.242] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238010; rev:1;)
alert tcp $HOME_NET any -> [45.142.182.104] 15352 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238009; rev:1;)
alert tcp $HOME_NET any -> [8.130.79.120] 8003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1238008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91238008; rev:1;) alert tcp $HOME_NET any -> [2.50.137.183] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238007; rev:1;) alert tcp $HOME_NET any -> [170.64.155.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238006; rev:1;) alert tcp $HOME_NET any -> [138.68.141.212] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238005; rev:1;) alert tcp $HOME_NET any -> [3.65.82.134] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238004; rev:1;) alert tcp $HOME_NET any -> [118.193.38.211] 54322 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238003; rev:1;) alert tcp $HOME_NET any -> [159.203.160.168] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238002; rev:1;) alert tcp $HOME_NET any -> [51.75.194.165] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238001; rev:1;) alert tcp $HOME_NET any -> [171.35.43.158] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1238000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91238000; rev:1;) alert tcp $HOME_NET any -> [35.158.74.188] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.g-a.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"findajobforme.linkedin.loginfor.me"; depth:34; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1237997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ssl.g-a.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237996; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.g-a.fun"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237994; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clients5.g-a.fun"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237995; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xenodochial-austin.142-11-199-59.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237993; rev:1;) alert tcp $HOME_NET any -> [178.79.138.91] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237992; rev:1;) alert tcp $HOME_NET any -> [121.127.252.248] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237991; rev:1;) alert tcp $HOME_NET any -> [149.104.27.224] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237990; rev:1;) alert tcp $HOME_NET any -> [103.16.224.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237989; rev:1;) alert tcp $HOME_NET any -> [51.77.121.144] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237988; rev:1;) alert tcp $HOME_NET any -> [37.221.92.58] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237987; rev:1;) alert tcp $HOME_NET any -> [146.19.191.178] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237986; rev:1;) alert tcp $HOME_NET any -> [20.151.153.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237985; rev:1;) alert tcp $HOME_NET any -> [164.215.103.171] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237984; rev:1;) alert tcp $HOME_NET any -> [134.255.254.225] 5051 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237983; rev:1;) alert tcp $HOME_NET any -> [194.48.251.10] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237982; rev:1;) alert tcp $HOME_NET any -> [194.48.251.120] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237980; rev:1;) alert tcp $HOME_NET any -> 
[194.48.251.189] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap449572-1.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237979; rev:1;) alert tcp $HOME_NET any -> [154.61.74.84] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237978; rev:1;) alert tcp $HOME_NET any -> [181.161.3.29] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237976; rev:1;) alert tcp $HOME_NET any -> [114.104.183.54] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237977; rev:1;) alert tcp $HOME_NET any -> [194.147.140.234] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237975; rev:1;) alert tcp $HOME_NET any -> [185.78.76.85] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"photopoiskvk.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237972; rev:1;) alert tcp $HOME_NET any -> [3.79.194.172] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237971; rev:1;) alert tcp $HOME_NET any -> [191.7.32.19] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237970; rev:1;) alert tcp $HOME_NET any -> [93.123.39.192] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237969; rev:1;) alert tcp $HOME_NET any -> [94.156.69.93] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237967; rev:1;) alert tcp $HOME_NET any -> [194.26.192.66] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237968; rev:1;) alert tcp $HOME_NET any -> [94.177.106.44] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237966; rev:1;) alert tcp $HOME_NET any -> [164.92.189.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237965; rev:1;) alert tcp $HOME_NET any -> [80.90.179.251] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237964; rev:1;) alert tcp $HOME_NET any -> [185.81.157.179] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237963; rev:1;) alert tcp $HOME_NET any -> [187.24.66.48] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237962; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237960; rev:1;) alert tcp $HOME_NET any -> [181.235.80.187] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237961; rev:1;) alert tcp $HOME_NET any -> [154.16.67.94] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237958; rev:1;) alert tcp $HOME_NET any -> [46.246.82.3] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237959; rev:1;) alert tcp $HOME_NET any -> [93.242.137.1] 51124 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237957; rev:1;) alert tcp $HOME_NET any -> [154.212.145.72] 8008 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237956; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237954; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237955; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237953; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237951; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1883 
(msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237952; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237950; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237948; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237949; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237947; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237945/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237945; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237946; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1756 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237944; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237943; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237941; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237942; rev:1;) alert tcp $HOME_NET any -> [187.135.146.194] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237940; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237939; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237938; rev:1;) alert tcp $HOME_NET any -> [196.235.104.22] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237936; rev:1;) alert tcp $HOME_NET any -> [43.128.85.89] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237937; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237935; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237934; rev:1;) alert tcp $HOME_NET any -> [205.234.233.180] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237933; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237931; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237932; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237930; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237929; rev:1;) alert tcp $HOME_NET any -> [120.48.96.69] 9001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237928; rev:1;) alert tcp $HOME_NET any -> [65.20.81.7] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237926; rev:1;) alert tcp $HOME_NET any -> [94.156.69.169] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237927; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237925; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 1234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237923; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 
80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237924; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237922; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237921; rev:1;) alert tcp $HOME_NET any -> [8.137.50.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237919; rev:1;) alert tcp $HOME_NET any -> [79.132.140.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237920; rev:1;) alert tcp $HOME_NET any -> [81.56.212.102] 49443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237918/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237918; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237917; rev:1;) alert tcp $HOME_NET any -> [47.98.178.246] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237915; rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237916; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237914; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237913; rev:1;) alert tcp $HOME_NET any -> [213.109.202.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237912; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gifted-khayyam.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237910; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-brattain.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237911; rev:1;) alert tcp $HOME_NET any -> [49.232.220.17] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237909; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucid-albattani.104-168-102-175.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bold-clarke.104-168-102-175.plesk.page"; depth:38; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.priceless-bose.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237907; rev:1;) alert tcp $HOME_NET any -> [5.42.65.38] 46185 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237905; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237904; rev:1;) alert tcp $HOME_NET any -> [103.186.117.77] 1760 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237903; rev:1;) alert tcp $HOME_NET any -> [45.81.23.13] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237862; rev:1;) alert tcp $HOME_NET any -> [45.95.146.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237863; rev:1;) alert tcp $HOME_NET any -> [89.190.156.172] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237864; rev:1;) alert tcp $HOME_NET any -> [89.190.156.173] 1306 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237865; rev:1;) alert tcp $HOME_NET any -> [89.190.156.174] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237866; rev:1;) alert tcp $HOME_NET any -> [89.190.156.175] 1517 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237867; rev:1;) alert tcp $HOME_NET any -> [89.190.156.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237868; rev:1;) alert tcp $HOME_NET any -> [89.190.156.182] 1725 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237869; rev:1;) alert tcp $HOME_NET any -> [89.190.156.253] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237871; rev:1;) alert tcp $HOME_NET any -> [89.190.156.211] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237870; rev:1;) alert tcp $HOME_NET any -> [185.224.128.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237872; rev:1;) alert tcp $HOME_NET any -> [185.224.128.50] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237873; rev:1;) alert tcp $HOME_NET any -> [185.224.128.51] 1435 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237874; rev:1;) alert tcp $HOME_NET any -> [185.224.128.52] 2053 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237875; rev:1;) alert tcp $HOME_NET any -> [185.224.128.53] 2079 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237876; rev:1;) alert tcp $HOME_NET any -> [185.224.128.54] 1629 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237877; rev:1;) alert tcp $HOME_NET any -> [185.224.128.55] 1713 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknopark.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmteknokalak.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owuyyziynzhjmjk4/"; depth:18; nocase; http.host; content:"sybrstrmtdiyari.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanser.xyz"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1237882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ywfim2vkmmfmnwfh/"; depth:18; nocase; http.host; content:"jolaxodanserxyz.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237883; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.net"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; 
sid:91237887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzbkmwe2zdm0mwe2/"; depth:18; nocase; http.host; content:"hk-49847.xyz"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237888; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237894; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 12609 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237895/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237895; rev:1;) alert tcp $HOME_NET any -> [3.133.207.110] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237902; rev:1;) alert tcp $HOME_NET any -> [94.156.64.202] 4036 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237901; rev:1;) alert tcp $HOME_NET any -> [103.186.117.181] 1775 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237900; rev:1;) alert tcp $HOME_NET any -> [3.136.65.236] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237899; rev:1;) alert tcp $HOME_NET any -> [3.131.147.49] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237898; rev:1;) alert tcp $HOME_NET any -> [3.138.180.119] 16825 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalgameserveruniversal.php"; depth:31; nocase; http.host; content:"103761cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237896; rev:1;) alert tcp $HOME_NET any -> [80.66.66.97] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237893; rev:1;) alert tcp $HOME_NET any -> [5.42.65.38] 2642 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mod/resellers/2e4wlr6u3uv"; depth:26; nocase; http.host; content:"172.200.160.7"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237890; rev:1;) alert tcp $HOME_NET any -> [172.200.160.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237891; rev:1;) alert tcp $HOME_NET any -> [34.147.242.231] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237889; rev:1;) alert tcp $HOME_NET any -> [185.172.128.136] 32260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237861/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_08; classtype:trojan-activity; sid:91237861; rev:1;) alert tcp $HOME_NET any -> [95.217.243.137] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237860; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.137"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237859; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.209.125"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.33.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; 
content:"116.202.184.165"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.108.242"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237853; rev:1;) alert tcp $HOME_NET any -> [49.13.33.99] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237848; rev:1;) alert tcp $HOME_NET any -> [5.75.211.127] 443 (msg:"ThreatFox Vidar botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237849; rev:1;) alert tcp $HOME_NET any -> [88.198.108.242] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237850; rev:1;) alert tcp $HOME_NET any -> [5.75.209.125] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237851; rev:1;) alert tcp $HOME_NET any -> [116.202.0.229] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237852; rev:1;) alert tcp $HOME_NET any -> [116.202.184.165] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237847; rev:1;) alert tcp $HOME_NET any -> [45.11.180.127] 3120 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; 
classtype:trojan-activity; sid:91237846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tosecurepacketgeocpuauthsqlwindowspublictemp.php"; depth:49; nocase; http.host; content:"553689cm.nyashsens.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kiwtreyy456rwty.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237842; rev:1;) alert tcp $HOME_NET any -> [5.180.155.218] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237844; rev:1;) alert tcp $HOME_NET any -> [185.81.157.14] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g8samsa2/index.php"; depth:19; nocase; http.host; content:"5.42.66.32"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237841/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237841; rev:1;) alert tcp $HOME_NET any -> [193.111.248.167] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237840; rev:1;) alert tcp $HOME_NET any -> [189.140.16.135] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237839; rev:1;) alert tcp $HOME_NET any -> [176.44.89.132] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237838; rev:1;) alert tcp $HOME_NET any -> [201.124.86.37] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237837; rev:1;) alert tcp $HOME_NET any -> [145.82.129.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237836; rev:1;) alert tcp $HOME_NET any -> [49.12.7.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237835; rev:1;) alert tcp $HOME_NET any -> [172.105.14.104] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237834; rev:1;) alert tcp $HOME_NET any -> [51.15.235.86] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237833; rev:1;) alert tcp $HOME_NET any -> [31.220.80.82] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237832; rev:1;) alert tcp $HOME_NET any -> [209.127.186.234] 64242 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237831; rev:1;) alert tcp $HOME_NET any -> [43.198.240.228] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237830; rev:1;) alert tcp $HOME_NET any -> [82.146.39.80] 7443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237829; rev:1;) alert tcp $HOME_NET any -> [46.183.220.203] 40935 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237828; rev:1;) alert tcp $HOME_NET any -> [5.42.67.14] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237827; rev:1;) alert tcp $HOME_NET any -> [103.67.196.125] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237826/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/doctr8fb7z9/index.php"; depth:22; nocase; http.host; content:"5.42.67.14"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237825; rev:1;) alert tcp $HOME_NET any -> [5.255.113.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237805/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237805; rev:1;) alert tcp $HOME_NET any -> [5.255.126.243] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237806/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237806; rev:1;) alert tcp $HOME_NET any -> [45.59.118.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237807/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237807; rev:1;) alert tcp $HOME_NET any -> [185.99.133.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237809/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237809; rev:1;) alert tcp $HOME_NET any -> [5.230.74.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237804/; target:src_ip; metadata: 
confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237804; rev:1;) alert tcp $HOME_NET any -> [146.19.143.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237808/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237808; rev:1;) alert tcp $HOME_NET any -> [5.101.44.49] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237802/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237802; rev:1;) alert tcp $HOME_NET any -> [5.230.68.180] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237803/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/9659650c81ce1b984c58.js"; depth:24; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lbk9ko6q3vnxkieio4arsueqh7l82d/o+dxbsug="; depth:41; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1237778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aitcaid.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pluralism.themancav.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/25012024.js"; depth:12; nocase; http.host; content:"mwasro.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237781; rev:1;) alert tcp $HOME_NET any -> [193.233.132.64] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237791; rev:1;) alert tcp $HOME_NET any -> [45.134.26.17] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237792; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237794; rev:1;) alert tcp $HOME_NET any -> [193.233.132.135] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237793; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237795; rev:1;) alert tcp $HOME_NET any -> [185.215.113.67] 26260 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237800; rev:1;) alert tcp $HOME_NET any -> [185.106.102.82] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237810/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_08; classtype:trojan-activity; sid:91237810; rev:1;) 
alert tcp $HOME_NET any -> [5.255.113.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237811/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237811; rev:1;) alert tcp $HOME_NET any -> [193.168.143.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 85%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237812/; target:src_ip; metadata: confidence_level 85, first_seen 2024_02_08; classtype:trojan-activity; sid:91237812; rev:1;) alert tcp $HOME_NET any -> [15.204.245.61] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_08; classtype:trojan-activity; sid:91237816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"195.20.16.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237823; rev:1;) alert tcp $HOME_NET any -> [47.115.203.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237822/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237822; rev:1;) alert tcp $HOME_NET any -> [52.144.124.61] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237821; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237820; rev:1;) alert tcp $HOME_NET any -> [47.104.232.113] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237819; rev:1;) alert tcp $HOME_NET any -> [121.36.226.214] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cd43986.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_08; classtype:trojan-activity; sid:91237817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; 
http.host; content:"27.215.214.58"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_08; classtype:trojan-activity; sid:91237815; rev:1;) alert tcp $HOME_NET any -> [111.230.12.198] 8071 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_08; classtype:trojan-activity; sid:91237814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0915140.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237813; rev:1;) alert tcp $HOME_NET any -> [90.15.154.112] 4789 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7b7c07c1b3625773.php"; depth:21; nocase; http.host; content:"193.187.174.182"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237799; rev:1;) alert tcp $HOME_NET any -> [23.101.122.219] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download/"; depth:10; nocase; http.host; content:"173.212.224.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237797; rev:1;) alert tcp $HOME_NET any -> [103.86.130.84] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237796/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237796; rev:1;) alert tcp $HOME_NET any -> [178.73.218.9] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237790; rev:1;) alert tcp $HOME_NET any -> [181.141.40.28] 4433 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237789; rev:1;) alert tcp $HOME_NET any -> [60.241.11.63] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237788/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237788; rev:1;) alert tcp $HOME_NET any -> [188.25.142.172] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237787; rev:1;) alert tcp $HOME_NET any -> [149.109.109.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237786; rev:1;) alert tcp $HOME_NET any -> [154.247.41.221] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237785; rev:1;) alert tcp $HOME_NET any -> [99.83.220.181] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237784; rev:1;) alert tcp $HOME_NET any -> [172.245.156.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"194.26.135.115"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"du7wh8bicca0t.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237774; rev:1;) alert tcp $HOME_NET any -> [3.208.85.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/2k69twx54rr2wjefwla6zyrx9va"; depth:45; nocase; http.host; content:"du7wh8bicca0t.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237772; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"64.226.76.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mythic-slender.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237768; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 12555 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lookup-domain.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237752/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.canopusacrux.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"qltuh.shadowflameartisan.top"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"new-bestfortunes.life"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"re-captha-version-3-21.icu"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"webdatatrace.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentyseventeen/et3tah.php"; depth:45; nocase; http.host; content:"www.dicatindustrial.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/3jubhh.php"; depth:45; nocase; http.host; content:"jubileemovement.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwenty/zaevgn.php"; depth:42; nocase; http.host; content:"helpforhypnotherapists.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/css/oxewdf.php"; depth:22; nocase; http.host; content:"emprendi2.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/themes/twentytwentyone/vu0bkq.php"; depth:45; nocase; http.host; content:"1oneventos.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1oneventos.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emprendi2.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpforhypnotherapists.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237760; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jubileemovement.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237761; rev:1;)
# ---------------------------------------------------------------------------
# NOTE(review): reading guide for the entries below (every rule in this span
# carries first_seen 2024_02_07).
#  * "alert tcp $HOME_NET any -> [ip] port" rules have no flow: keyword and no
#    content match, so a single outbound SYN from $HOME_NET toward the ip:port
#    is enough to alert; "threshold: type limit, track by_src, seconds 60,
#    count 1" then caps output at one alert per internal source per minute,
#    per rule.  If half-open probes or blocked connection attempts are noisy,
#    add flow:established,to_server in a local copy rather than editing the
#    feed.
#  * "dns_query; content:...; depth:N; fast_pattern; isdataat:!1,relative;
#    nocase" is an anchored, exact (case-insensitive) match on the whole
#    queried name - N equals the length of the literal and nothing may
#    follow it.  A different label prefix (e.g. www.) needs its own entry and
#    is listed separately where the feed has one.
#  * "target:src_ip" marks the $HOME_NET side as the victim; triage on the
#    internal source host, not on the destination.
#  * The confidence value is the ThreatFox reporter's rating, not a measured
#    false-positive rate; the reference:url ioc id is the pivot for who
#    submitted the indicator and with what context.
# ---------------------------------------------------------------------------
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dicatindustrial.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237762; rev:1;)
alert tcp $HOME_NET any -> [193.161.193.99] 30650 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237751; rev:1;)
alert tcp $HOME_NET any -> [218.156.253.232] 80 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237750/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237750; rev:1;)
alert tcp $HOME_NET any -> [74.81.37.165] 666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237749; rev:1;)
alert tcp $HOME_NET any -> [192.169.69.26] 64418 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237739; rev:1;)
# NOTE(review): the four URL rules below are two distinct host+URI pairs, each
# published twice under separate ioc ids (1237747 and 1237745 -> autogrant.pw,
# 1237748 and 1237746 -> bytehom.online).  One matching request will raise two
# alerts; dedupe by SID downstream if double-counting matters.  The http.uri
# match is a 22-byte prefix with no isdataat after it, so a trailing query
# string still matches, while http.host is an exact match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237747/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237748/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"bytehom.online"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237746/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tprobuzixc8/index.php"; depth:22; nocase; http.host; content:"autogrant.pw"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237745/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237745; rev:1;)
alert tcp $HOME_NET any -> [107.174.138.159] 1900 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237744/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237744; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.32] 36599 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237743; rev:1;)
alert tcp $HOME_NET any -> [84.17.61.179] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237742/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237742; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.26] 7766 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237741; rev:1;)
alert tcp $HOME_NET any -> [155.254.24.167] 5400 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237740; rev:1;)
# NOTE(review): the next seventeen entries (ioc 1237738 down to 1237722) are
# tagged "Unknown malware" - mostly ports 3333, 4444 and 443 - with no family
# attribution despite confidence 100.  Treat them as hunt-grade rather than
# block-grade, and read the submitter's context on the ioc page before acting
# on a hit; several of the listed addresses look like hosting/cloud space
# (presumably reassignable - confirm before adding to a blocklist).
alert tcp $HOME_NET any -> [125.16.112.10] 33333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237738; rev:1;)
alert tcp $HOME_NET any -> [162.19.246.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237737; rev:1;)
alert tcp $HOME_NET any -> [64.227.96.80] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237736; rev:1;)
alert tcp $HOME_NET any -> [13.126.10.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237735; rev:1;)
alert tcp $HOME_NET any -> [142.93.31.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237734; rev:1;)
alert tcp $HOME_NET any -> [18.197.24.167] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237733; rev:1;)
alert tcp $HOME_NET any -> [52.77.99.94] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237732; rev:1;)
alert tcp $HOME_NET any -> [146.235.47.45] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237731; rev:1;)
alert tcp $HOME_NET any -> [64.226.125.104] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237730; rev:1;)
alert tcp $HOME_NET any -> [51.144.174.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237729; rev:1;)
alert tcp $HOME_NET any -> [16.171.24.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237728; rev:1;)
alert tcp $HOME_NET any -> [34.176.172.223] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237727; rev:1;)
alert tcp $HOME_NET any -> [35.158.74.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237726; rev:1;)
alert tcp $HOME_NET any -> [138.197.47.129] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237725; rev:1;)
alert tcp $HOME_NET any -> [20.53.247.128] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237724; rev:1;)
alert tcp $HOME_NET any -> [3.82.152.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237723; rev:1;)
alert tcp $HOME_NET any -> [34.202.144.74] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237722; rev:1;)
# NOTE(review): cranky-easley, awesome-villani and www.admiring-pascal all sit
# under 142-11-199-59.plesk.page - the dashed label looks like the host's own
# address (142.11.199.59) embedded in a Plesk-style preview name.  Only the
# exact names listed match; the bare address is not covered by any rule in
# this span.  The same shape recurs below for 164-92-180-123 and for
# 142-202-191-144, the latter also appearing as a Quasar RAT ip:port rule on
# 142.202.191.144:443.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cranky-easley.142-11-199-59.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237721; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deenpel.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"awesome-villani.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237719; rev:1;)
alert tcp $HOME_NET any -> [64.226.76.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237717/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.admiring-pascal.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237718; rev:1;)
alert tcp $HOME_NET any -> [43.139.175.28] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237716; rev:1;)
alert tcp $HOME_NET any -> [121.40.146.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/massaction.html"; depth:16; nocase; http.host; content:"0.0xo.lat"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237714; rev:1;)
alert tcp $HOME_NET any -> [156.227.6.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237713; rev:1;)
alert tcp $HOME_NET any -> [172.206.26.225] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237712; rev:1;)
alert tcp $HOME_NET any -> [167.172.131.98] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237711; rev:1;)
alert tcp $HOME_NET any -> [164.90.246.103] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237710; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"web-panel.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237709; rev:1;)
alert tcp $HOME_NET any -> [51.77.121.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237708; rev:1;)
alert tcp $HOME_NET any -> [23.26.247.122] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237707; rev:1;)
alert tcp $HOME_NET any -> [45.77.240.70] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3psilonapi.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237705; rev:1;)
# NOTE(review): the two ec2-*.compute-1.amazonaws.com names below are
# provider-style reverse names tied to an instance address; such addresses are
# presumably reassignable, so expect these indicators to go stale quickly and
# check the ioc page before adding them to a block list.  An exact dns_query
# match on the name is low-noise, but a hit says little about which tenant
# currently holds the address.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-210-242-78.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237704; rev:1;)
alert tcp $HOME_NET any -> [54.86.17.63] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-237-138-159.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237703; rev:1;)
alert tcp $HOME_NET any -> [185.221.198.84] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237701; rev:1;)
alert tcp $HOME_NET any -> [85.105.91.170] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237700; rev:1;)
alert tcp $HOME_NET any -> [147.50.240.224] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237699; rev:1;)
alert tcp $HOME_NET any -> [47.92.123.66] 1311 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237697; rev:1;)
alert tcp $HOME_NET any -> [45.112.205.126] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-mcnulty.164-92-180-123.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237695; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.23-26-55-9.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237696; rev:1;)
alert tcp $HOME_NET any -> [122.114.156.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237694; rev:1;)
alert tcp $HOME_NET any -> [40.90.255.165] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237693; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goofy-satoshi.142-202-191-144.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237692; rev:1;)
alert tcp $HOME_NET any -> [142.202.191.144] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237691; rev:1;)
alert tcp $HOME_NET any -> [45.195.198.204] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237689; rev:1;)
alert tcp $HOME_NET any -> [79.109.104.58] 2222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237690; rev:1;)
alert tcp $HOME_NET any -> [167.86.86.15] 1010 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237688; rev:1;)
alert tcp $HOME_NET any -> [8.222.144.134] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237687; rev:1;)
alert tcp $HOME_NET any -> [14.225.210.222] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237686; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.135] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237684; rev:1;)
alert tcp $HOME_NET any -> [45.134.26.17] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237685; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d.kfaaa.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237683; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.225] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237682; rev:1;)
alert tcp $HOME_NET any -> [35.246.175.130] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237681; rev:1;)
alert tcp $HOME_NET any -> [154.91.83.247] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237680; rev:1;)
alert tcp $HOME_NET any -> [185.216.70.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237679; rev:1;)
# NOTE(review): the AsyncRAT block below lists the same few ports (6606, 7707,
# 8808) across several hosts, and 185.81.157.179 / 185.81.157.104 /
# 107.161.81.150 each get two or three separate ip:port rules.  Because the
# threshold is tracked per rule, an implant that rotates through those ports
# on one host will raise one alert per port, not one per host.
alert tcp $HOME_NET any -> [185.81.157.179] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237678; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.179] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237677; rev:1;)
alert tcp $HOME_NET any -> [45.145.55.81] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237676; rev:1;)
alert tcp $HOME_NET any -> [172.96.172.203] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237675; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237673; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237674; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.104] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237672; rev:1;)
alert tcp $HOME_NET any -> [161.97.151.222] 2011 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237671; rev:1;)
alert tcp $HOME_NET any -> [45.141.215.222] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237670; rev:1;)
alert tcp $HOME_NET any -> [107.161.81.150] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237669; rev:1;)
alert tcp $HOME_NET any -> [107.161.81.150] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237668; rev:1;)
alert tcp $HOME_NET any -> [78.161.49.74] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237667; rev:1;)
alert tcp $HOME_NET any -> [20.253.24.99] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237666/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237666; rev:1;)
alert tcp $HOME_NET any -> [34.162.154.209] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237665/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237665; rev:1;)
alert tcp $HOME_NET any -> [62.113.115.249] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237664/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237664; rev:1;)
alert tcp $HOME_NET any -> [67.217.228.4] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237663/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_07; classtype:trojan-activity; sid:91237663; rev:1;)
# NOTE(review): 187.135.83.117 gets fourteen separate DarkComet ip:port rules
# (ports 1718 through 2181, one SID per ioc id).  Thresholding is per rule, so
# one internal host touching several of these ports produces one alert per
# port; a single rule with a port list would be tighter, but is left as
# published so each SID keeps its own reference:url.
alert tcp $HOME_NET any -> [187.135.83.117] 2177 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237662; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237661; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237659; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237660; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237658; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237657; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237655; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237656; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237654; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1901 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237653; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237652; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237650; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237651; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237649; rev:1;)
alert tcp $HOME_NET any -> [154.223.17.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237648; rev:1;)
alert tcp $HOME_NET any -> [34.149.60.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237647; rev:1;)
alert tcp $HOME_NET any -> [173.212.224.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237646; rev:1;)
alert tcp $HOME_NET any -> [117.72.36.211] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237645; rev:1;)
alert tcp $HOME_NET any -> [205.234.233.180] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237644; rev:1;)
alert tcp $HOME_NET any -> [175.178.175.168] 9100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237643; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"98.lan-za2-1.static.rozabg.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237642; rev:1;)
# NOTE(review): 94.156.65.98 is covered on both 443 and 80 by separate SIDs;
# the 443 rule is a bare ip:port match with no TLS/SNI inspection, so a hit on
# it is a connection attempt, not a confirmed beacon.
alert tcp $HOME_NET any -> [94.156.65.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237641; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.98] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237640; rev:1;)
alert tcp $HOME_NET any -> [114.116.18.42] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237639; rev:1;) alert tcp $HOME_NET any -> [45.131.132.55] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237638; rev:1;) alert tcp $HOME_NET any -> [121.40.185.132] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"priceless-bose.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237636; rev:1;) alert tcp $HOME_NET any -> [103.35.191.158] 5344 (msg:"ThreatFox XpertRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237635; rev:1;) alert tcp $HOME_NET any -> [103.86.130.61] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237634/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237634; rev:1;) alert tcp $HOME_NET any -> [34.32.44.11] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237633/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237633; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"39.174.238.52"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237632/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pastratas.ac.ug"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237631; rev:1;) alert tcp $HOME_NET any -> [165.232.113.85] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237630/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237630; rev:1;) alert tcp $HOME_NET any -> [82.147.85.148] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237629/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237629; rev:1;) alert tcp $HOME_NET any -> [42.3.134.97] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237628/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237628; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"42.3.134.97"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237627; rev:1;) alert tcp $HOME_NET any -> [179.60.147.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237626; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; content:"zx.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237625; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; 
content:"as.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.regcssv.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237621; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fam_calendar"; depth:13; nocase; http.host; content:"qw.regcssv.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237620; rev:1;) alert tcp $HOME_NET any -> [103.86.131.70] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237619/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237619; rev:1;) alert tcp $HOME_NET any -> [103.186.117.232] 1985 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237618; rev:1;) alert tcp $HOME_NET any -> [194.143.146.147] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237608; rev:1;) alert tcp $HOME_NET any -> [194.143.146.141] 1521 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237609; rev:1;) alert tcp $HOME_NET any -> [194.143.146.152] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237610; rev:1;) alert tcp $HOME_NET any -> [87.121.112.29] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237611; rev:1;) alert tcp $HOME_NET any -> [87.121.112.41] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237612; rev:1;) alert tcp $HOME_NET any -> 
[195.14.123.125] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237613; rev:1;) alert tcp $HOME_NET any -> [195.14.123.126] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237614; rev:1;) alert tcp $HOME_NET any -> [51.195.61.8] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237615; rev:1;) alert tcp $HOME_NET any -> [195.85.114.141] 65535 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237616; rev:1;) alert tcp $HOME_NET any -> [185.196.10.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237617; rev:1;) alert tcp $HOME_NET any -> [193.233.132.169] 2880 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237607; rev:1;) alert tcp $HOME_NET any -> [185.74.222.151] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237603; rev:1;) alert tcp $HOME_NET any -> [80.92.206.176] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237604; rev:1;) alert tcp $HOME_NET any -> [74.119.193.126] 1297 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237605; rev:1;) alert tcp $HOME_NET any -> [94.131.13.80] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237606; rev:1;) alert tcp $HOME_NET any -> [204.76.203.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237509; rev:1;) alert tcp $HOME_NET any -> [62.72.185.36] 1311 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237510; rev:1;) alert tcp $HOME_NET any -> [62.72.185.39] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237511; rev:1;) alert tcp $HOME_NET any -> [62.72.185.40] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237513; rev:1;) alert tcp $HOME_NET any -> [62.72.185.35] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237515; rev:1;) alert tcp $HOME_NET any -> [62.72.185.25] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237518; rev:1;) alert tcp $HOME_NET any -> [204.76.203.52] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237519/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237519; rev:1;) alert tcp $HOME_NET any -> [62.72.185.27] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237520; rev:1;) alert tcp $HOME_NET any -> [62.72.185.12] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237521; rev:1;) alert tcp $HOME_NET any -> [204.76.203.51] 1307 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237522; rev:1;) alert tcp $HOME_NET any -> [204.76.203.49] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237523; rev:1;) alert tcp $HOME_NET any -> [204.76.203.56] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237524; rev:1;) alert tcp $HOME_NET any -> [62.72.185.49] 61616 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237525; rev:1;) alert tcp $HOME_NET any -> [62.72.185.46] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237526; rev:1;) alert tcp $HOME_NET any -> [85.204.116.128] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237598; rev:1;) alert tcp $HOME_NET any -> [204.76.203.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237527; rev:1;) alert tcp $HOME_NET any -> [204.76.203.32] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237528; rev:1;) alert tcp $HOME_NET any -> [85.204.116.230] 1287 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237599/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237599; rev:1;) alert tcp $HOME_NET any -> [85.204.116.237] 1284 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237600; rev:1;) alert tcp $HOME_NET any -> [85.204.116.247] 1295 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237601; rev:1;) alert tcp $HOME_NET any -> [85.204.116.24] 1293 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237602; rev:1;) alert tcp $HOME_NET any -> [204.76.203.55] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237529; rev:1;) alert tcp $HOME_NET any -> [62.72.185.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237530; rev:1;) alert tcp $HOME_NET any -> [204.76.203.20] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237531; rev:1;) alert tcp $HOME_NET any -> [204.76.203.48] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237532; rev:1;) alert tcp $HOME_NET any -> [204.76.203.156] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237534; rev:1;) alert tcp $HOME_NET any -> [204.76.203.30] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237533; rev:1;) alert tcp $HOME_NET any -> [204.76.203.57] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237535; rev:1;) alert tcp $HOME_NET any -> [204.76.203.21] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237538/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_07; classtype:trojan-activity; sid:91237538; rev:1;) alert tcp $HOME_NET any -> [204.76.203.58] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237536; rev:1;) alert tcp $HOME_NET any -> [204.76.203.31] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237537; rev:1;) alert tcp $HOME_NET any -> [204.76.203.42] 1332 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237539; rev:1;) alert tcp $HOME_NET any -> [62.72.185.26] 1303 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237540; rev:1;) alert tcp $HOME_NET any -> [62.72.185.28] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237541; rev:1;) alert tcp $HOME_NET any -> [204.76.203.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237542; rev:1;) alert tcp $HOME_NET any -> [204.76.203.36] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237543; rev:1;) alert tcp $HOME_NET any -> [204.76.203.45] 1433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237544; rev:1;) alert tcp $HOME_NET any -> [204.76.203.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237545; rev:1;) alert tcp $HOME_NET any -> [204.76.203.60] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237546; rev:1;) alert tcp $HOME_NET any -> [204.76.203.230] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237547; rev:1;) alert tcp $HOME_NET any -> [204.76.203.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237548; rev:1;) alert tcp $HOME_NET any -> [62.72.185.47] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237549; rev:1;) alert tcp $HOME_NET any -> [204.76.203.19] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237550; rev:1;) alert tcp $HOME_NET any -> [5.181.80.111] 1289 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237551; rev:1;) alert tcp $HOME_NET any -> [5.181.80.223] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237552; rev:1;) alert tcp $HOME_NET any -> [5.181.80.231] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237553; rev:1;) alert tcp $HOME_NET any -> [5.181.80.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237554; rev:1;) alert tcp $HOME_NET any -> [45.93.9.113] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237592; rev:1;) alert tcp $HOME_NET any -> [45.93.9.116] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237593; rev:1;) alert tcp $HOME_NET any -> [45.93.9.107] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237594; rev:1;) alert tcp $HOME_NET any -> [45.93.9.108] 1299 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237595; rev:1;) 
alert tcp $HOME_NET any -> [45.93.9.100] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237596; rev:1;) alert tcp $HOME_NET any -> [45.93.9.98] 1285 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237597; rev:1;) alert tcp $HOME_NET any -> [62.72.185.23] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237512; rev:1;) alert tcp $HOME_NET any -> [62.72.185.31] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237514; rev:1;) alert tcp $HOME_NET any -> [62.72.185.24] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237516; rev:1;) alert tcp $HOME_NET any -> [62.72.185.37] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237517; rev:1;) alert tcp $HOME_NET any -> [62.72.185.20] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237508; rev:1;) alert tcp $HOME_NET any -> [62.72.185.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237505; rev:1;) alert tcp $HOME_NET any -> [62.72.185.6] 1298 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237507; rev:1;) alert tcp $HOME_NET any -> [204.76.203.65] 1302 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237506; rev:1;) alert tcp $HOME_NET any -> [62.72.185.14] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237504; rev:1;) alert tcp $HOME_NET any -> [62.72.185.5] 1311 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237503; rev:1;) alert tcp $HOME_NET any -> [204.76.203.61] 1291 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237502; rev:1;) alert tcp $HOME_NET any -> [204.76.203.72] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237500; rev:1;) alert tcp $HOME_NET any -> [204.76.203.71] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237501; rev:1;) alert tcp $HOME_NET any -> [62.72.185.4] 1375 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237497; rev:1;) alert tcp $HOME_NET any -> [62.72.185.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237498/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237498; rev:1;) alert tcp $HOME_NET any -> [62.72.185.16] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237499; rev:1;) alert tcp $HOME_NET any -> [62.72.185.7] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237494; rev:1;) alert tcp $HOME_NET any -> [62.72.185.32] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237496; rev:1;) alert tcp $HOME_NET any -> [62.72.185.21] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237495; rev:1;) alert tcp $HOME_NET any -> [62.72.185.9] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237492; rev:1;) alert tcp $HOME_NET any -> [204.76.203.2] 1311 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237493; rev:1;) alert tcp $HOME_NET any -> [204.76.203.69] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237490; rev:1;) alert tcp $HOME_NET any -> [62.72.185.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237491; rev:1;) alert tcp $HOME_NET any -> [62.72.185.18] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237488; rev:1;) alert tcp $HOME_NET any -> [62.72.185.3] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237489; rev:1;) alert tcp $HOME_NET any -> [62.72.185.43] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237486/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_07; classtype:trojan-activity; sid:91237486; rev:1;) alert tcp $HOME_NET any -> [62.72.185.22] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237487; rev:1;) alert tcp $HOME_NET any -> [62.72.185.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237483; rev:1;) alert tcp $HOME_NET any -> [204.76.203.66] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237484; rev:1;) alert tcp $HOME_NET any -> [62.72.185.45] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237485; rev:1;) alert tcp $HOME_NET any -> [204.76.203.44] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237482; rev:1;) alert tcp $HOME_NET any -> [62.72.185.13] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237480; rev:1;) alert tcp $HOME_NET any -> [204.76.203.41] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237481; rev:1;) alert tcp $HOME_NET any -> [62.72.185.33] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237478; rev:1;) alert tcp $HOME_NET any -> [62.72.185.11] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237479; rev:1;) alert tcp $HOME_NET any -> [62.72.185.34] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237476; rev:1;) alert tcp $HOME_NET any -> [62.72.185.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; 
classtype:trojan-activity; sid:91237477; rev:1;) alert tcp $HOME_NET any -> [62.72.185.42] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237474; rev:1;) alert tcp $HOME_NET any -> [204.76.203.70] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237475; rev:1;) alert tcp $HOME_NET any -> [5.181.80.221] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237555; rev:1;) alert tcp $HOME_NET any -> [5.181.80.103] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237556; rev:1;) alert tcp $HOME_NET any -> [5.181.80.38] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237557; rev:1;) alert tcp $HOME_NET any -> [5.181.80.39] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237558; rev:1;) alert tcp $HOME_NET any -> [5.181.80.41] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237560; rev:1;) alert tcp $HOME_NET any -> [5.181.80.40] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237559; rev:1;) alert tcp $HOME_NET any -> [5.181.80.43] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237561; rev:1;) alert tcp $HOME_NET any -> [5.181.80.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237562; rev:1;) alert tcp $HOME_NET any -> [5.181.80.54] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237563; 
rev:1;) alert tcp $HOME_NET any -> [5.181.80.150] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237564; rev:1;) alert tcp $HOME_NET any -> [5.181.80.151] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237565; rev:1;) alert tcp $HOME_NET any -> [5.181.80.152] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237566; rev:1;) alert tcp $HOME_NET any -> [5.181.80.153] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237567; rev:1;) alert tcp $HOME_NET any -> [94.156.71.216] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237585; rev:1;) alert tcp $HOME_NET any -> [94.156.71.219] 1290 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1237582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237582; rev:1;) alert tcp $HOME_NET any -> [94.156.71.222] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237583; rev:1;) alert tcp $HOME_NET any -> [94.156.71.218] 1294 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237584; rev:1;) alert tcp $HOME_NET any -> [64.227.106.194] 1288 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237580; rev:1;) alert tcp $HOME_NET any -> [134.209.94.234] 1310 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237581; rev:1;) alert tcp $HOME_NET any -> [157.230.244.224] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237578; rev:1;) alert tcp $HOME_NET any 
-> [170.64.202.30] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237579; rev:1;) alert tcp $HOME_NET any -> [165.22.101.63] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237575; rev:1;) alert tcp $HOME_NET any -> [68.183.187.38] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237576; rev:1;) alert tcp $HOME_NET any -> [159.223.89.203] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237577; rev:1;) alert tcp $HOME_NET any -> [157.230.242.17] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237573; rev:1;) alert tcp $HOME_NET any -> [68.183.183.68] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237574; rev:1;) alert tcp $HOME_NET any -> [165.22.96.144] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237571; rev:1;) alert tcp $HOME_NET any -> [159.223.89.252] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237572; rev:1;) alert tcp $HOME_NET any -> [104.248.129.146] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237570; rev:1;) alert tcp $HOME_NET any -> [159.223.90.237] 1311 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237569; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237568/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237568; rev:1;) alert tcp $HOME_NET any -> [91.92.251.113] 61616 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237586; rev:1;) alert tcp $HOME_NET any -> [94.156.67.13] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237587; rev:1;) alert tcp $HOME_NET any -> [94.156.67.14] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237588; rev:1;) alert tcp $HOME_NET any -> [94.156.71.50] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237589; rev:1;) alert tcp $HOME_NET any -> [94.156.71.52] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237590; rev:1;) alert tcp $HOME_NET any -> [94.156.71.53] 61616 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237591/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237591; rev:1;)
# --- review notes for this stretch of the feed (sids 91237473 .. 91237370, first_seen 2024-02-06/07) ---
# Three generated rule shapes appear here, one per ThreatFox IOC type:
#   url     -> alert http: pins the GET request-target (http.uri, depth = strlen) and the exact
#              Host header (http.host + isdataat:!1,relative). Only plain-HTTP flows are parsed by
#              the http app-layer, so TLS C2 on 443 is NOT covered by these.
#   ip:port -> alert tcp with no flow: keyword, so the first packet towards that dst IP:port (a bare
#              SYN included) can alert; "threshold: type limit ... seconds 60, count 1" caps it at
#              one alert per source per minute.
#   domain  -> alert dns: exact match on the DNS query name (dns_query + depth + isdataat).
# confidence_level in metadata is the ThreatFox submitter's own score; the 50% entries below are
# low-confidence leads and should stay alert-only (never feed them straight into a block list).
# NOTE(review): `http.uri; content:"/"; depth:1` is satisfied by every origin-form request, so this
# rule (and the other "/"+host rules below) is effectively "any GET to this exact Host", not a
# specific URL. Acceptable for a whole-host IOC; just read the "url" in the msg accordingly.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.89.175.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237473; rev:1;)
# NOTE(review): sids 91237467-91237470 put the IOC host (IP or domain) in http.uri and have no
# http.host check. http.uri holds the request-target, which for ordinary origin-form requests begins
# with "/", so a content anchored at depth:13/17 on the bare host can only fire on absolute-form
# (proxy-style) request lines. Expect these four to be near-silent for direct client->C2 traffic;
# the http.host form used by the other url rules in this file is the useful match.
# 91237468 and 91237469 are also byte-identical matchers (two ThreatFox records for one URL), so a
# single request would raise both.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"65.21.133.187"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1237467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237467; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masjidalfurqon.id"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1237468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"masjidalfurqon.id"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1237469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237469; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.132.85"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1237470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237470; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.253.214.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237471; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"stutti.de"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237472; rev:1;)
alert tcp $HOME_NET any -> [185.236.228.203] 2024 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237466/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237466; rev:1;)
# NOTE(review): short GET paths such as /cm, /cx, /ca, /push, plus /updates.rss, /ie9compatviewlist.xml
# and /jquery-3.3.1.min.js further down, are consistent with Cobalt Strike default / public
# malleable-profile URIs (117.50.162.183 here is also listed as a Cobalt Strike C2 in sid 91237465,
# the next rule). The exact-Host pin is what keeps these from firing on benign CDN or browser
# traffic, so do not loosen the http.host match when tuning. /cm has no isdataat after it, so any
# URI beginning with "/cm" to that host matches, not just "/cm" itself.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"117.50.162.183"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237464; rev:1;)
alert tcp $HOME_NET any -> [117.50.162.183] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237465; rev:1;)
# NOTE(review): the NjRAT 19762 / 10445 entries in this chunk (35.158.x, 3.127.x, 18.198.x, 3.126.x,
# 18.157.x, 18.192.x, 18.156.x, 18.197.x, 65.0.x) look like cloud-provider address space — verify
# the ranges. Such hosts are re-assigned quickly, so these 100%-confidence IP:port IOCs go stale
# (and start false-positiving) fast; age them out rather than keep them indefinitely.
alert tcp $HOME_NET any -> [35.158.159.254] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237462; rev:1;)
alert tcp $HOME_NET any -> [3.127.59.75] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237463; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 19762 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237461; rev:1;)
alert tcp $HOME_NET any -> [89.249.73.162] 2479 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237460/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237460; rev:1;)
alert tcp $HOME_NET any -> [194.156.98.232] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237459/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237459; rev:1;)
alert tcp $HOME_NET any -> [46.246.84.13] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237458/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237458; rev:1;)
alert tcp $HOME_NET any -> [178.73.218.6] 2222 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237457/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237457; rev:1;)
alert tcp $HOME_NET any -> [67.71.30.49] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237456/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237456; rev:1;)
alert tcp $HOME_NET any -> [86.98.222.105] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237455; rev:1;)
# NOTE(review): "Responder" on dst port 445 means outbound SMB from $HOME_NET to the listed hosts.
# Egress 445 is typically blocked at the perimeter, so a hit here is usually a blocked connection
# attempt (still worth triaging: something on the client tried to authenticate outward). 50% confidence.
alert tcp $HOME_NET any -> [149.28.94.80] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237454; rev:1;)
alert tcp $HOME_NET any -> [71.187.88.67] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237453; rev:1;)
alert tcp $HOME_NET any -> [138.68.169.56] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237452; rev:1;)
alert tcp $HOME_NET any -> [172.105.14.104] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237451; rev:1;)
alert tcp $HOME_NET any -> [164.90.233.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237450; rev:1;)
alert tcp $HOME_NET any -> [23.229.31.21] 25623 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237449; rev:1;)
# NOTE(review): TCP/53 to a single IP — would also match legitimate DNS-over-TCP if that host were
# ever used as a resolver; 50% confidence, treat as a lead only.
alert tcp $HOME_NET any -> [220.77.118.115] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237448; rev:1;)
alert tcp $HOME_NET any -> [119.190.136.165] 9000 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237447/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237447; rev:1;)
alert tcp $HOME_NET any -> [65.153.151.175] 10010 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237446/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237446; rev:1;)
alert tcp $HOME_NET any -> [45.33.59.99] 10724 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237445; rev:1;)
alert tcp $HOME_NET any -> [191.252.214.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_07; classtype:trojan-activity; sid:91237444; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/login.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237403; rev:1;)
alert tcp $HOME_NET any -> [37.60.227.156] 7 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237406; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.148] 3362 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237405; rev:1;)
alert tcp $HOME_NET any -> [216.218.135.118] 9583 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237410; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"gigeconomycase.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"pngairservices.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237430; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/connect"; depth:12; nocase; http.host; content:"basicincomeonline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.109.202.161"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bm341/index.php"; depth:16; nocase; http.host; content:"bmld.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237443; rev:1;)
alert tcp $HOME_NET any -> [185.196.8.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237442; rev:1;)
alert tcp $HOME_NET any -> [94.232.45.52] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237440/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237440; rev:1;)
alert tcp $HOME_NET any -> [46.105.141.60] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237441/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237441; rev:1;)
alert tcp $HOME_NET any -> [37.120.247.104] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237438/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237438; rev:1;)
alert tcp $HOME_NET any -> [5.255.119.56] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237439/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_07; classtype:trojan-activity; sid:91237439; rev:1;)
alert tcp $HOME_NET any -> [65.0.50.125] 22220 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237437; rev:1;)
# NOTE(review): 187.135.83.117 appears four times in this chunk (ports 1741, 1604, 1800, 2259, all
# DarkComet 80%). Four separate IP:port IOCs for one host suggests a rotating listener; a single
# per-IP rule would be simpler to maintain and would catch the next port too.
alert tcp $HOME_NET any -> [187.135.83.117] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237436/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237436; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237435; rev:1;)
alert tcp $HOME_NET any -> [94.232.47.185] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237434; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237428; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237427; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237426; rev:1;)
alert tcp $HOME_NET any -> [3.126.37.18] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237425; rev:1;)
alert tcp $HOME_NET any -> [18.197.239.5] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237424; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 10445 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_07; classtype:trojan-activity; sid:91237423; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.83] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237422; rev:1;)
alert tcp $HOME_NET any -> [104.225.142.194] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_07; classtype:trojan-activity; sid:91237421; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237420; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"47.57.12.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237419; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237418; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"119.3.220.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237417; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6provider/_cdn/baseupdatelinux/trafficasyncwprequest/imagevmdefaultbaselinuxasyncuniversaltemporary.php"; depth:104; nocase; http.host; content:"194.87.93.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237416; rev:1;)
alert tcp $HOME_NET any -> [117.72.15.82] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237415; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"117.72.15.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237414; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 1800 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237413; rev:1;)
alert tcp $HOME_NET any -> [41.96.128.248] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237412; rev:1;)
alert tcp $HOME_NET any -> [187.135.83.117] 2259 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237411; rev:1;)
alert tcp $HOME_NET any -> [46.149.77.41] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237409; rev:1;)
alert tcp $HOME_NET any -> [109.234.38.247] 443 (msg:"ThreatFox DanaBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237408; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.145] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237407; rev:1;)
alert tcp $HOME_NET any -> [92.246.138.88] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237404; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237402; rev:1;)
alert tcp $HOME_NET any -> [39.105.101.138] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237401; rev:1;)
# NOTE(review): domain IOCs match the DNS *query* name only, so they fire on the resolution attempt
# (whatever the answer, NXDOMAIN included), not on the C2 connection itself. dns_query is the legacy
# spelling of the dns.query sticky buffer and still parses on current Suricata.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"alma27.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237390/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237390; rev:1;)
alert tcp $HOME_NET any -> [79.137.203.183] 36235 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237391; rev:1;)
alert tcp $HOME_NET any -> [139.59.10.184] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237400; rev:1;)
alert tcp $HOME_NET any -> [188.54.98.85] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237399; rev:1;)
alert tcp $HOME_NET any -> [190.28.91.39] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237398; rev:1;)
alert tcp $HOME_NET any -> [103.152.221.43] 6607 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237397/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237397; rev:1;)
alert tcp $HOME_NET any -> [217.114.43.93] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237396/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237396; rev:1;)
alert tcp $HOME_NET any -> [143.198.131.4] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237395/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237395; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237394; rev:1;)
# NOTE(review): sids 91237393 and 91237392 are byte-identical matchers (two ThreatFox records for
# the same URL) — one request will raise both alerts; suppress or drop one of them locally.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237393; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/nprgttmfrtmijp7xaraq7p87jp9"; depth:45; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237392; rev:1;)
alert tcp $HOME_NET any -> [185.202.239.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237389/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237389; rev:1;)
alert tcp $HOME_NET any -> [46.246.80.14] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237388; rev:1;)
alert tcp $HOME_NET any -> [46.246.14.16] 2552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237387; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237386; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/flash.php"; depth:14; nocase; http.host; content:"45.15.156.229"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237385; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"yaniqueque.sytes.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237384; rev:1;)
alert tcp $HOME_NET any -> [62.204.41.234] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237383; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"xmail.cfd"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237282; rev:1;)
alert tcp $HOME_NET any -> [103.186.117.186] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237382; rev:1;)
alert tcp $HOME_NET any -> [157.230.175.190] 7754 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237381; rev:1;)
alert tcp $HOME_NET any -> [45.128.133.21] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237380; rev:1;)
alert tcp $HOME_NET any -> [185.202.175.208] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237379; rev:1;)
alert tcp $HOME_NET any -> [185.236.203.102] 54600 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237378; rev:1;)
alert tcp $HOME_NET any -> [174.138.56.147] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237377; rev:1;)
# NOTE(review): the "Unknown malware" entries at 100% below are bare IP:port pairs with no family to
# pivot on; the 100% is the submitter's score, not a vetted attribution. Several (20.x, 13.x, 54.x)
# also look like cloud-provider space — verify, and expect them to churn.
alert tcp $HOME_NET any -> [20.234.140.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237376; rev:1;)
alert tcp $HOME_NET any -> [46.151.214.196] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237374; rev:1;)
alert tcp $HOME_NET any -> [152.32.131.171] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237375; rev:1;)
alert tcp $HOME_NET any -> [161.97.89.128] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237373; rev:1;)
alert tcp $HOME_NET any -> [20.126.32.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237372; rev:1;)
alert tcp $HOME_NET any -> [13.244.70.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237371; rev:1;)
alert tcp $HOME_NET any -> [54.252.170.245] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237370; rev:1;)
alert tcp $HOME_NET any -> [40.68.94.216] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237369; rev:1;) alert tcp $HOME_NET any -> [20.73.188.143] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237368; rev:1;) alert tcp $HOME_NET any -> [3.18.169.79] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apis.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237366; rev:1;) alert tcp $HOME_NET any -> [154.12.25.252] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237365; rev:1;) alert tcp $HOME_NET any -> [103.52.154.243] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237364; rev:1;) alert tcp $HOME_NET any -> [182.16.35.146] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237362; rev:1;) alert tcp $HOME_NET any -> [107.172.144.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237363; rev:1;) alert tcp $HOME_NET any -> [182.16.35.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237361; rev:1;) alert tcp $HOME_NET any -> [182.16.35.148] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237360; rev:1;) alert tcp $HOME_NET any -> [182.16.35.147] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237359; rev:1;) alert tcp $HOME_NET any -> 
[114.115.145.188] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237357; rev:1;) alert tcp $HOME_NET any -> [142.171.229.85] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mine-panel.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mine-panel.space"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237356; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237354; rev:1;) alert tcp $HOME_NET any -> [212.193.11.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-44-196-101-127.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-208-95-157.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237352; rev:1;) alert tcp $HOME_NET any -> [54.237.138.159] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"enter.showconfig.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237349; rev:1;) alert tcp $HOME_NET any -> [41.216.183.64] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237348/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_06; classtype:trojan-activity; sid:91237348; rev:1;) alert tcp $HOME_NET any -> [142.93.191.198] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237347; rev:1;) alert tcp $HOME_NET any -> [94.156.68.253] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237346; rev:1;) alert tcp $HOME_NET any -> [94.156.68.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237345; rev:1;) alert tcp $HOME_NET any -> [185.172.128.88] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237344; rev:1;) alert tcp $HOME_NET any -> [5.42.67.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237343; rev:1;) alert tcp $HOME_NET any -> [108.62.49.215] 88 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1237342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237342; rev:1;) alert tcp $HOME_NET any -> [193.163.7.156] 8008 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237341; rev:1;) alert tcp $HOME_NET any -> [45.86.163.142] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237340; rev:1;) alert tcp $HOME_NET any -> [194.48.251.11] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237339; rev:1;) alert tcp $HOME_NET any -> [172.233.240.86] 8080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237338; rev:1;) alert tcp $HOME_NET any -> [103.243.180.16] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237337; rev:1;) alert tcp $HOME_NET any -> [103.243.180.7] 5588 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237336; rev:1;) alert tcp $HOME_NET any -> [157.254.165.110] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237335; rev:1;) alert tcp $HOME_NET any -> [195.62.47.154] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237334; rev:1;) alert tcp $HOME_NET any -> [185.238.171.42] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsft-security.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-76-234-184.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1237331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1095765-1.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.5.96.119.168.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237329; rev:1;) alert tcp $HOME_NET any -> [4.255.104.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237328; rev:1;) alert tcp $HOME_NET any -> [140.82.48.210] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237327; rev:1;) alert tcp $HOME_NET any -> [94.156.69.73] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; 
sid:91237326; rev:1;) alert tcp $HOME_NET any -> [181.161.6.87] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237325; rev:1;) alert tcp $HOME_NET any -> [149.28.148.246] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hookqd.tttseo.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pensive-shamir.45-134-26-33.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237323; rev:1;) alert tcp $HOME_NET any -> [77.73.131.54] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237321; rev:1;) alert tcp $HOME_NET any -> [185.216.70.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237320; rev:1;) alert tcp $HOME_NET any -> [93.123.39.249] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237319; rev:1;) alert tcp $HOME_NET any -> [20.6.81.237] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237318; rev:1;) alert tcp $HOME_NET any -> [185.216.70.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv225.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.jettresponse.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237315; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin4.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237314; rev:1;) alert tcp $HOME_NET any -> [62.109.15.32] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237313; rev:1;) alert tcp $HOME_NET any -> [27.79.88.176] 8007 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237312; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237311; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237310; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237309; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237308; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237306; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237307; rev:1;) alert tcp $HOME_NET any -> [46.246.82.4] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237305; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237304; rev:1;) alert tcp $HOME_NET any -> [172.96.172.203] 8808 (msg:"ThreatFox AsyncRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237303; rev:1;) alert tcp $HOME_NET any -> [20.215.41.119] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237302/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237302; rev:1;) alert tcp $HOME_NET any -> [3.133.3.35] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237301/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_06; classtype:trojan-activity; sid:91237301; rev:1;) alert tcp $HOME_NET any -> [43.249.9.224] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237300; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237299; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; 
classtype:trojan-activity; sid:91237298; rev:1;) alert tcp $HOME_NET any -> [104.234.240.6] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237296; rev:1;) alert tcp $HOME_NET any -> [192.3.101.133] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237297; rev:1;) alert tcp $HOME_NET any -> [103.42.30.219] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237295; rev:1;) alert tcp $HOME_NET any -> [137.175.97.93] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237294; rev:1;) alert tcp $HOME_NET any -> [64.226.76.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.164-90-169-184.cprapid.com"; 
depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237292; rev:1;) alert tcp $HOME_NET any -> [47.99.66.200] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237291; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237290; rev:1;) alert tcp $HOME_NET any -> [129.226.154.245] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237289; rev:1;) alert tcp $HOME_NET any -> [20.163.176.140] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"30.210.31.34.bc.googleusercontent.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237287/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_06; classtype:trojan-activity; sid:91237287; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0913447.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237286; rev:1;) alert tcp $HOME_NET any -> [74.91.116.12] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.46.251.181"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237284; rev:1;) alert tcp $HOME_NET any -> [78.46.251.181] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237281/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237281; rev:1;) alert tcp $HOME_NET any -> [157.90.20.51] 47753 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"xmail.cfd"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237279/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237279; rev:1;) alert tcp $HOME_NET any -> [91.92.247.252] 8276 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237277/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237277; rev:1;) alert tcp $HOME_NET any -> [91.92.247.252] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237278/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237278; rev:1;) alert tcp $HOME_NET any -> [109.107.181.228] 1676 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237276/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237276; rev:1;) alert tcp $HOME_NET any 
-> [109.107.181.228] 666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237275/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237275; rev:1;) alert tcp $HOME_NET any -> [103.86.130.120] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237274; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"mosaicyoungoccasionnyej.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237272/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237272; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"updaterootapplederjuios.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237273; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"modestessayevenmilwek.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237254/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"triangleseasonbenchwj.shop"; depth:26; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237255/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secretionsuitcasenioise.shop"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"circulatejobspontane.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"tonguehypnothesislan.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"nationalistvetecanve.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"inviteaccessiblesaltw.shop"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stamprollabbeymemberw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"donorwifeconfusionstronko.site"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"essayinterventiondepof.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237263/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"smilesnugglemonstouseo.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237264/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"offsetundressdriveryjow.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237265/; target:src_ip; metadata: confidence_level 
75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"publishfavorharbouroe.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237266/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"banquetmasteryfailurw.site"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237267/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"exemptatmospherestingw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237268; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"pavementpreferencewjiao.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"benddiscoleideasbridrew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237270; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"hovermeatglacierrjuw.site"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firecom.php"; depth:16; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"gsggaoo.top"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237253; rev:1;) alert tcp $HOME_NET any -> [43.143.228.239] 7766 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237251/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237251; rev:1;) alert tcp $HOME_NET any -> [47.100.170.9] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237250/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; 
sid:91237250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/guumxl4dhprl9owye74vbaqcbppfgijt"; depth:37; nocase; http.host; content:"ogind.drobpox.us"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ogind.drobpox.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237249; rev:1;) alert tcp $HOME_NET any -> [103.186.117.105] 1970 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237247; rev:1;) alert tcp $HOME_NET any -> [212.113.106.100] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237246; rev:1;) alert tcp $HOME_NET any -> [88.198.107.6] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237245; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.107.6"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"frozenk.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ftp.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.frozenk.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1357229.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"maksonsab.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237201; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maksonsab.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237202; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.nateeka.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nateeka.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237204; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-107-23-38-171.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237205; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farkhunda.3cx.us"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237207; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c0mmit.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237215; rev:1;) alert tcp $HOME_NET any -> [93.123.85.149] 38245 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237224/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.shop4youv2.de"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237225/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bot.elite-likes.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237226/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237226; rev:1;) alert tcp $HOME_NET any -> [93.123.85.4] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237234/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_06; classtype:trojan-activity; sid:91237234; rev:1;) alert tcp $HOME_NET any -> 
[167.56.197.73] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237243/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237243; rev:1;) alert tcp $HOME_NET any -> [124.220.235.28] 1002 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237242/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237242; rev:1;) alert tcp $HOME_NET any -> [3.143.234.125] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237241/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237241; rev:1;) alert tcp $HOME_NET any -> [45.9.191.183] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237240/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237240; rev:1;) alert tcp $HOME_NET any -> [20.224.11.48] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237238/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237238; rev:1;) alert tcp $HOME_NET any -> [216.189.159.197] 53 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237237/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_02_06; classtype:trojan-activity; sid:91237237; rev:1;) alert tcp $HOME_NET any -> [152.69.220.235] 1443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237236/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_06; classtype:trojan-activity; sid:91237236; rev:1;) alert tcp $HOME_NET any -> [91.92.254.111] 1977 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c6/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237233; rev:1;) alert tcp $HOME_NET any -> [94.156.64.228] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/26048ad8.php"; depth:13; nocase; http.host; content:"a0915620.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; 
classtype:trojan-activity; sid:91237231; rev:1;) alert tcp $HOME_NET any -> [52.66.148.83] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237230; rev:1;) alert tcp $HOME_NET any -> [119.3.220.200] 9080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237229; rev:1;) alert tcp $HOME_NET any -> [190.232.148.118] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237228/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237228; rev:1;) alert tcp $HOME_NET any -> [109.248.151.213] 45682 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237227; rev:1;) alert tcp $HOME_NET any -> [94.156.66.178] 8080 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_06; classtype:trojan-activity; sid:91237223; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237222/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_06; classtype:trojan-activity; sid:91237222; rev:1;) alert tcp $HOME_NET any -> [159.223.72.29] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237221/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237221; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237220; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237219; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237218; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237217; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237216/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237216; rev:1;) alert tcp $HOME_NET any -> [41.201.100.168] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237214/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237214; rev:1;) alert tcp $HOME_NET any -> [109.255.66.174] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237213/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237213; rev:1;) alert tcp $HOME_NET any -> [41.98.4.60] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237212/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237212; rev:1;) alert tcp $HOME_NET any -> [85.107.13.154] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237211/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237211; rev:1;) alert tcp $HOME_NET any -> [94.23.155.217] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237210/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237210; rev:1;) alert tcp $HOME_NET any -> [134.209.244.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237209/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237209; rev:1;) alert tcp $HOME_NET any -> [45.152.85.10] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237208/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91237208; rev:1;) alert tcp $HOME_NET any -> [154.195.152.232] 63641 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237206; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237196; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237195; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.138.156.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237192; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/match"; depth:6; nocase; http.host; content:"147.124.221.85"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237191; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.htm"; depth:10; nocase; http.host; content:"anotherpalece.sytes.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237189; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"anotherpalece.sytes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.43.161.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237187; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.8.157.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237186; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"91.230.110.126"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237185; rev:1;) alert tcp $HOME_NET any -> [3.216.239.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237184; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"traincaster.net"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"traincaster.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237183; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"39.105.101.138"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237181; rev:1;) alert tcp $HOME_NET any -> [47.92.146.233] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237180; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"solar.huawei.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237179; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"23.94.255.161"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237178; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"121.43.33.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237177; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"peasanthovecapspll.shop"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237176; rev:1;) alert tcp $HOME_NET any -> [103.69.96.162] 4502 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237175/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237175; rev:1;) alert tcp $HOME_NET any -> [95.217.215.24] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237174; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.215.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237171; rev:1;) alert tcp $HOME_NET any -> [95.216.181.87] 80 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237172; rev:1;) alert tcp $HOME_NET any -> [78.47.233.159] 9000 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237173; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.47.233.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237170; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newagev"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237169; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.181.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237168; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199631487327"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237167; rev:1;) alert tcp $HOME_NET any -> [174.138.56.147] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237166/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237166; rev:1;) alert tcp $HOME_NET any -> [85.215.237.245] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237165; rev:1;) alert tcp $HOME_NET any -> [3.6.122.107] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237163/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91237163; rev:1;) alert tcp $HOME_NET any -> [149.248.17.69] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237164/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"36.150.160.202"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.221.248.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237160; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"185.91.127.221"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237158; rev:1;) alert tcp $HOME_NET any -> [3.6.115.182] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237157; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237156; rev:1;) alert tcp $HOME_NET any -> [3.6.98.232] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237155; rev:1;) alert tcp $HOME_NET any -> [3.6.30.85] 19208 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"5.230.229.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237153; rev:1;) alert tcp $HOME_NET any -> [54.39.179.157] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237152/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91237152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"mysticselect.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1237149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237149; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bizabiza.mywire.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237150; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bizabiza.mywire.org"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1237151/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237151; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 5833 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237147; rev:1;) alert tcp $HOME_NET any -> [51.38.178.159] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237146; rev:1;) alert tcp $HOME_NET any -> [3.142.70.21] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237145; rev:1;) alert tcp $HOME_NET any -> [3.143.139.73] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237144; rev:1;) alert tcp $HOME_NET any -> [141.145.196.196] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237143; rev:1;) alert tcp $HOME_NET any -> [167.172.47.15] 36936 (msg:"ThreatFox Unknown malware botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237142; rev:1;) alert tcp $HOME_NET any -> [180.139.173.232] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237141; rev:1;) alert tcp $HOME_NET any -> [3.109.228.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237140; rev:1;) alert tcp $HOME_NET any -> [175.24.130.231] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237139; rev:1;) alert tcp $HOME_NET any -> [137.74.7.196] 8001 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237138; rev:1;) alert tcp $HOME_NET any -> [4.156.181.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237137/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237137; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237136; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237135; rev:1;) alert tcp $HOME_NET any -> [172.205.168.27] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237134; rev:1;) alert tcp $HOME_NET any -> [212.39.153.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237133; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.vitamedicajobccb.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"admiring-pascal.142-11-199-59.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237130; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drive.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237131; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.dnl-l.ooguy.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.charming-wright.142-11-199-59.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.deenpel.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237128; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fonts.deenpel.com"; 
depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237126; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237125; rev:1;) alert tcp $HOME_NET any -> [103.108.42.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237124; rev:1;) alert tcp $HOME_NET any -> [103.108.43.23] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237123; rev:1;) alert tcp $HOME_NET any -> [103.108.42.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237121; rev:1;) alert tcp $HOME_NET any -> [103.108.43.25] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237122; rev:1;) alert tcp $HOME_NET any -> [182.16.35.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237120; rev:1;) alert tcp $HOME_NET any -> [103.108.43.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237119; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.akunet.host"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237117; rev:1;) alert tcp $HOME_NET any -> [93.123.85.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237116; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"epsilonapi.fr"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237115; rev:1;) alert tcp $HOME_NET any -> [52.200.22.116] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sw.sono.pw"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237113; rev:1;) alert tcp $HOME_NET any -> [66.135.13.235] 9075 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237112; rev:1;) alert tcp $HOME_NET any -> [34.118.118.118] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237111; rev:1;) alert tcp $HOME_NET any -> [35.199.67.241] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237110/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_05; classtype:trojan-activity; sid:91237110; rev:1;) alert tcp $HOME_NET any -> [41.216.183.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237109; rev:1;) alert tcp $HOME_NET any -> [98.66.153.174] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237108; rev:1;) alert tcp $HOME_NET any -> [89.23.97.83] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237107; rev:1;) alert tcp $HOME_NET any -> [188.27.175.18] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237106; rev:1;) alert tcp $HOME_NET any -> [109.107.182.205] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237105; rev:1;) alert tcp $HOME_NET any -> [194.33.191.239] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1237104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237104; rev:1;) alert tcp $HOME_NET any -> [103.243.180.11] 5588 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-175-41-143-87.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-248-157.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-46-228-106.ip.linodeusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap1065782-2.zap-srv.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1237100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237100; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"files.paronibarry.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237098; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237097; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 57963 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237096; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237094; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 9036 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237095; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 
5671 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237093; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4242 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237092; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 222 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237090; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 832 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237091; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 24828 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237089; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 6009 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237087/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237087; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 18925 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237088; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 2376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237086; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 28015 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237085; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237083; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 12920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237084; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 2375 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237082; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237080; rev:1;) alert tcp $HOME_NET any -> [102.117.152.61] 64741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237081; rev:1;) alert tcp $HOME_NET any -> [41.216.183.126] 3741 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237079; rev:1;) alert tcp $HOME_NET any -> [191.82.252.2] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"erp.topixtechnology.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237076; rev:1;) alert tcp $HOME_NET any -> [13.212.79.65] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov4.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237075; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pegasus.chicecon.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.racun.app"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237074; rev:1;) alert tcp $HOME_NET any -> [194.48.251.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"tsaojzhn885.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ok.chicecon.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taojszxz.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsaojzuv455.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237069; rev:1;) alert tcp $HOME_NET any -> [79.137.207.154] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237067; rev:1;) alert tcp $HOME_NET any -> [34.107.114.24] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237065/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237065; rev:1;) alert tcp $HOME_NET any -> [85.202.160.192] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237066; rev:1;) alert tcp $HOME_NET any -> [31.44.2.39] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237064; rev:1;) alert tcp $HOME_NET any -> [45.61.166.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237063; rev:1;) alert tcp $HOME_NET any -> [62.72.32.226] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237062; rev:1;) alert tcp $HOME_NET any -> [104.234.240.231] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237060; rev:1;) alert tcp $HOME_NET any -> [206.189.130.11] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.194-233-74-255.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237059; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin2.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237057; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.356142.fun"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237058; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev.fvds.ru"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev6.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237056/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"194-233-74-255.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237054; rev:1;) alert tcp $HOME_NET any -> [93.123.39.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237052; rev:1;) alert tcp $HOME_NET any -> [193.233.254.64] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237053; rev:1;) alert tcp $HOME_NET any -> [137.184.43.170] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.64-225-100-2.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237051; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237048; rev:1;) alert tcp $HOME_NET any -> [172.96.172.69] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237049; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237047; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237046; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237045; rev:1;) alert tcp $HOME_NET any -> [190.28.167.19] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; 
classtype:trojan-activity; sid:91237043; rev:1;) alert tcp $HOME_NET any -> [45.154.98.190] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237044; rev:1;) alert tcp $HOME_NET any -> [107.161.81.150] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237042; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237041; rev:1;) alert tcp $HOME_NET any -> [68.67.203.245] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237039; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237040; rev:1;) alert tcp $HOME_NET any -> [206.123.132.163] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1237038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237038; rev:1;) alert tcp $HOME_NET any -> [194.26.229.212] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-18-134-234-207.eu-west-2.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1237037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237037; rev:1;) alert tcp $HOME_NET any -> [38.6.177.120] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237035; rev:1;) alert tcp $HOME_NET any -> [44.219.14.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237034/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_05; classtype:trojan-activity; sid:91237034; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237033; rev:1;) alert 
tcp $HOME_NET any -> [187.135.91.246] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237032; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 1718 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237030; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237031; rev:1;) alert tcp $HOME_NET any -> [187.135.91.246] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237029; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237027; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1237028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237028; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237026; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237024; rev:1;) alert tcp $HOME_NET any -> [187.135.83.117] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237025; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237023; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237022; rev:1;) alert tcp $HOME_NET any -> [78.24.223.222] 80 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237020; rev:1;)
# NOTE(review): every "ip:port" rule in this feed has no content match at all - it fires on any
# TCP segment from $HOME_NET to the listed address:port, including a bare SYN from an internal
# scanner or a browser reaching a hosting address that has since been reassigned. The per-rule
# "threshold: type limit, track by_src, seconds 60, count 1" only caps the alert rate (one alert
# per source host per minute); it adds no fidelity. "target:src_ip" records the internal client
# as the victim side of the alert. The sid is "9" followed by the ThreatFox IOC id in the
# reference URL (sid:91237021 <-> ioc/1237021/), which makes pivoting to the portal mechanical.
alert tcp $HOME_NET any -> [91.92.242.62] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237021; rev:1;)
alert tcp $HOME_NET any -> [123.60.10.196] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237019; rev:1;)
alert tcp $HOME_NET any -> [167.179.86.31] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237018; rev:1;)
alert tcp $HOME_NET any -> [68.183.213.199] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237016; rev:1;)
alert tcp $HOME_NET any -> [140.143.223.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237017; rev:1;)
# NOTE(review): 4.228.218.10, 34.31.210.30, 20.x and 3.x addresses below look like public-cloud
# tenant addresses (assumption from the prefixes - verify); such addresses are recycled between
# customers, so check first_seen against the deployment date before using them for blocking.
alert tcp $HOME_NET any -> [4.228.218.10] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237015; rev:1;)
alert tcp $HOME_NET any -> [4.228.218.10] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237014; rev:1;)
alert tcp $HOME_NET any -> [93.179.124.200] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237012; rev:1;)
alert tcp $HOME_NET any -> [82.147.85.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237013; rev:1;)
alert tcp $HOME_NET any -> [43.143.241.241] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237011; rev:1;)
alert tcp $HOME_NET any -> [117.50.196.59] 3255 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237010; rev:1;)
alert tcp $HOME_NET any -> [123.56.81.44] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237009; rev:1;)
alert tcp $HOME_NET any -> [124.221.248.167] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237008; rev:1;)
alert tcp $HOME_NET any -> [104.236.196.5] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237007; rev:1;)
alert tcp $HOME_NET any -> [141.98.81.97] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237006; rev:1;)
alert tcp $HOME_NET any -> [34.31.210.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237005; rev:1;)
alert tcp $HOME_NET any -> [129.204.245.247] 10080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237003; rev:1;)
alert tcp $HOME_NET any -> [129.204.245.247] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237004; rev:1;)
alert tcp $HOME_NET any -> [101.201.46.105] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237002; rev:1;)
alert tcp $HOME_NET any -> [222.187.224.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237001; rev:1;)
alert tcp $HOME_NET any -> [124.222.173.133] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236999; rev:1;)
alert tcp $HOME_NET any -> [49.235.144.122] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1237000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91237000; rev:1;)
alert tcp $HOME_NET any -> [43.143.168.186] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236998; rev:1;)
alert tcp $HOME_NET any -> [8.130.80.79] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236996; rev:1;)
alert tcp $HOME_NET any -> [74.48.125.18] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236997; rev:1;)
alert tcp $HOME_NET any -> [185.154.14.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236995; rev:1;)
alert tcp $HOME_NET any -> [5.135.224.155] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236993; rev:1;)
alert tcp $HOME_NET any -> [188.166.22.203] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236994; rev:1;)
alert tcp $HOME_NET any -> [104.168.102.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236992; rev:1;)
# NOTE(review): the *.104-168-102-175.plesk.page domain rules that follow embed the same address
# as the tcp rule for 104.168.102.175:443 directly above, so one infected host will raise a dns
# alert on the lookup and an ip:port alert on the connection - correlate them as one indicator
# rather than counting them twice. dns_query rules match the name in the question section only
# (they fire on the lookup, whatever the answer) and cannot see DoH/DoT resolution.
# "depth:N" plus "isdataat:!1,relative" pins the exact FQDN, so "modest-colden..." and
# "www.modest-colden..." are deliberately separate rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gifted-khayyam.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236991; rev:1;)
alert tcp $HOME_NET any -> [134.122.164.214] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236989; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-rubin.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236990; rev:1;)
alert tcp $HOME_NET any -> [122.51.243.31] 39689 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236988; rev:1;)
alert tcp $HOME_NET any -> [175.24.130.231] 9000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236987; rev:1;)
alert tcp $HOME_NET any -> [202.79.168.65] 5511 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236985; rev:1;)
alert tcp $HOME_NET any -> [120.27.132.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236986; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-bouman.104-168-102-175.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236983; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"quirky-williamson.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236984; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kind-villani.104-168-102-175.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236982; rev:1;)
alert tcp $HOME_NET any -> [45.134.225.247] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236981; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.modest-colden.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236980; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sync.maksonsab.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236978; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.brave-herschel.104-168-102-175.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236979; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.optimistic-almeida.104-168-102-175.plesk.page"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236977; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.happy-burnell.104-168-102-175.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236975; rev:1;)
# NOTE(review): the next name is an auto-generated EC2 public hostname with the instance address
# (13.36.225.33) embedded in it. Such hostnames are typically reassigned with the address, so this
# indicator ages quickly - compare first_seen with the deployment date before using it to block.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-36-225-33.eu-west-3.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236976; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-fermat.104-168-102-175.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236973; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fervent-gates.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236974; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hardcore-wescoff.104-168-102-175.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236972; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"modest-colden.104-168-102-175.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236971; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"our.openarmscv.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236969; rev:1;)
alert tcp $HOME_NET any -> [88.119.169.207] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236970; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 99%)"; dns_query; content:"i.wanna.see.20242525.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236968/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236968; rev:1;)
alert tcp $HOME_NET any -> [175.24.197.196] 8001 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 99%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236967/; target:src_ip; metadata: confidence_level 99, first_seen 2024_02_05; classtype:trojan-activity; sid:91236967; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.95] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236966; rev:1;)
alert tcp $HOME_NET any -> [43.136.71.208] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236965; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236964; rev:1;)
# NOTE(review): the two Loki entries below are bare ip:port matches on port 80 at confidence 75.
# The addresses appear to sit in a shared CDN/hosting range (assumption from the prefixes -
# verify), in which case any site behind the same edge node will trigger them; if the false
# positive rate is high, prefer the URL/host-based rules for this family.
alert tcp $HOME_NET any -> [172.67.165.208] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236962/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236962; rev:1;)
alert tcp $HOME_NET any -> [104.21.73.201] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236963/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236963; rev:1;)
alert tcp $HOME_NET any -> [101.201.46.105] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236961/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236961; rev:1;)
alert tcp $HOME_NET any -> [156.251.19.27] 20399 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236960; rev:1;)
alert tcp $HOME_NET any -> [39.105.101.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236959/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236959; rev:1;)
alert tcp $HOME_NET any -> [45.142.182.104] 4568 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236957/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236957; rev:1;)
alert tcp $HOME_NET any -> [130.61.130.111] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236958; rev:1;)
alert tcp $HOME_NET any -> [91.230.110.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236956/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236956; rev:1;)
alert tcp $HOME_NET any -> [147.124.221.85] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236955/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236955; rev:1;)
# NOTE(review): 'http.uri; content:"/"; depth:1' matches every request URI, so the two http rules
# below are effectively exact Host-header matches for the bare IP literal (the trailing
# "isdataat:!1,relative" rejects anything longer). The Vidar tcp rules for the same two hosts on
# 443 follow immediately, so a single victim can produce both an http and an ip:port alert.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.28.5"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236954; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.99.38.67"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236953; rev:1;)
alert tcp $HOME_NET any -> [95.217.28.5] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236952; rev:1;)
alert tcp $HOME_NET any -> [88.99.38.67] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236951; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.248] 1985 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236950; rev:1;)
# NOTE(review): the run of rules from here through the Sliver entries for 193.222.96.162 is
# confidence_level 50, and most of them watch generic ports (80/443/995/8888) on addresses with no
# corroborating URL or domain indicator in this feed. Treat these as hunting leads for
# retrospective searches, not as block-list candidates; see the ioc/ page for the submitter's
# reasoning before escalating a hit.
alert tcp $HOME_NET any -> [45.15.159.130] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236949/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236949; rev:1;)
alert tcp $HOME_NET any -> [103.145.107.109] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236948/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236948; rev:1;)
alert tcp $HOME_NET any -> [116.204.123.237] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236947/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236947; rev:1;)
alert tcp $HOME_NET any -> [123.57.3.221] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236946/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236946; rev:1;)
alert tcp $HOME_NET any -> [41.99.71.216] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236945/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236945; rev:1;)
alert tcp $HOME_NET any -> [41.251.199.21] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236944/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236944; rev:1;)
alert tcp $HOME_NET any -> [41.98.253.127] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236943/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236943; rev:1;)
alert tcp $HOME_NET any -> [41.97.152.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236942/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236942; rev:1;)
alert tcp $HOME_NET any -> [84.237.209.170] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236941/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236941; rev:1;)
alert tcp $HOME_NET any -> [45.137.10.34] 3333 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236940/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236940; rev:1;)
alert tcp $HOME_NET any -> [141.98.168.243] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236939/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236939; rev:1;)
alert tcp $HOME_NET any -> [141.98.168.243] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236938/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236938; rev:1;)
alert tcp $HOME_NET any -> [45.78.32.214] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236937/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236937; rev:1;)
alert tcp $HOME_NET any -> [35.73.145.106] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236936/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236936; rev:1;)
alert tcp $HOME_NET any -> [20.61.4.19] 4005 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236934/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236934; rev:1;)
alert tcp $HOME_NET any -> [20.61.4.19] 4006 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236935/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236935; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.162] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236933/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236933; rev:1;)
alert tcp $HOME_NET any -> [193.222.96.162] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236932/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236932; rev:1;)
# NOTE(review): the http and dns rules for telergraml.org (a look-alike of a messaging brand)
# are a pair: the dns rule fires on the lookup itself, the http rule only on an established
# GET to that Host. Expect the dns alert first; the http alert confirms a completed connection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"telergraml.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236895; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"telergraml.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236896; rev:1;)
alert tcp $HOME_NET any -> [192.236.162.234] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236928/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_05; classtype:trojan-activity; sid:91236928; rev:1;)
alert tcp $HOME_NET any -> [91.92.247.108] 1986 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236931; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/667f720d.php"; depth:13; nocase; http.host; content:"hammiest-dependents.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_05; classtype:trojan-activity; sid:91236930; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.85] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_05; classtype:trojan-activity; sid:91236929; rev:1;)
# NOTE(review): the /mozi.m rule is confidence_level 50 and keys on a bare IP literal in the Host
# header; a hit is more useful as evidence of an IoT device fetching a payload than as a blocking
# decision on its own.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"59.178.76.117"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236927/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_05; classtype:trojan-activity; sid:91236927; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"193.222.96.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236926; rev:1;)
# NOTE(review): port 50050 is the port commonly documented as the Cobalt Strike team server's
# management listener (operator client <-> server), not a beacon listener. A $HOME_NET source
# reaching one of the 50050 entries below is therefore more likely an operator workstation, an
# internal scanner or a red-team host than an implant; triage such hits differently from the
# 80/443 beacon-style entries (all of these are confidence_level 80).
alert tcp $HOME_NET any -> [124.220.49.74] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236925/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236925; rev:1;)
alert tcp $HOME_NET any -> [5.149.249.74] 47987 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236924; rev:1;)
alert tcp $HOME_NET any -> [165.22.116.84] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236923/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236923; rev:1;)
alert tcp $HOME_NET any -> [118.24.128.204] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236922/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236922; rev:1;)
alert tcp $HOME_NET any -> [101.35.141.80] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236921/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236921; rev:1;)
alert tcp $HOME_NET any -> [20.2.223.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236920/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236920; rev:1;)
alert tcp $HOME_NET any -> [47.115.230.159] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236919/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236919; rev:1;)
alert tcp $HOME_NET any -> [43.143.130.124] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236918/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236918; rev:1;)
alert tcp $HOME_NET any -> [47.115.225.184] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236917/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236917; rev:1;)
alert tcp $HOME_NET any -> [20.56.70.245] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236916; rev:1;)
alert tcp $HOME_NET any -> [45.195.76.82] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236915; rev:1;)
alert tcp $HOME_NET any -> [45.93.20.242] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236914; rev:1;)
alert tcp $HOME_NET any -> [103.13.210.210] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236913; rev:1;)
alert tcp $HOME_NET any -> [91.230.110.126] 4321 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236912/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236912; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236911; rev:1;)
alert tcp $HOME_NET any -> [3.127.253.86] 16322 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236910; rev:1;) alert tcp $HOME_NET any -> [94.156.69.136] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236909/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236909; rev:1;) alert tcp $HOME_NET any -> [103.66.59.68] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236908; rev:1;) alert tcp $HOME_NET any -> [74.48.220.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236907; rev:1;) alert tcp $HOME_NET any -> [142.154.101.77] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236906; rev:1;) alert tcp $HOME_NET any -> [74.12.144.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236904/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236904; rev:1;) alert tcp $HOME_NET any -> [154.246.150.122] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236905; rev:1;) alert tcp $HOME_NET any -> [31.190.194.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236903/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236903; rev:1;) alert tcp $HOME_NET any -> [94.98.76.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236902/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236902; rev:1;) alert tcp $HOME_NET any -> [86.222.181.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236901/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236901; rev:1;) alert tcp $HOME_NET any -> [193.178.147.164] 8010 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236900/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236900; rev:1;) alert tcp $HOME_NET any -> [143.198.78.107] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236899/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236899; rev:1;) alert tcp $HOME_NET any -> [38.62.236.182] 34712 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236898/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236898; rev:1;) alert tcp $HOME_NET any -> [51.158.96.140] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236897/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236897; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 53576 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f993692117a3fda2.php"; depth:21; nocase; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/31b57f88e9b186cd.php"; depth:21; nocase; http.host; content:"91.206.178.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236892; rev:1;) alert tcp $HOME_NET any -> [167.235.26.247] 9300 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236891; rev:1;) alert tcp $HOME_NET any -> [195.201.242.216] 443 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236890/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236890; rev:1;) alert tcp $HOME_NET any -> [123.206.29.183] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236889/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236889; rev:1;) alert tcp $HOME_NET any -> [91.92.244.240] 1234 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236888/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236888; rev:1;) alert tcp $HOME_NET any -> [194.9.172.238] 1443 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236887/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236887; rev:1;) alert tcp $HOME_NET any -> [218.161.70.146] 80 (msg:"ThreatFox Empire Downloader botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236886/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236886; 
rev:1;) alert tcp $HOME_NET any -> [171.5.180.138] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236885/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236885; rev:1;) alert tcp $HOME_NET any -> [109.205.61.95] 3777 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236884; rev:1;) alert tcp $HOME_NET any -> [147.229.148.205] 5000 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236883; rev:1;) alert tcp $HOME_NET any -> [141.255.167.250] 4760 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236882; rev:1;) alert tcp $HOME_NET any -> [103.223.12.163] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236881/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236881; rev:1;) alert tcp $HOME_NET any -> [178.63.172.20] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236880/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236880; rev:1;) alert tcp $HOME_NET any -> [94.188.60.245] 3333 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236879; rev:1;) alert tcp $HOME_NET any -> [159.65.156.37] 9990 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236878; rev:1;) alert tcp $HOME_NET any -> [94.156.69.37] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updacon.hopto.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236832; rev:1;) alert tcp $HOME_NET any -> [192.253.251.98] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236877; rev:1;) alert tcp $HOME_NET any -> [186.169.69.242] 8523 
(msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236876/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236876; rev:1;) alert tcp $HOME_NET any -> [45.76.12.238] 5555 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236875/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236875; rev:1;) alert tcp $HOME_NET any -> [178.236.247.250] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236874/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236874; rev:1;) alert tcp $HOME_NET any -> [111.92.243.131] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236873/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236873; rev:1;) alert tcp $HOME_NET any -> [91.92.242.235] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236872/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236872; rev:1;) alert tcp $HOME_NET any -> [45.76.196.96] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236871/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236871; rev:1;) alert tcp $HOME_NET any -> [47.242.73.99] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236870; rev:1;) alert tcp $HOME_NET any -> [141.255.159.87] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236869/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236869; rev:1;) alert tcp $HOME_NET any -> [38.181.35.232] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236868/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236868; rev:1;) alert tcp $HOME_NET any -> [141.255.159.135] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236867/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236867; rev:1;) alert tcp $HOME_NET any -> [154.246.204.6] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236866/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236866; rev:1;) alert tcp $HOME_NET any -> [198.13.49.217] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236865/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236865; rev:1;) alert tcp $HOME_NET any -> [139.99.186.184] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236864/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236864; rev:1;) alert tcp $HOME_NET any -> [154.247.243.232] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236863/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236863; rev:1;) alert tcp $HOME_NET any -> [171.80.235.121] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236862; rev:1;) alert tcp $HOME_NET any -> [154.246.107.125] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236861; rev:1;) alert tcp $HOME_NET any -> [154.247.197.111] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236860/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236860; rev:1;) alert tcp $HOME_NET any -> [141.255.146.46] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236859; rev:1;) alert tcp $HOME_NET any -> [94.156.69.93] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236858; rev:1;) alert tcp $HOME_NET any -> [171.41.199.216] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236857/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236857; rev:1;) alert tcp $HOME_NET any -> [91.92.249.225] 2023 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236856; rev:1;) alert tcp $HOME_NET any -> [166.88.61.138] 9898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236855; rev:1;) alert tcp $HOME_NET any -> [91.92.255.107] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236854; rev:1;) alert tcp 
$HOME_NET any -> [213.226.117.48] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236853; rev:1;) alert tcp $HOME_NET any -> [95.72.172.97] 9080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236852; rev:1;) alert tcp $HOME_NET any -> [171.80.251.240] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236851; rev:1;) alert tcp $HOME_NET any -> [64.176.217.187] 6666 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236850; rev:1;) alert tcp $HOME_NET any -> [183.105.191.36] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236849; rev:1;) alert tcp $HOME_NET any -> [154.204.178.170] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236848/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236848; rev:1;) alert tcp $HOME_NET any -> [171.80.235.135] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236847; rev:1;) alert tcp $HOME_NET any -> [85.209.176.79] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236846; rev:1;) alert tcp $HOME_NET any -> [171.80.234.90] 25565 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236845; rev:1;) alert tcp $HOME_NET any -> [210.56.49.4] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236844/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236844; rev:1;) alert tcp $HOME_NET any -> [148.135.34.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236843; rev:1;) alert tcp $HOME_NET any -> [91.92.253.204] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236842; rev:1;) alert tcp $HOME_NET any -> [88.99.150.167] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236841/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236841; rev:1;) alert tcp $HOME_NET any -> [88.99.150.149] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236840/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236840; rev:1;) alert tcp $HOME_NET any -> [88.99.150.167] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236839/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236839; rev:1;) alert tcp $HOME_NET any -> [104.248.249.135] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236838/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236838; rev:1;) alert tcp $HOME_NET any -> [44.200.32.105] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236837/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236837; rev:1;) alert tcp $HOME_NET any -> [13.235.8.98] 443 (msg:"ThreatFox Havoc botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236836; rev:1;) alert tcp $HOME_NET any -> [3.83.182.180] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236835; rev:1;) alert tcp $HOME_NET any -> [175.41.143.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236834/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cd2b41cbde8fc9c.php"; depth:21; nocase; http.host; content:"185.172.128.79"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"101.33.221.102"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236830; rev:1;) alert tcp $HOME_NET any -> [107.23.38.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dmobd90auod5w.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dmobd90auod5w.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d2zp39t2eezbsc.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236825/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_04; classtype:trojan-activity; sid:91236825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acap.html"; depth:10; nocase; http.host; content:"167.71.88.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236822; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"k-hbgsakedfme8azej.a03.azurefd.net"; depth:34; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236821; rev:1;) alert tcp $HOME_NET any -> [47.119.19.34] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236820; rev:1;) alert tcp $HOME_NET any -> [104.131.9.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"adibh.azureedge.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adibh.azureedge.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236818; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 17960 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236816/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236816; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236815/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236815; rev:1;) alert tcp $HOME_NET any -> [172.187.200.225] 443 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236814/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.31.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.216.100.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.205.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.65"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.160"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236697/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.35"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.182.87.27"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.136"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236694; rev:1;) alert tcp $HOME_NET any -> [195.85.207.219] 8082 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236683; rev:1;) alert tcp $HOME_NET any -> [31.210.50.162] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236684; rev:1;) alert tcp $HOME_NET any -> [94.131.113.192] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236685; rev:1;) alert tcp $HOME_NET any -> [31.42.190.137] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236687; rev:1;) alert tcp $HOME_NET any -> [154.198.245.50] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236686; rev:1;) alert tcp $HOME_NET any -> [194.195.245.97] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236689; rev:1;) alert tcp $HOME_NET any -> [195.10.205.18] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236688; rev:1;) alert tcp $HOME_NET any -> [207.180.224.118] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236690; rev:1;) alert tcp $HOME_NET any -> [91.92.249.240] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236691; rev:1;) alert tcp $HOME_NET any -> [20.90.160.195] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.225"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.77.121"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"146.70.161.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.149.146.159"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.81"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; 
content:"95.181.173.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.247.9"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.26.239.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236713; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.31"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.118.52.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236715/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_04; classtype:trojan-activity; sid:91236715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"8.217.23.144"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.150.65.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"212.113.116.56"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236718; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"20.0.25.177"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.39"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236720; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.181.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.185.85.132"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.44"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"78.141.239.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.7"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.46.217"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.20.43.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; 
sid:91236728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"109.107.173.48"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"74.50.93.136"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"51.81.243.237"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.72.48"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.74.19.107"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.106.94.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.17.0.222"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"178.236.246.253"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.80"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1236737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.170.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"194.87.71.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.203.233"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.235"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236741; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"95.181.173.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.147.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"5.42.78.61"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.199.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.207.226"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"64.52.80.13"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.133.97"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.202.24"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.72"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236750/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.105.146.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"185.225.200.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"79.137.194.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236753; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 30520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236558/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"jd03-30520.portmap.io"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236559/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236559; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 14881 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236574/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"auto-benjamin.gl.at.ply.gg"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236575/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236575; rev:1;) alert tcp $HOME_NET any -> [213.159.61.169] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236663/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236663; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vinijr27.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236662/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236662; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"noiphabibi.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236664/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; 
classtype:trojan-activity; sid:91236664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236794; rev:1;) alert tcp $HOME_NET any -> [123.207.50.70] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236791; rev:1;) alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.aerostatus.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"mail4.the-kup-key.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.go2tr.ir"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.theaerie.ca"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mta4.sharenscookbook.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236787; rev:1;) alert tcp $HOME_NET any -> [50.18.8.146] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0.tcp.us-cal-1.ngrok.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1236784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.aist.world"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236785; rev:1;) alert tcp $HOME_NET any -> [184.72.44.51] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236781; rev:1;) alert tcp $HOME_NET any -> [54.193.184.75] 17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236782; rev:1;) alert tcp $HOME_NET any -> [3.140.223.7] 15696 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_04; classtype:trojan-activity; sid:91236769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuxy.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236779; rev:1;) alert tcp $HOME_NET any -> [52.8.87.87] 
17240 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"twjdy.freemyip.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moveleiros-projeto.ddns.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjhghyfgtttyuuugfd7654332.cfd"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qweuurgr86765.cfd"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"hjghgfgftdrdssst7654345.cfd"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjgjghfgfhgdhfgsed56.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hghgfttcdsstyytff655cvhf.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hjfhwefhuuuuf8383992.cfd"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gfffhtdrtggdd654346.cfd"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfjfgfgfty6765433.cfd"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ghgfttyuujg87654.cfd"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ewuhruewhrhurw7837.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fffsddhddd3.cfd"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfjfglklihilughgf434wdfg.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236800; rev:1;) alert tcp $HOME_NET any -> [5.42.65.107] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236797/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_04; classtype:trojan-activity; sid:91236797; rev:1;) alert tcp $HOME_NET any -> [206.237.15.161] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ygyjgjygjyfjyfftt6654433.cfd"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ytytyfghhjhyt77865.cfd"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/windowstestjavascript/provider3/dletopython8/voiddblowprovider/bigloadasync0temp/packetgametemporary.php"; depth:105; nocase; http.host; content:"185.195.27.26"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236798; rev:1;) alert tcp $HOME_NET any -> [84.2.81.135] 6923 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236778/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.116.198.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"107.189.14.144"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236775; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"can.comewithme.info"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236773; rev:1;) alert tcp $HOME_NET any -> [193.222.96.25] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copper-king.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236771; rev:1;) alert tcp $HOME_NET any -> [103.86.130.72] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236770; rev:1;) alert tcp $HOME_NET any -> [189.140.50.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236768; rev:1;) alert tcp $HOME_NET any -> [159.235.5.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236767/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236767; rev:1;) alert tcp 
$HOME_NET any -> [74.12.144.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236766; rev:1;) alert tcp $HOME_NET any -> [45.243.218.9] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236765; rev:1;) alert tcp $HOME_NET any -> [151.30.51.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236764; rev:1;) alert tcp $HOME_NET any -> [79.107.138.79] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236763; rev:1;) alert tcp $HOME_NET any -> [91.92.253.160] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236762/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236762; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236761/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236761; rev:1;) alert tcp $HOME_NET any -> [204.28.111.10] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"178.141.170.135"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_04; classtype:trojan-activity; sid:91236759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm56126.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236758; rev:1;) alert tcp $HOME_NET any -> [13.245.184.253] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236757/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236757; rev:1;) alert tcp $HOME_NET any -> [119.91.89.203] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236756/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236756; rev:1;) alert tcp $HOME_NET any -> [185.39.204.47] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236755/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/game/3/securetestuniversal/phpjshttpprocessorauthsqlwp.php"; depth:59; nocase; http.host; content:"85.209.9.184"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_04; classtype:trojan-activity; sid:91236754; rev:1;) alert tcp $HOME_NET any -> [164.155.203.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236693; rev:1;) alert tcp $HOME_NET any -> [188.127.24.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236682/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236682; rev:1;) alert tcp $HOME_NET any -> [103.86.130.35] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236681; rev:1;) alert 
tcp $HOME_NET any -> [94.228.123.188] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236680/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236680; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236679/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236679; rev:1;) alert tcp $HOME_NET any -> [147.78.103.18] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236678/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_04; classtype:trojan-activity; sid:91236678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalsecurehttppacketbigloadsqltest.php"; depth:42; nocase; http.host; content:"907916cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236677; rev:1;) alert tcp $HOME_NET any -> [101.43.161.148] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236676; rev:1;) alert tcp $HOME_NET any -> [13.36.225.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236675/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236675; rev:1;) alert tcp $HOME_NET any -> [154.8.157.205] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236674; rev:1;) alert tcp $HOME_NET any -> [23.94.255.161] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236673/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236673; rev:1;) alert tcp $HOME_NET any -> [88.214.25.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236670; rev:1;) alert tcp $HOME_NET any -> [88.214.25.253] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"88.214.25.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236668; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invoce-social.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236667; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/latest/v2.36/mz6phzvyk"; depth:23; nocase; http.host; content:"invoce-social.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236666; rev:1;) alert tcp $HOME_NET any -> 
[194.147.140.138] 3320 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236665; rev:1;) alert tcp $HOME_NET any -> [46.246.4.20] 3030 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236661; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236660/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236660; rev:1;) alert tcp $HOME_NET any -> [173.44.141.146] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236659; rev:1;) alert tcp $HOME_NET any -> [13.56.214.28] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236658/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236658; rev:1;) alert tcp $HOME_NET any -> [178.73.218.3] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236657/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236657; rev:1;) alert tcp $HOME_NET any -> [138.201.19.103] 3336 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236656; rev:1;) alert tcp $HOME_NET any -> [85.10.133.189] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236655; rev:1;) alert tcp $HOME_NET any -> [34.198.81.115] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236654; rev:1;) alert tcp $HOME_NET any -> [34.128.110.49] 9443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236653; rev:1;) alert tcp $HOME_NET any -> [52.146.15.133] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236652; rev:1;) alert tcp $HOME_NET any -> [3.25.226.216] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236651; rev:1;) alert tcp $HOME_NET any -> [35.199.114.125] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236650; rev:1;) alert tcp $HOME_NET any -> [18.157.139.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236649; rev:1;) alert tcp $HOME_NET any -> [34.237.150.77] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236648; rev:1;) alert tcp $HOME_NET any -> [47.100.81.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236647; rev:1;) alert tcp $HOME_NET any -> [37.60.239.239] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236646/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_03; classtype:trojan-activity; sid:91236646; rev:1;) alert tcp $HOME_NET any -> [18.194.227.164] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236645; rev:1;) alert tcp $HOME_NET any -> [49.234.190.91] 8083 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236644; rev:1;) alert tcp $HOME_NET any -> [104.238.214.47] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236642; rev:1;) alert tcp $HOME_NET any -> [142.11.199.59] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"outlook.vitamedicajobccb.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236640; rev:1;) alert tcp $HOME_NET any -> [60.204.203.14] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236639; rev:1;) alert tcp $HOME_NET any -> [110.40.36.67] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236638; rev:1;) alert tcp $HOME_NET any -> [143.92.58.61] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236637; rev:1;) alert tcp $HOME_NET any -> [176.124.32.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mywestpac.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236635/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"103.54.57.251.sslip.io"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236634; rev:1;) alert tcp $HOME_NET any -> [123.99.201.37] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jolly-ganguly.45-141-215-173.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"node1.abcd2.monster"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236631; rev:1;) alert tcp $HOME_NET any -> [95.111.238.79] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236630; rev:1;) alert tcp $HOME_NET any -> 
[18.139.243.205] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236629; rev:1;) alert tcp $HOME_NET any -> [188.26.86.131] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srv001e.feja111.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236627; rev:1;) alert tcp $HOME_NET any -> [91.92.248.152] 6606 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236626; rev:1;) alert tcp $HOME_NET any -> [91.92.248.121] 5902 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"premier-stream.co.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1236624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-8-98.ap-south-1.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.premier-stream.co.uk"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ambankgruop.store"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www-12.eekal.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236620; rev:1;) alert tcp $HOME_NET any -> [94.156.69.28] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236619; rev:1;) alert tcp $HOME_NET any -> [193.163.7.139] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236618; rev:1;) alert tcp $HOME_NET any -> [194.233.74.255] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236617; rev:1;) alert tcp $HOME_NET any -> [185.172.128.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"356142.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236614; rev:1;) alert tcp $HOME_NET any -> [3.72.85.14] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.194-233-74-255.cprapid.com"; depth:31; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tsola256.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236613; rev:1;) alert tcp $HOME_NET any -> [3.1.206.216] 8001 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236611; rev:1;) alert tcp $HOME_NET any -> [178.236.247.158] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236610; rev:1;) alert tcp $HOME_NET any -> [154.12.30.64] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236609; rev:1;) alert tcp $HOME_NET any -> [45.145.55.81] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236608; rev:1;) alert tcp $HOME_NET any 
-> [186.112.194.124] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236607; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236605; rev:1;) alert tcp $HOME_NET any -> [151.67.33.99] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236606; rev:1;) alert tcp $HOME_NET any -> [216.250.254.227] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236604; rev:1;) alert tcp $HOME_NET any -> [91.92.252.126] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236603; rev:1;) alert tcp $HOME_NET any -> [45.154.98.34] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236602/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236602; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236600/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236600; rev:1;) alert tcp $HOME_NET any -> [34.162.154.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236601/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236601; rev:1;) alert tcp $HOME_NET any -> [47.111.31.7] 43365 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236599/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236599; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 13975 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236598/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_03; classtype:trojan-activity; sid:91236598; rev:1;) alert tcp $HOME_NET any -> [185.82.219.87] 2351 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236597; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236595; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1896 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236596; rev:1;) alert tcp $HOME_NET any -> [88.214.26.54] 52047 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236594; rev:1;) alert tcp $HOME_NET any -> [154.3.0.131] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236593; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236592; rev:1;) alert tcp $HOME_NET any -> [43.154.190.128] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236591; 
rev:1;) alert tcp $HOME_NET any -> [162.14.125.5] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236590; rev:1;) alert tcp $HOME_NET any -> [45.148.244.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236589; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236587; rev:1;) alert tcp $HOME_NET any -> [107.174.243.15] 554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236588; rev:1;) alert tcp $HOME_NET any -> [154.9.252.97] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236586; rev:1;) alert tcp $HOME_NET any -> [192.3.235.87] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236585; rev:1;) alert tcp $HOME_NET any -> [107.189.14.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236584; rev:1;) alert tcp $HOME_NET any -> [47.120.54.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236582; rev:1;) alert tcp $HOME_NET any -> [43.138.156.178] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236583; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 19211 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236581; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 812 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-190-164.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236579; rev:1;) alert tcp $HOME_NET any -> [185.216.70.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-22-66-152.us-east-2.compute.amazonaws.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236577; rev:1;) alert tcp $HOME_NET any -> [176.122.189.30] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236576; rev:1;) alert tcp $HOME_NET any -> [5.42.73.251] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236573/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236573; rev:1;) alert tcp $HOME_NET any -> [43.228.125.144] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236572/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236572; rev:1;) alert tcp $HOME_NET any -> [43.143.236.67] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236571/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236571; rev:1;) alert tcp $HOME_NET any -> [78.16.61.94] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236570/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236570; rev:1;) alert tcp $HOME_NET any -> [96.87.28.171] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236569/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236569; rev:1;) alert tcp $HOME_NET any -> [41.99.50.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236568/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236568; rev:1;) alert tcp $HOME_NET any -> [77.8.150.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236567/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236567; rev:1;) alert tcp $HOME_NET any -> [148.135.11.253] 445 (msg:"ThreatFox 
Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236566/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236566; rev:1;) alert tcp $HOME_NET any -> [20.38.38.37] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236565/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236565; rev:1;) alert tcp $HOME_NET any -> [124.222.63.238] 8029 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236564; rev:1;) alert tcp $HOME_NET any -> [91.132.196.39] 9090 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236563/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236563; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 4007 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236562; rev:1;) alert tcp $HOME_NET any -> [193.222.96.161] 53535 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lowuniversal.php"; depth:17; nocase; http.host; content:"076902cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236560; rev:1;) alert tcp $HOME_NET any -> [92.222.212.74] 1450 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"38.181.2.11"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236556; rev:1;) alert tcp $HOME_NET any -> [212.224.86.54] 58003 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236555; rev:1;) alert tcp $HOME_NET any -> [216.98.13.172] 26604 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236554; rev:1;) alert tcp $HOME_NET any -> [3.141.142.211] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"vbatallafinal23.duckdns.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236553/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236553; rev:1;) alert tcp $HOME_NET any -> [46.246.86.4] 101 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7a957ef6cc168ff6.php"; depth:21; nocase; http.host; content:"194.120.116.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236550; rev:1;) alert tcp $HOME_NET any -> [3.132.159.158] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236542; rev:1;) alert tcp $HOME_NET any -> 
[3.140.223.7] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236543; rev:1;) alert tcp $HOME_NET any -> [3.141.177.1] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236544; rev:1;) alert tcp $HOME_NET any -> [3.141.210.37] 17366 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236545; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 13538 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236546/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236546; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 13747 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236547/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236547; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 13538 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236548/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236548; rev:1;) alert tcp $HOME_NET any -> [103.86.131.106] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236549/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236549; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236541; rev:1;) alert tcp $HOME_NET any -> [209.38.216.156] 2087 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"149.104.27.40"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236538/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_03; classtype:trojan-activity; sid:91236538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"42.193.248.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.115.225.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"122.51.220.170"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.115.230.159"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"45.195.76.82"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.24.70.197"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"139.155.135.131"; depth:15; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1236529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"60.204.208.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"182.254.140.58"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"124.221.151.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ping"; depth:5; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"www.micros0fti.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236522; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micros0fti.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; 
nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0913347.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236516/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236516; rev:1;) alert tcp $HOME_NET any -> [85.239.34.70] 9110 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236514/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236514; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"z.botnet.rocks"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236515/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236515; rev:1;) alert tcp $HOME_NET any -> [191.101.209.29] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"statisticsong.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236508; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.statisticsong.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"panal.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panel.statisticsong.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236511; rev:1;) alert tcp $HOME_NET any -> [45.13.227.186] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236512/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236512; rev:1;) alert tcp $HOME_NET any -> [45.13.227.186] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236513/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236513; rev:1;) alert tcp $HOME_NET any -> [42.236.91.107] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236506; rev:1;) alert tcp $HOME_NET any -> [103.61.139.69] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236505/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"103.61.139.69"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236504; rev:1;) alert tcp $HOME_NET any -> [89.247.50.191] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236503; rev:1;) alert tcp $HOME_NET any -> [62.72.5.16] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236502; rev:1;) alert tcp $HOME_NET any -> [89.208.103.187] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236501; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kami.magication.us"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236500; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"karleonno.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236499; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236497/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236497; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236495/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236495; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 18785 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236496/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_03; classtype:trojan-activity; sid:91236496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236498; rev:1;) alert tcp $HOME_NET any -> 
[167.71.88.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236494; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236493/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236493; rev:1;) alert tcp $HOME_NET any -> [79.107.143.65] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236492; rev:1;) alert tcp $HOME_NET any -> [122.114.8.164] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236491/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236491; rev:1;) alert tcp $HOME_NET any -> [158.160.65.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236490; rev:1;) alert tcp $HOME_NET any -> [104.238.60.14] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236489/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_03; classtype:trojan-activity; sid:91236489; rev:1;) alert tcp $HOME_NET any -> [103.195.6.58] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236488; rev:1;) alert tcp $HOME_NET any -> [47.236.237.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236487/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236487; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_03; classtype:trojan-activity; sid:91236486; rev:1;) alert tcp $HOME_NET any -> [60.247.153.126] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236485/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_03; classtype:trojan-activity; sid:91236481; rev:1;) alert tcp $HOME_NET any -> [192.210.140.35] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236480/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; classtype:trojan-activity; sid:91236480; rev:1;) alert tcp $HOME_NET any -> [42.193.248.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236479/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_03; 
classtype:trojan-activity; sid:91236479; rev:1;) alert tcp $HOME_NET any -> [18.158.35.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236478; rev:1;) alert tcp $HOME_NET any -> [18.158.35.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236477; rev:1;) alert tcp $HOME_NET any -> [3.95.67.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236476; rev:1;) alert tcp $HOME_NET any -> [37.60.239.240] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www2.deenpel.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"content.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236473; rev:1;) alert tcp $HOME_NET any -> [58.59.222.51] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236472; rev:1;) alert tcp $HOME_NET any -> [62.204.41.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.controlpanel29.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-3-173-99.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236469; rev:1;) alert tcp $HOME_NET any -> [73.3.46.163] 4855 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236468/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236468; rev:1;) alert tcp $HOME_NET any -> [193.233.132.64] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236467; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taobao7737.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236466; rev:1;) alert tcp $HOME_NET any -> [193.233.255.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236465; rev:1;) alert tcp $HOME_NET any -> [34.29.228.84] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236464; rev:1;) alert tcp $HOME_NET any -> [45.141.215.222] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236463; rev:1;) alert tcp $HOME_NET any -> [43.139.189.26] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236462; rev:1;) alert tcp $HOME_NET any -> [91.236.116.26] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236461; rev:1;) alert tcp $HOME_NET any -> [144.202.25.198] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236460; rev:1;) alert tcp $HOME_NET any -> [206.166.251.32] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236459; rev:1;) alert tcp $HOME_NET any -> [116.205.190.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.133.156.69"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236457/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236457; rev:1;) alert tcp $HOME_NET any -> [157.245.222.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/forge/static/hulnwcwi"; depth:22; nocase; http.host; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236454; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-jnajkkdg-1318687485.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236455; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"comewithme.info"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236451; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"comewithme.info"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.105.51.11"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236450; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"91.92.242.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236448; rev:1;) 
alert tcp $HOME_NET any -> [41.97.220.8] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236447/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236447; rev:1;) alert tcp $HOME_NET any -> [45.150.79.56] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b0f62e5c.php"; depth:13; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236445; rev:1;) alert tcp $HOME_NET any -> [95.217.65.174] 11130 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236444; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236424/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236424; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236442/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236442; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236443; rev:1;) alert tcp $HOME_NET any -> [8.130.17.64] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236441/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236441; rev:1;) alert tcp $HOME_NET any -> [79.130.53.226] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236440/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236440; rev:1;) alert tcp $HOME_NET any -> [41.96.88.102] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236439/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236439; rev:1;) alert tcp $HOME_NET any -> [201.137.204.103] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236438/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236438; rev:1;) alert tcp $HOME_NET any 
-> [90.42.9.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236437/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236437; rev:1;) alert tcp $HOME_NET any -> [154.247.198.92] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236436/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236436; rev:1;) alert tcp $HOME_NET any -> [92.223.160.132] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236435/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236435; rev:1;) alert tcp $HOME_NET any -> [138.197.134.200] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236434/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236434; rev:1;) alert tcp $HOME_NET any -> [91.92.253.138] 6075 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236433/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236433; rev:1;) alert tcp $HOME_NET any -> [84.32.44.210] 64543 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236431/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_02_02; classtype:trojan-activity; sid:91236431; rev:1;) alert tcp $HOME_NET any -> [193.233.132.73] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236430/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236430; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236429; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gjvjls3jd2v/index.php"; depth:22; nocase; http.host; content:"193.233.132.73"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236427; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/99210de056092a58.php"; depth:21; nocase; http.host; content:"104.245.33.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236426/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236426; rev:1;) alert tcp $HOME_NET any -> [159.69.86.27] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236425; rev:1;) alert tcp $HOME_NET any -> [35.228.7.192] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236423; rev:1;) alert tcp $HOME_NET any -> [20.106.168.188] 5050 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236422; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236420; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236421; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 11080 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236419; rev:1;) alert tcp $HOME_NET any -> [77.1.170.194] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236418; rev:1;) alert tcp $HOME_NET any -> [38.62.236.152] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236417; rev:1;) alert tcp $HOME_NET any -> [152.203.66.173] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236416; rev:1;) alert tcp $HOME_NET any -> [3.219.110.4] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236414; rev:1;) alert tcp $HOME_NET any -> [189.112.212.12] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236415; rev:1;) alert tcp $HOME_NET any -> [113.37.87.82] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236413; rev:1;) alert tcp $HOME_NET any -> [18.191.227.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236412; rev:1;) alert tcp $HOME_NET any -> [70.34.252.126] 5333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236410; rev:1;) alert tcp $HOME_NET any -> [18.198.146.182] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236411; rev:1;) alert tcp $HOME_NET any -> [141.94.244.50] 444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236409; rev:1;) alert tcp $HOME_NET any -> [64.226.108.52] 17240 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236408/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236408; rev:1;) alert tcp $HOME_NET any -> [63.35.217.229] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236407; rev:1;) alert tcp $HOME_NET any -> [34.29.171.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236406; rev:1;) alert tcp $HOME_NET any -> [20.195.169.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236405; rev:1;) alert tcp $HOME_NET any -> [40.76.178.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236404; rev:1;) alert tcp $HOME_NET any -> [54.174.138.45] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236403; rev:1;) alert tcp $HOME_NET any -> [34.226.155.20] 443 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236402; rev:1;) alert tcp $HOME_NET any -> [34.125.18.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236400; rev:1;) alert tcp $HOME_NET any -> [40.67.208.154] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-174-2.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236399; rev:1;) alert tcp $HOME_NET any -> [123.249.83.178] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236398; rev:1;) alert tcp $HOME_NET any -> [120.55.85.239] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236397; rev:1;) alert tcp $HOME_NET any -> [47.113.218.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236396; rev:1;) alert tcp $HOME_NET any -> [8.137.106.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236395; rev:1;) alert tcp $HOME_NET any -> [47.108.233.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236394; rev:1;) alert tcp $HOME_NET any -> [23.105.197.219] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236393; rev:1;) alert tcp $HOME_NET any -> [142.171.229.78] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mywestpac.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.panitor.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panelbar.ct8.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236389; rev:1;) alert tcp $HOME_NET any -> [68.233.120.219] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236388; rev:1;) alert tcp $HOME_NET any -> [45.139.104.69] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236387; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236386; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236385; rev:1;) alert tcp $HOME_NET any -> [79.137.197.6] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236384; rev:1;) alert tcp $HOME_NET any -> [114.29.236.137] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236383; rev:1;) alert tcp $HOME_NET any -> [37.60.235.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236382; rev:1;) alert tcp $HOME_NET any -> [20.14.88.85] 8447 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236381; rev:1;) alert tcp $HOME_NET any -> [115.79.230.192] 9999 (msg:"ThreatFox Venom RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236380; rev:1;) alert tcp $HOME_NET any -> [115.79.230.192] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236379; rev:1;) alert tcp $HOME_NET any -> [193.169.245.86] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236378; rev:1;) alert tcp $HOME_NET any -> [193.168.141.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236377; rev:1;) alert tcp $HOME_NET any -> [94.156.68.145] 7639 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236376; rev:1;) alert tcp $HOME_NET any -> [181.162.151.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; 
classtype:trojan-activity; sid:91236375; rev:1;) alert tcp $HOME_NET any -> [88.210.9.117] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236374; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev1.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omgs.asia"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236371; rev:1;) alert tcp $HOME_NET any -> [91.92.244.215] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev4.fvds.ru"; 
depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236369; rev:1;) alert tcp $HOME_NET any -> [20.236.74.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236368; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236367; rev:1;) alert tcp $HOME_NET any -> [64.226.104.86] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236366; rev:1;) alert tcp $HOME_NET any -> [64.225.100.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-140-197-75.us-east-2.compute.amazonaws.com"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236364/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236364; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236363; rev:1;) alert tcp $HOME_NET any -> [46.246.84.15] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236362; rev:1;) alert tcp $HOME_NET any -> [18.134.234.207] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236361; rev:1;) alert tcp $HOME_NET any -> [186.112.194.124] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236360; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236359; rev:1;) alert tcp $HOME_NET any -> [39.105.213.32] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236358; rev:1;) alert tcp $HOME_NET any -> [163.197.211.60] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236357; rev:1;) alert tcp $HOME_NET any -> [20.241.197.233] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236355/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236355; rev:1;) alert tcp $HOME_NET any -> [170.64.194.84] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236356/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_02; classtype:trojan-activity; sid:91236356; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236353; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236354; rev:1;) alert tcp $HOME_NET any -> 
[187.135.240.152] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236352; rev:1;) alert tcp $HOME_NET any -> [187.135.240.152] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236351; rev:1;) alert tcp $HOME_NET any -> [93.80.47.229] 81 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236350; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236349; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236348; rev:1;) alert tcp $HOME_NET any -> [91.92.249.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236346/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236346; rev:1;) alert tcp $HOME_NET any -> [91.92.242.62] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236347; rev:1;) alert tcp $HOME_NET any -> [91.92.242.143] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236345; rev:1;) alert tcp $HOME_NET any -> [23.26.137.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236344; rev:1;) alert tcp $HOME_NET any -> [154.221.17.44] 2999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236343; rev:1;) alert tcp $HOME_NET any -> [201.68.220.236] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236342; rev:1;) alert tcp $HOME_NET any -> [134.122.164.200] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236341; rev:1;) alert tcp $HOME_NET any -> [207.180.224.247] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236340; rev:1;) alert tcp $HOME_NET any -> [185.91.127.221] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236338; rev:1;) alert tcp $HOME_NET any -> [123.57.174.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236339; rev:1;) alert tcp $HOME_NET any -> [91.92.249.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236337; rev:1;) alert tcp $HOME_NET any -> [195.85.250.96] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236335/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236335; rev:1;) alert tcp $HOME_NET any -> [74.48.84.59] 23 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236336; rev:1;) alert tcp $HOME_NET any -> [154.9.252.97] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236334; rev:1;) alert tcp $HOME_NET any -> [34.143.208.146] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236333; rev:1;) alert tcp $HOME_NET any -> [1.94.11.140] 39443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236332; rev:1;) alert tcp $HOME_NET any -> [91.92.243.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236331; rev:1;) alert tcp $HOME_NET any -> [172.233.25.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-89-165-37.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236329; rev:1;) alert tcp $HOME_NET any -> [8.137.118.200] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236328; rev:1;) alert tcp $HOME_NET any -> [121.41.4.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236327; rev:1;) alert tcp $HOME_NET any -> [89.149.23.88] 20427 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technoblade.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236325/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_02_02; classtype:trojan-activity; sid:91236325; rev:1;) alert tcp $HOME_NET any -> [39.32.193.156] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236326; rev:1;) alert tcp $HOME_NET any -> [38.46.13.118] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"101.34.251.178"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236322; rev:1;) alert tcp $HOME_NET any -> [38.46.13.115] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"38.46.13.114"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236320/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_02; classtype:trojan-activity; sid:91236320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"8.134.165.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"103.239.247.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236317; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/g.pixel"; depth:8; nocase; http.host; content:"121.43.62.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"3.22.66.152"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236314; rev:1;) alert tcp $HOME_NET any -> [42.193.248.127] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"okled.cc"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"okled.cc"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236311; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"www.okled.cc"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.okled.cc"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdns.casacam.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236307; rev:1;) alert tcp $HOME_NET any -> [104.168.158.242] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236308; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v1/login"; depth:13; nocase; http.host; content:"cdns.casacam.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"20.56.70.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236305; rev:1;) alert tcp $HOME_NET any -> [121.41.4.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236302; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2kefhgzl-1316598603.bj.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"34.143.208.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236301/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.142.170.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236299; rev:1;) alert tcp $HOME_NET any -> [94.156.67.11] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236291; rev:1;) alert tcp $HOME_NET any -> [103.86.131.102] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236298; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1236297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236297; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236296; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236295; rev:1;) alert tcp $HOME_NET any -> [158.160.124.3] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236294; rev:1;) alert tcp $HOME_NET any -> [54.227.145.71] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236293; rev:1;) alert tcp $HOME_NET any -> [45.129.199.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236292/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236292; rev:1;) alert tcp $HOME_NET any -> [139.155.90.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.155.90.81"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236289; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236287/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236287; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236288/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236288; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236286/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236286; 
rev:1;) alert tcp $HOME_NET any -> [172.105.62.186] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236285/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236285; rev:1;) alert tcp $HOME_NET any -> [192.52.166.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236284/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236284; rev:1;) alert tcp $HOME_NET any -> [54.199.117.47] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236283/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236283; rev:1;) alert tcp $HOME_NET any -> [47.76.61.241] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236282/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236282; rev:1;) alert tcp $HOME_NET any -> [38.62.230.181] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236281/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236281; rev:1;) alert tcp $HOME_NET any -> [38.62.230.181] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236280/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236280; rev:1;) alert tcp $HOME_NET any -> [5.161.225.160] 80 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236279/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236279; rev:1;) alert tcp $HOME_NET any -> [43.198.97.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236278/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236278; rev:1;) alert tcp $HOME_NET any -> [84.201.141.119] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236277/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236277; rev:1;) alert tcp $HOME_NET any -> [151.236.9.226] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236250/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236250; rev:1;) alert tcp $HOME_NET any -> [185.123.53.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236252/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236252; rev:1;) alert tcp $HOME_NET any -> [185.36.143.155] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236251/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236251; rev:1;) alert tcp $HOME_NET any -> [45.155.121.203] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236248/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236248; rev:1;) alert tcp $HOME_NET any -> [45.155.121.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236247/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236247; rev:1;) alert tcp $HOME_NET any -> [85.239.34.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236249/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236249; rev:1;) alert tcp $HOME_NET any -> [45.129.199.23] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236244/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236244; rev:1;) alert tcp $HOME_NET any -> [45.129.199.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236245/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; 
sid:91236245; rev:1;) alert tcp $HOME_NET any -> [45.155.120.130] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236246/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236246; rev:1;) alert tcp $HOME_NET any -> [5.230.41.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236243/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236243; rev:1;) alert tcp $HOME_NET any -> [147.45.45.81] 30063 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236221; rev:1;) alert tcp $HOME_NET any -> [193.168.141.27] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236253/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236253; rev:1;) alert tcp $HOME_NET any -> [193.168.141.104] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236254/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236254; rev:1;) alert tcp $HOME_NET any -> [213.232.235.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1236255/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236255; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236269/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236269; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236270/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236270; rev:1;) alert tcp $HOME_NET any -> [94.156.68.158] 9931 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236265/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236265; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 11264 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236268/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_02; classtype:trojan-activity; sid:91236268; rev:1;) alert tcp $HOME_NET any -> [5.230.42.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236256; rev:1;) alert tcp $HOME_NET any -> [91.235.234.194] 443 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236257/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236257; rev:1;) alert tcp $HOME_NET any -> [185.123.53.150] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236258; rev:1;) alert tcp $HOME_NET any -> [5.231.0.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236259/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236259; rev:1;) alert tcp $HOME_NET any -> [194.110.247.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 95%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236260/; target:src_ip; metadata: confidence_level 95, first_seen 2024_02_02; classtype:trojan-activity; sid:91236260; rev:1;) alert tcp $HOME_NET any -> [20.56.70.245] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236276/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236276; rev:1;) alert tcp $HOME_NET any -> [129.159.134.19] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236275/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236275; rev:1;) alert tcp $HOME_NET any -> [31.210.173.10] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236274; rev:1;) alert tcp $HOME_NET any -> [103.86.131.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236273/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236273; rev:1;) alert tcp $HOME_NET any -> [47.115.225.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236272/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/temporary/sql6js8/wordpress3/7sqlasync/8/publicmariadb/central/to_serverasyncpublictemp.php"; depth:92; nocase; http.host; content:"185.87.199.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236271; rev:1;) alert tcp $HOME_NET any -> [185.243.115.50] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236266/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; 
sid:91236266; rev:1;) alert tcp $HOME_NET any -> [147.45.40.196] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"182.124.119.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236263/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_02; classtype:trojan-activity; sid:91236263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1/3secure/packet/gameflowerflowerpacket/local/generatoruniversal/asynclinesqlwindows/7javascripthttp/db57/track1python1/requestdatalifeexternal/packet4dbproton/providervm/testwindowstest/5javascriptwindows/pipe02public/processor/1securejavascript9/packetwp.php"; depth:261; nocase; http.host; content:"77.222.54.18"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_02; classtype:trojan-activity; sid:91236262; rev:1;) alert tcp $HOME_NET any -> [100.21.141.96] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236261/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_02; classtype:trojan-activity; sid:91236261; rev:1;) alert tcp $HOME_NET any -> [47.242.111.13] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236242; rev:1;) alert tcp $HOME_NET any -> [136.244.78.33] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236241; rev:1;) alert tcp $HOME_NET any -> [176.124.199.126] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236240; rev:1;) alert tcp $HOME_NET any -> [91.151.93.75] 9443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236239/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236239; rev:1;) alert tcp $HOME_NET any -> [182.254.140.58] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236238/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236238; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236237/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236237; 
rev:1;) alert tcp $HOME_NET any -> [47.76.56.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/apache/t0ztsfr9u"; depth:22; nocase; http.host; content:"waltonfoods.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.91.127.221"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236234; rev:1;) alert tcp $HOME_NET any -> [45.15.156.209] 40481 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236233; rev:1;) alert tcp $HOME_NET any -> [45.139.104.69] 443 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236232; rev:1;) alert 
tcp $HOME_NET any -> [94.156.65.19] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236231/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236231; rev:1;) alert tcp $HOME_NET any -> [38.12.28.242] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236230; rev:1;) alert tcp $HOME_NET any -> [2.56.109.134] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236229/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236229; rev:1;) alert tcp $HOME_NET any -> [74.12.146.248] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236228/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236228; rev:1;) alert tcp $HOME_NET any -> [194.219.192.97] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236227; rev:1;) alert tcp $HOME_NET any -> [18.188.25.88] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236226/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236226; rev:1;) alert tcp $HOME_NET any -> [164.92.180.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236225; rev:1;) alert tcp $HOME_NET any -> [103.116.248.171] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236224; rev:1;) alert tcp $HOME_NET any -> [165.232.64.60] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236223; rev:1;) alert tcp $HOME_NET any -> [146.190.126.61] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91236222; rev:1;) alert tcp $HOME_NET any -> [85.208.109.15] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236220; rev:1;) alert tcp $HOME_NET any -> [147.124.207.124] 24624 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236219; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12136 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236030/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"0.tcp.sa.ngrok.io"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pjnbadfjandkadm3kd.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pjnbadfjandkadm3kd.com"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1236215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"qcpanel.hackcrack.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1236216/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagelongpollapiprotectdefaultlinuxflowerprivate.php"; depth:53; nocase; http.host; content:"369023cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236218; rev:1;) alert tcp $HOME_NET any -> [124.221.151.149] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236217/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236217; rev:1;) alert tcp $HOME_NET any -> [103.191.15.137] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236213/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236213; rev:1;) alert tcp $HOME_NET any -> [5.181.156.118] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsecureupdatelongpollmultiprotecttestlocaldownloads.php"; depth:58; 
nocase; http.host; content:"681428cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236211; rev:1;) alert tcp $HOME_NET any -> [84.155.4.131] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236210; rev:1;) alert tcp $HOME_NET any -> [2.50.137.98] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236209; rev:1;) alert tcp $HOME_NET any -> [81.213.221.120] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236208; rev:1;) alert tcp $HOME_NET any -> [45.58.52.17] 9090 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236207; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 18336 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236206; 
rev:1;) alert tcp $HOME_NET any -> [38.62.236.152] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236205; rev:1;) alert tcp $HOME_NET any -> [102.134.252.5] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236204; rev:1;) alert tcp $HOME_NET any -> [154.41.253.67] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236202; rev:1;) alert tcp $HOME_NET any -> [18.184.153.186] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236201; rev:1;) alert tcp $HOME_NET any -> [45.142.100.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236200; rev:1;) alert tcp $HOME_NET any -> [146.190.32.94] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236199; rev:1;) alert tcp $HOME_NET any -> [87.254.230.24] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236198; rev:1;) alert tcp $HOME_NET any -> [139.162.173.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236197; rev:1;) alert tcp $HOME_NET any -> [120.26.3.31] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sts.drivevvyze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236195; rev:1;) alert tcp $HOME_NET any -> [182.92.209.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236194; rev:1;) alert tcp 
$HOME_NET any -> [47.108.153.169] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236193; rev:1;) alert tcp $HOME_NET any -> [47.115.228.149] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236192; rev:1;) alert tcp $HOME_NET any -> [8.130.80.37] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236191; rev:1;) alert tcp $HOME_NET any -> [8.130.123.192] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236190; rev:1;) alert tcp $HOME_NET any -> [8.130.86.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236188; rev:1;) alert tcp $HOME_NET any -> [203.9.150.113] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1236189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236189; rev:1;) alert tcp $HOME_NET any -> [121.42.9.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236187; rev:1;) alert tcp $HOME_NET any -> [16.62.149.189] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236186; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236185; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panitor.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.doobiefly.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236183; rev:1;) alert tcp 
$HOME_NET any -> [45.118.146.123] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.3psil0n.fr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236181; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236180; rev:1;) alert tcp $HOME_NET any -> [91.92.249.158] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236179; rev:1;) alert tcp $HOME_NET any -> [94.156.144.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236178; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 8880 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236177; rev:1;) alert tcp $HOME_NET any -> [134.195.90.8] 8890 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236176; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rss-bridge.emkd.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236174; rev:1;) alert tcp $HOME_NET any -> [192.46.228.106] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236175; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-206-164-202.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236173; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emkd.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1236172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236172; 
rev:1;) alert tcp $HOME_NET any -> [211.24.117.21] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236171; rev:1;) alert tcp $HOME_NET any -> [45.147.250.155] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236170; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 33920 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236168; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 45118 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236169; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 465 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236167; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 102 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236166; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 12078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236165; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6667 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236163; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236164; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5220 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236162; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2079 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236160; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2222 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236161; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4840 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236159; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236158; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 48148 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236157; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 52200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236155; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16993 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236156/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236156; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 43014 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236154; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5432 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236152; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 63842 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236153; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 110 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236151; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 60000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236149; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64611 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236150; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50956 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236148; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 45910 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236147; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5672 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236145; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236146; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 64374 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236144; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236143; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5307 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236142; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 20547 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236140; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 51376 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236141; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18084 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236139; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 16196 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236138; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 11467 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236137; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2380 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236135; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8389 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236136; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2096 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236134; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 49451 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236133; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 6699 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236132; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 9042 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236130; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6697 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236131; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6002 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236129; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 27199 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236127; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 31763 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236128; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 24663 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236126; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6006 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236125; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236123; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2701 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236124; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6513 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236122; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 8010 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236121; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 37215 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236119; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5903 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236120; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 36043 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236118; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 28139 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236117; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50580 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236115/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236115; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 46207 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236116; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40329 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236114; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 58603 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236112; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 61616 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236113; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 995 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236111; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236110; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 9000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236108; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18029 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236109; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6362 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236107; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2762 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236105; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5902 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91236106; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1521 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236104; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2761 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236103; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236101; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2078 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236102; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236100; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 5900 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236098; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6008 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236099; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1200 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236097; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 1080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236096; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236094; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 18049 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236095; rev:1;) alert tcp 
$HOME_NET any -> [197.225.117.157] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236093; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2323 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236091; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4887 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236092; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 10258 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236090; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 57983 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236088; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6004 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236089; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 52219 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236087; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 50001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236086; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 2095 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236084; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 4369 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236085; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 40846 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236083; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 27017 
(msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236082; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6001 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236080; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 7170 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236081; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 3390 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236079; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 44332 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236077; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 104 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236078/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236078; rev:1;) alert tcp $HOME_NET any -> [197.225.117.157] 6597 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236076; rev:1;) alert tcp $HOME_NET any -> [191.82.244.204] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236075; rev:1;) alert tcp $HOME_NET any -> [91.92.247.180] 57420 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236074; rev:1;) alert tcp $HOME_NET any -> [5.42.67.89] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236073; rev:1;) alert tcp $HOME_NET any -> [42.96.11.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236072; rev:1;) alert tcp $HOME_NET any -> [172.94.4.158] 8088 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236071; rev:1;) alert tcp $HOME_NET any -> [176.103.52.51] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236070; rev:1;) alert tcp $HOME_NET any -> [178.73.192.6] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236069; rev:1;) alert tcp $HOME_NET any -> [142.171.213.30] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236068; rev:1;) alert tcp $HOME_NET any -> [38.147.189.43] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236067; rev:1;) alert tcp $HOME_NET any -> [34.162.103.107] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236066/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236066; rev:1;) alert tcp 
$HOME_NET any -> [212.73.150.182] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236065/; target:src_ip; metadata: confidence_level 90, first_seen 2024_02_01; classtype:trojan-activity; sid:91236065; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236064; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 1765 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236063; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236061; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236062; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1236060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236060; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236058; rev:1;) alert tcp $HOME_NET any -> [187.135.149.169] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236059; rev:1;) alert tcp $HOME_NET any -> [221.159.15.231] 80 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236057/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236057; rev:1;) alert tcp $HOME_NET any -> [124.70.140.36] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236055; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236056; rev:1;) alert tcp $HOME_NET any -> [193.29.56.172] 443 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236053; rev:1;) alert tcp $HOME_NET any -> [192.151.243.135] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236054; rev:1;) alert tcp $HOME_NET any -> [122.51.220.170] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236052; rev:1;) alert tcp $HOME_NET any -> [172.105.48.31] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236051; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236050; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236048/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236048; rev:1;) alert tcp $HOME_NET any -> [34.170.254.228] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236049; rev:1;) alert tcp $HOME_NET any -> [1.117.60.33] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236047; rev:1;) alert tcp $HOME_NET any -> [149.104.27.40] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236046; rev:1;) alert tcp $HOME_NET any -> [107.150.5.191] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236044; rev:1;) alert tcp $HOME_NET any -> [192.210.186.187] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236045; rev:1;) alert tcp $HOME_NET any -> [47.236.108.15] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236043; rev:1;) alert tcp $HOME_NET any -> [47.109.74.65] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236042; rev:1;) alert tcp $HOME_NET any -> [47.95.31.78] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236041; rev:1;) alert tcp $HOME_NET any -> [59.110.47.212] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236039; rev:1;) alert tcp $HOME_NET any -> [152.136.100.26] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236040; rev:1;) alert tcp $HOME_NET any -> [20.171.192.244] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; 
sid:91236038; rev:1;) alert tcp $HOME_NET any -> [205.185.118.120] 1200 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236037; rev:1;) alert tcp $HOME_NET any -> [23.224.81.191] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236036; rev:1;) alert tcp $HOME_NET any -> [81.70.79.31] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236035; rev:1;) alert tcp $HOME_NET any -> [185.91.127.221] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236033; rev:1;) alert tcp $HOME_NET any -> [43.248.189.11] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236034; rev:1;) alert tcp $HOME_NET any -> [117.50.185.133] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1236032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236032; rev:1;) alert tcp $HOME_NET any -> [103.86.131.103] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236029/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91236029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"124.70.140.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236028; rev:1;) alert tcp $HOME_NET any -> [185.222.57.87] 4505 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236027/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.113"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236025; rev:1;) alert tcp $HOME_NET any -> [5.75.215.113] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236026/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236024; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236022; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236021; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236020; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236015; rev:1;) alert tcp $HOME_NET any -> [4.246.234.87] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cnn/cnnx/qwerty/stream_hdt/1/cnnxlive1_6.bootstrap"; depth:51; nocase; http.host; content:"20.42.56.4"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236013; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236010/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236010; rev:1;) alert tcp $HOME_NET any -> [93.123.85.91] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236011/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236011; rev:1;) alert tcp $HOME_NET any -> [41.216.183.193] 4258 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236012/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236012; rev:1;) alert tcp $HOME_NET any -> [172.111.10.14] 9506 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236006/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236006; rev:1;) alert tcp $HOME_NET any -> [172.111.10.14] 9621 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236007/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236007; rev:1;) alert tcp $HOME_NET any -> [94.156.71.208] 3912 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236008/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236008; rev:1;) alert tcp $HOME_NET any -> [94.156.71.208] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1236009/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91236009; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f1aba1fe.php"; depth:13; nocase; http.host; content:"self-lighting-subpr.000webhostapp.com"; depth:37; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1236005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail830071003.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail838727492.mywebspace.zone"; depth:29; nocase; reference:url, threatfox.abuse.ch/ioc/1235997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rinababyshop.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1235998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235998; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"li334-138.members.linode.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1235999/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_01; classtype:trojan-activity; sid:91235999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"novaesolution.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"umzug-logistic.de"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1236001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"database.umzug-logistic.de"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail.tezcaniletisim.com.tr"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1236004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91236004; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"tezcaniletisim.com.tr"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1236003/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_01; classtype:trojan-activity; sid:91236003; rev:1;) alert tcp $HOME_NET any -> [51.222.51.154] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235945; rev:1;) alert tcp $HOME_NET any -> [51.222.51.155] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235946; rev:1;) alert tcp $HOME_NET any -> [51.222.51.156] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235947; rev:1;) alert tcp $HOME_NET any -> [51.222.51.152] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235943; rev:1;) alert tcp $HOME_NET any -> [51.222.51.153] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235944; rev:1;) alert tcp $HOME_NET any -> [51.222.51.149] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235940; rev:1;) alert tcp $HOME_NET any -> [51.222.51.150] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235941; rev:1;) alert tcp $HOME_NET any -> [51.222.51.151] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235942; rev:1;) alert tcp $HOME_NET any -> [51.222.51.146] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235937; rev:1;) alert tcp $HOME_NET any -> [51.222.51.147] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235938; rev:1;) alert tcp $HOME_NET any -> [51.222.51.148] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235939; rev:1;) alert tcp 
$HOME_NET any -> [51.222.51.145] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235936; rev:1;) alert tcp $HOME_NET any -> [37.187.1.37] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235935; rev:1;) alert tcp $HOME_NET any -> [51.222.51.157] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235948; rev:1;) alert tcp $HOME_NET any -> [51.222.51.158] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235949; rev:1;) alert tcp $HOME_NET any -> [167.114.173.191] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235950; rev:1;) alert tcp $HOME_NET any -> [198.50.214.209] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235951; rev:1;) alert tcp $HOME_NET any -> [198.50.214.210] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235952; rev:1;) alert tcp $HOME_NET any -> [198.50.214.212] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235954; rev:1;) alert tcp $HOME_NET any -> [198.50.214.211] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235953; rev:1;) alert tcp $HOME_NET any -> [198.50.214.213] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235955; rev:1;) alert tcp $HOME_NET any -> [198.50.214.214] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235956; rev:1;) alert tcp $HOME_NET any -> [198.50.214.215] 8100 
(msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235957; rev:1;) alert tcp $HOME_NET any -> [198.50.214.216] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235958; rev:1;) alert tcp $HOME_NET any -> [198.50.214.217] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235959; rev:1;) alert tcp $HOME_NET any -> [198.50.214.218] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235960; rev:1;) alert tcp $HOME_NET any -> [198.50.214.219] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235961; rev:1;) alert tcp $HOME_NET any -> [198.50.214.220] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235962/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235962; rev:1;) alert tcp $HOME_NET any -> [198.50.214.221] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235963; rev:1;) alert tcp $HOME_NET any -> [198.50.214.222] 8100 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235964; rev:1;) alert tcp $HOME_NET any -> [138.197.150.104] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235966; rev:1;) alert tcp $HOME_NET any -> [159.203.48.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235968; rev:1;) alert tcp $HOME_NET any -> [104.248.54.93] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235967; rev:1;) alert tcp $HOME_NET any -> [159.203.3.76] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235969; rev:1;) alert tcp $HOME_NET any -> [87.106.251.121] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235970; rev:1;) alert tcp $HOME_NET any -> [212.227.141.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235971; rev:1;) alert tcp $HOME_NET any -> [45.76.179.15] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235972; rev:1;) alert tcp $HOME_NET any -> [45.77.45.237] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235973; rev:1;) alert tcp $HOME_NET any -> [207.148.89.210] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235974; 
rev:1;) alert tcp $HOME_NET any -> [190.96.113.171] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235975; rev:1;) alert tcp $HOME_NET any -> [190.96.113.173] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235976; rev:1;) alert tcp $HOME_NET any -> [190.96.113.174] 8082 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235977; rev:1;) alert tcp $HOME_NET any -> [190.92.148.174] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235978; rev:1;) alert tcp $HOME_NET any -> [96.126.101.138] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235980; rev:1;) alert tcp $HOME_NET any -> [190.92.148.73] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235979; rev:1;) alert tcp $HOME_NET any -> [218.158.186.176] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235981; rev:1;) alert tcp $HOME_NET any -> [222.107.255.119] 18888 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235982; rev:1;) alert tcp $HOME_NET any -> [13.79.72.214] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235983; rev:1;) alert tcp $HOME_NET any -> [20.124.237.208] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235984; rev:1;) alert tcp $HOME_NET any -> [5.11.183.214] 1080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235985; rev:1;) alert tcp $HOME_NET any -> [202.158.36.51] 2134 (msg:"ThreatFox 
FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235988; rev:1;) alert tcp $HOME_NET any -> [188.59.3.0] 30150 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235986; rev:1;) alert tcp $HOME_NET any -> [68.178.148.35] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235987; rev:1;) alert tcp $HOME_NET any -> [45.146.252.6] 2687 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235989; rev:1;) alert tcp $HOME_NET any -> [202.169.44.105] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235990; rev:1;) alert tcp $HOME_NET any -> [117.200.78.4] 8080 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235991/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_02_01; classtype:trojan-activity; sid:91235991; rev:1;) alert tcp $HOME_NET any -> [185.78.165.105] 80 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235992; rev:1;) alert tcp $HOME_NET any -> [13.208.144.176] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235995/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235995; rev:1;) alert tcp $HOME_NET any -> [103.86.131.78] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"sjyey.com"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235934/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"babonwo.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235933/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; 
classtype:trojan-activity; sid:91235933; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/geoasync7/6traffic/asynchttp5multi/3/wordpressimagewordpressprivate/1update/request/4/pollvmlineproton/eternal/phpphp/eternalpythonsecurecpulongpolldefaultlinuxflowergeneratordatalife.php"; depth:188; nocase; http.host; content:"5.35.80.183"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235932; rev:1;) alert tcp $HOME_NET any -> [91.92.249.69] 3609 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/is-ready"; depth:9; nocase; http.host; content:"harold.jetos.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235930; rev:1;) alert tcp $HOME_NET any -> [139.28.36.84] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235929/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235929; rev:1;) alert tcp $HOME_NET any -> [65.108.24.114] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235928; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ghf3fkdw/post.php"; depth:18; nocase; http.host; content:"81.19.140.204"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235927; rev:1;) alert tcp $HOME_NET any -> [47.99.98.42] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235926/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235926; rev:1;) alert tcp $HOME_NET any -> [41.227.202.142] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235925/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235925; rev:1;) alert tcp $HOME_NET any -> [72.27.102.76] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235924/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235924; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235912/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_02_01; classtype:trojan-activity; sid:91235912; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235915/; target:src_ip; metadata: confidence_level 75, first_seen 2024_02_01; classtype:trojan-activity; sid:91235915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tzitziklishop3.ddns.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mozi.m"; depth:7; nocase; http.host; content:"125.41.0.91"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235923/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235923; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wiund98272sb01jshbq.con-ip.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235922; rev:1;) alert tcp $HOME_NET any -> [91.92.254.42] 6548 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235921; rev:1;) alert tcp $HOME_NET 
any -> [51.81.69.127] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235919/; target:src_ip; metadata: confidence_level 50, first_seen 2024_02_01; classtype:trojan-activity; sid:91235919; rev:1;) alert tcp $HOME_NET any -> [191.233.28.7] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235918; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"51.81.69.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_02_01; classtype:trojan-activity; sid:91235917; rev:1;) alert tcp $HOME_NET any -> [81.214.129.138] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235916/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235916; rev:1;) alert tcp $HOME_NET any -> [45.195.76.82] 9966 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235914/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235914; rev:1;) alert tcp $HOME_NET any -> [3.22.66.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235913/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235913; rev:1;)
# NOTE(review): the four NjRAT ip:port rules below (sids 91235911, 91235910, 91235909,
# 91235908, same port 12738 as 91235912 further up) point at addresses that look like
# public-cloud ranges (3.x.x.x / 13.58.x.x, presumably AWS -- TODO confirm ownership).
# Such IPs are recycled quickly after a C2 is torn down. These rules carry no flow: and
# no content: match, so any outbound packet to the ip:port tuple alerts (a bare SYN is
# enough); "threshold: type limit, track by_src, seconds 60, count 1" caps that at one
# alert per internal source per 60 s. Check the first_seen date against the current
# holder of the address before treating a hit as confirmed C2.
alert tcp $HOME_NET any -> [3.142.81.166] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235911; rev:1;)
alert tcp $HOME_NET any -> [3.19.130.43] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235910; rev:1;)
alert tcp $HOME_NET any -> [3.142.167.54] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235909; rev:1;)
alert tcp $HOME_NET any -> [13.58.157.220] 12738 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235908; rev:1;)
# Port 443 with no TLS/JA3 or content match: this fires on the 4-tuple alone, so a
# reassigned address behind a CDN or shared host will look identical to real Get2 C2.
alert tcp $HOME_NET any -> [103.86.131.107] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235907; rev:1;)
alert tcp $HOME_NET any -> [47.76.34.199] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_02_01; classtype:trojan-activity; sid:91235906; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"atedhilarlymcken.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eriegentsfsepara.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lacycuratedhila.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"licncesispervicear.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lymckensecuryre.com"; depth:19; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naightdecipientc.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"normaticalacycurat.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nscormationw.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"petropicalnorma.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yclearneriegen.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235902/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235902; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 11797 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235892/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spain-se-lab.eastus.cloudapp.azure.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235888; rev:1;) alert tcp $HOME_NET any -> [20.42.56.4] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redflagssecurity.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.redflagssecurity.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235886; rev:1;) alert tcp $HOME_NET any -> 
[141.98.7.15] 1985 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235883/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bots.gxz.me"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235885/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235885; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235875/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235875; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235876/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235876; rev:1;) alert tcp $HOME_NET any -> [105.96.242.45] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235905/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235905; rev:1;) alert tcp $HOME_NET any -> [103.86.131.69] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235904/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.99.93.124"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235903; rev:1;) alert tcp $HOME_NET any -> [101.34.251.178] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235891/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/longpolltrack.php"; depth:18; nocase; http.host; content:"718710cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235890; rev:1;) alert tcp $HOME_NET any -> [38.46.13.114] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235884/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235884; rev:1;) alert tcp $HOME_NET any -> [102.113.185.187] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235882/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_31; classtype:trojan-activity; sid:91235882; rev:1;) alert tcp $HOME_NET any -> [141.136.44.219] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235881/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235881; rev:1;) alert tcp $HOME_NET any -> [98.186.108.222] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235880/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235880; rev:1;) alert tcp $HOME_NET any -> [5.75.211.130] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.211.130"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235878; rev:1;) alert tcp $HOME_NET any -> [159.223.64.235] 4483 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235877; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 12041 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235874; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 12041 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsquery-3.3.1.min.js"; depth:21; nocase; http.host; content:"192.243.102.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235872; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235871; rev:1;) alert tcp $HOME_NET any -> [18.197.239.109] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235870; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 10673 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.networkspacer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waltonfoods.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.waltonfoods.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.globalusa.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"globalusa.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; 
classtype:trojan-activity; sid:91235865; rev:1;)
# NOTE(review): every dns_query rule in this file matches the queried name EXACTLY --
# depth equals the content length and isdataat:!1,relative rejects any trailing byte --
# which is why kennahammond.autos (sid 91235851) and www.kennahammond.autos
# (sid 91235852) need two separate rules. Any other label in front of the apex
# (a random or per-victim subdomain) is not covered by these rules at all.
# They also only see cleartext DNS crossing the sensor: clients using DoH/DoT, or a
# resolver that sits outside the monitored path, bypass them entirely.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asb-help-assistance.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235866; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"networkspacer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235867; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennahammond.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235851; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kennahammond.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235852; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kayleycuevas.autos"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235853; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kayleycuevas.autos"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.reidkelley.autos"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cademoses.autos"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.madisonbartlett.autos"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cademoses.autos"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"reidkelley.autos"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zzwibxun.jimmychunglin.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"madisonbartlett.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/doomday.zip"; depth:22; nocase; http.host; content:"5.181.159.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235849; rev:1;) alert tcp $HOME_NET any -> [5.181.159.49] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/91c007b5.php"; depth:13; nocase; http.host; content:"185.185.68.50"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235848; rev:1;)
# NOTE(review): the "url" rules below that carry http.uri content:"/" depth:1
# (sids 91235755, 91235756, 91235758, 91235759, 91235823) do not pin a URL at all:
# any request path starting with "/" satisfies the URI match, so each rule is in
# effect "any GET whose Host header equals X" (http.host is exact -- depth equals the
# content length and isdataat:!1,relative). Expect them to fire on ordinary browsing
# to those hosts, not only on the malicious path; nocase on "/" is a no-op.
# Where the same host also has a path-specific rule (91235757 /ui_cache.js on
# followcache.com, 91235760 /cdn-vs/cache.php on andiandnoah.com) a single request
# to that path raises both alerts -- dedupe by host in the SIEM. Cleartext HTTP only:
# the same request over TLS is not inspected by any of these rules.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"209.126.102.155"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235755; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"followcache.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235756; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ui_cache.js"; depth:12; nocase; http.host; content:"followcache.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235757; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"152.89.218.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235758; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235759; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235760; rev:1;)
# Same DDNS host covered twice on purpose: the dns_query rule catches the resolution,
# the http rule the first GET. A DoH client or a hard-coded IP will only trip the latter.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235822; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blessingjumarou1ubk01.duckdns.org"; depth:33; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235823; rev:1;)
alert tcp $HOME_NET any -> [104.243.242.194] 39841 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235824; rev:1;)
# NOTE(review): the payload path for brodbeckconsulting.com sits under /wp-content/
# (sid 91235826), which looks like a compromised legitimate WordPress site rather than
# attacker-registered infrastructure -- if so, the bare domain rule 91235825 will also
# fire on benign visits to that site. Triage on the URL hit, not the DNS hit alone.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"brodbeckconsulting.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235825; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-content/filmcensurernes.png"; depth:31; nocase; http.host; content:"brodbeckconsulting.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235826; rev:1;)
# NOTE(review): sids 91235743-91235750, 91235741, 91235742, 91235739 and the rule cut
# off at the end of this run are malformed relative to every other "url" rule in this
# file. They put a bare IP literal in http.uri with depth equal to the content length,
# i.e. the literal must sit at offset 0 of the URI buffer -- but a well-formed
# request-target starts with "/" (or "http://" in absolute form), so the constraint
# presumably never holds; only a request line with no leading slash and no scheme would
# match. There is also no http.host anchor, so the host is never checked. These look
# like a generator artefact for URL IOCs that consist of the host only; the intended
# form is most likely `http.host; content:"<ip>"; depth:<len>; isdataat:!1,relative;`
# as used by the other url rules. Treat them as non-functional until verified against
# a pcap -- TODO confirm with a test request to one of these hosts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"159.253.214.149"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1235743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235743; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.91.45.248"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235744; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"51.79.99.120"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235745; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"67.205.139.23"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235746; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"183.90.230.5"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235747; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"162.19.24.166"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235748; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"62.210.137.149"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235749; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.82.120.47"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235750; rev:1;)
# ip:port rule (no flow:/content:), fires on any packet to the tuple; 3.69.x.x looks
# like a public-cloud range -- see the cloud-IP caveat on the other NjRAT rules.
alert tcp $HOME_NET any -> [3.69.157.220] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235754/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235754; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.66.9.215"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1235741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235741; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"128.199.66.118"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1235742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235742; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"216.69.162.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235739; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"161.97.132.85"; depth:13; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.241.48.106"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.176.58.32"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1235738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235738; rev:1;) alert tcp $HOME_NET any -> [38.180.60.31] 80 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235847/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"api.d-n-s.name"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235828/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"areekaweb.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235829/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; 
classtype:trojan-activity; sid:91235829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clickcom.click"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235830/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"clicko.click"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235831/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"ehangmun.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235832/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"entraide-internationale.fr"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"line-api.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 75%)"; dns_query; content:"miltonhouse.nl"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"secure-cama.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"symantke.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235837; rev:1;) alert tcp $HOME_NET any -> [206.188.196.44] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235827; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 25 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235821; rev:1;) alert tcp $HOME_NET any -> [154.53.160.71] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235820/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235820; rev:1;) alert tcp $HOME_NET any -> [34.193.15.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235819; rev:1;) alert tcp $HOME_NET any -> [3.208.237.246] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235818; rev:1;) alert tcp $HOME_NET any -> [154.8.138.27] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drivevvyze.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myaccount.deenpel.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235815; rev:1;) alert tcp $HOME_NET any -> [47.109.136.12] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235814; rev:1;) alert tcp $HOME_NET any -> [211.97.157.183] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235813; rev:1;) alert tcp $HOME_NET any -> [124.223.56.72] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235812; rev:1;) alert tcp $HOME_NET any -> [43.138.110.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"23.105.197.219.16clouds.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235811; rev:1;) alert tcp $HOME_NET any -> [123.249.86.77] 8089 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235809/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235809; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235808; rev:1;) alert tcp $HOME_NET any -> [51.195.83.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235807; rev:1;) alert tcp $HOME_NET any -> [147.45.40.99] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235806; rev:1;) alert tcp $HOME_NET any -> [45.93.251.166] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235805; rev:1;) alert tcp $HOME_NET any -> [81.28.6.17] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235804; rev:1;) alert tcp $HOME_NET any -> [193.233.254.10] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235803; rev:1;) alert tcp $HOME_NET any -> [95.181.151.118] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235801; rev:1;) alert tcp $HOME_NET any -> [69.87.216.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235802; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 49152 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235799; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 81 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235800; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 31193 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; 
sid:91235798; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 16714 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235797; rev:1;) alert tcp $HOME_NET any -> [189.152.202.202] 222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235796; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235795; rev:1;) alert tcp $HOME_NET any -> [79.137.226.104] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pgad.emkd.ru"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235794; rev:1;) alert tcp $HOME_NET any -> [46.4.80.247] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev1.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nl1.nextpg.cfd"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235790; rev:1;) alert tcp $HOME_NET any -> [188.119.112.49] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235789; rev:1;) alert tcp $HOME_NET any -> [193.233.254.106] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235788; rev:1;) alert tcp $HOME_NET any -> [89.148.24.117] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235787; rev:1;) alert tcp $HOME_NET any -> 
[34.32.55.86] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235786/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235786; rev:1;) alert tcp $HOME_NET any -> [44.219.14.139] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235785/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_31; classtype:trojan-activity; sid:91235785; rev:1;) alert tcp $HOME_NET any -> [187.135.130.228] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235784; rev:1;) alert tcp $HOME_NET any -> [187.135.130.228] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235783; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2295 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235782; rev:1;) alert tcp $HOME_NET any -> [187.135.122.173] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235781/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235781; rev:1;) alert tcp $HOME_NET any -> [43.128.203.170] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235780; rev:1;) alert tcp $HOME_NET any -> [47.99.93.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235778; rev:1;) alert tcp $HOME_NET any -> [136.244.98.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235779; rev:1;) alert tcp $HOME_NET any -> [154.12.85.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235777; rev:1;) alert tcp $HOME_NET any -> [124.222.19.248] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235776; rev:1;) alert tcp $HOME_NET any -> [47.93.98.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"209.lan-za2-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/baselocal/73updategame/external06temporary/processor/universal/eternalgeomultiasynctestuniversalwptempcdncentral.php"; depth:117; nocase; http.host; content:"77.91.124.159"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.139.177.77"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"185.196.10.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235771/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"217.194.133.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.113.216.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/introduction/edr"; depth:17; nocase; http.host; content:"110.40.151.20"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235766; rev:1;)
# ---------------------------------------------------------------------------
# Reviewer notes on the three auto-generated rule shapes used in this feed
# (one rule per ThreatFox IOC; sid = 9 + ThreatFox IOC id):
#  * "alert http" URL rules: http.method GET, then an http.uri content whose
#    depth equals the string length (the path must START with it; "nocase"),
#    then an http.host content whose depth equals the host length followed by
#    "isdataat:!1,relative" (no byte may follow => exact host match). The host
#    clause carries most of the specificity; many paths are short or generic
#    ("/", "/api", "/load", "/pixel"). http.host is a normalised buffer, which
#    is why no "nocase" appears on it.
#  * "alert tcp ... -> [ip] port" rules: no flow or content keyword, so ANY
#    packet from $HOME_NET to that ip:port (including the first SYN) matches;
#    "threshold: type limit, track by_src, seconds 60, count 1" caps this at
#    one alert per internal source per minute. Treat a hit as destination
#    reputation only and confirm via the ThreatFox reference before acting.
#  * "alert dns" rules: exact query name (depth = length, isdataat:!1,relative,
#    nocase, fast_pattern) on the legacy "dns_query" buffer spelling.
# "metadata: confidence_level" mirrors the submitter's confidence; the 50-80%
# entries are the first candidates for local suppression if they prove noisy.
# target:src_ip marks the internal client as the victim in every rule.
# ---------------------------------------------------------------------------
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"31.41.244.172"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235765; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.222.165.110"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235764; rev:1;)
# 139.59.238.68 appears twice: as a Cobalt Strike ip:port IOC (sid 91235763)
# and as a URL IOC that also pins the path (sid 91235762).
alert tcp $HOME_NET any -> [139.59.238.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235763; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/set/v9.32/omdf83jf6h"; depth:21; nocase; http.host; content:"139.59.238.68"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235762; rev:1;)
alert tcp $HOME_NET any -> [119.161.100.84] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235761; rev:1;)
# Three NjRAT hosts sharing port 15520, all first seen 2024_01_31 -- presumably
# one campaign (inference from msg/port only).
alert tcp $HOME_NET any -> [18.197.239.109] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235753; rev:1;)
alert tcp $HOME_NET any -> [3.69.115.178] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235752; rev:1;)
alert tcp $HOME_NET any -> [3.66.38.117] 15520 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235751; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"css2.officeserver.at"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235735; rev:1;)
# NOTE(review): the two port-53 C2 rules below are proto "tcp" only; a beacon
# using UDP/53 to the same hosts is not covered by them.
alert tcp $HOME_NET any -> [20.170.42.196] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235736; rev:1;)
alert tcp $HOME_NET any -> [8.212.183.173] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235734; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.unitedromtech.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235733; rev:1;)
alert tcp $HOME_NET any -> [78.46.135.92] 1575 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235732; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.67] 9785 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235731/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235731; rev:1;)
alert tcp $HOME_NET any -> [172.96.14.30] 6871 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235730/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235730; rev:1;)
# The next block of URL rules uses very short generic paths (/pixel, /load,
# /fwlink, /j.ad, /ie9compatviewlist.xml, /g.pixel, /en_us/all.js, /activity,
# /push, /updates.rss, /pixel.gif). They resemble stock Cobalt Strike
# Malleable-C2 profile URIs (reviewer inference; the msg names no family).
# Only the exact-host clause keeps them from false-positiving -- never reuse
# the URI clause on its own. Several hosts appear twice with different paths
# (47.109.102.98, 108.165.113.54, 124.71.5.199).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235729; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235728; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"1.13.17.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235727; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"43.159.136.92"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235726; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235725; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235724; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235723; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235722; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"115.29.171.175"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235721; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235720; rev:1;)
# Hosts under *.apigw.tencentcs.com look like cloud API-gateway endpoints, i.e.
# a redirector in front of the real C2 (reviewer inference from the name). The
# 50-byte exact-host match is what keeps these two rules specific.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"service-dlrbbup7-1309697666.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235719; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235718; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ibmxwork.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"support.ibmxwork.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235715; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235714; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"60.204.135.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235713; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235712; rev:1;)
# 75-80% ip:port entries; two of them sit on tcp/443, where any TLS session to
# the host (legitimate or not) will raise the alert.
alert tcp $HOME_NET any -> [47.99.54.48] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235711/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235711; rev:1;)
alert tcp $HOME_NET any -> [103.86.130.79] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235710/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235710; rev:1;)
alert tcp $HOME_NET any -> [115.243.250.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235709; rev:1;)
alert tcp $HOME_NET any -> [185.38.142.22] 666 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235701/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235701; rev:1;)
alert tcp $HOME_NET any -> [45.140.146.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235708/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235708; rev:1;)
# One AsyncRAT host (172.94.32.33) listed on four ports: 8808, 7707 and 6606 at
# 75%, 8881 at 100%.
alert tcp $HOME_NET any -> [172.94.32.33] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235707/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235707; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235706/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235706; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235705/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235705; rev:1;)
alert tcp $HOME_NET any -> [172.94.32.33] 8881 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235704; rev:1;)
alert tcp $HOME_NET any -> [124.70.140.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235703; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jsprotectdefaultwpcdn.php"; depth:26; nocase; http.host; content:"193.187.172.13"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235702; rev:1;)
# 5.42.64.45 (AMOS) shares a /24 with 5.42.64.4 (Amadey, sid 91235682 and the
# URL rule sid 91235673 further down).
alert tcp $HOME_NET any -> [5.42.64.45] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235691; rev:1;)
alert tcp $HOME_NET any -> [95.214.52.175] 13735 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235690/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_31; classtype:trojan-activity; sid:91235690; rev:1;)
# 50%-confidence ip:port entries on common ports (80/443/8080/7443): expect a
# higher false-positive rate than the URL rules; alert on these, do not block
# on them alone.
alert tcp $HOME_NET any -> [20.215.193.147] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235700/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235700; rev:1;)
alert tcp $HOME_NET any -> [38.6.177.93] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235699/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235699; rev:1;)
alert tcp $HOME_NET any -> [34.244.129.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235698/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235698; rev:1;)
alert tcp $HOME_NET any -> [185.49.70.105] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235697/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235697; rev:1;)
alert tcp $HOME_NET any -> [149.248.21.89] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235696/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235696; rev:1;)
alert tcp $HOME_NET any -> [5.188.86.214] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235695/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_31; classtype:trojan-activity; sid:91235695; rev:1;)
# NOTE(review): content:"/" with depth:1 matches every normalised request
# path, so this rule effectively fires on ANY HTTP GET whose exact Host is
# 195.20.16.155. That is fine for a dedicated C2 box but it is a host rule,
# not a URL rule, despite the msg.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_31; classtype:trojan-activity; sid:91235694; rev:1;)
alert tcp $HOME_NET any -> [217.194.133.68] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235693; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.173] 2067 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235692/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_31; classtype:trojan-activity; sid:91235692; rev:1;)
# Dynamic-DNS name (ddns.net): the DNS rule and the URL rule below cover the
# same IOC, so a single lookup-then-GET raises both. As with sid 91235694, the
# "/" depth:1 path clause is effectively a no-op and the host match does the
# work. Dynamic-DNS targets re-point quickly -- the IP is deliberately not
# encoded here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mfreshbnrem.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235678; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"mfreshbnrem.ddns.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235679; rev:1;)
alert tcp $HOME_NET any -> [192.177.111.126] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235680; rev:1;)
alert tcp $HOME_NET any -> [89.213.142.199] 28189 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235689; rev:1;)
alert tcp $HOME_NET any -> [45.137.148.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235688; rev:1;)
# Five QakBot ip:port entries at 50% confidence, three of them on tcp/443 --
# first candidates for a local threshold or suppress rule if they turn noisy.
alert tcp $HOME_NET any -> [86.190.166.133] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235687; rev:1;)
alert tcp $HOME_NET any -> [72.27.36.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235686; rev:1;)
alert tcp $HOME_NET any -> [189.140.22.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235685; rev:1;)
alert tcp $HOME_NET any -> [62.15.128.250] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235684; rev:1;)
alert tcp $HOME_NET any -> [154.247.28.232] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235683; rev:1;)
alert tcp $HOME_NET any -> [5.42.64.4] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235682; rev:1;)
# bitbucket.org is a legitimate shared host; only the full 36-byte path makes
# this payload-delivery rule specific. Keep the URI clause intact if adapting
# it, and expect the file to be removed upstream (rule then goes silent, not
# wrong).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updategovua/upd/downloads/words.exe"; depth:36; nocase; http.host; content:"bitbucket.org"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235681; rev:1;)
alert tcp $HOME_NET any -> [65.21.212.85] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235677; rev:1;)
alert tcp $HOME_NET any -> [3.67.112.102] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235675/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235675; rev:1;)
alert tcp $HOME_NET any -> [138.124.183.37] 443 (msg:"ThreatFox DarkGate botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235676/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235676; rev:1;)
alert tcp $HOME_NET any -> [94.156.65.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235674; rev:1;)
# Same host as the Amadey ip:port rule sid 91235682, here with the path pinned.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jpdsj3d4m/index.php"; depth:20; nocase; http.host; content:"5.42.64.4"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235673; rev:1;)
# Nine .shop hosts sharing the path "/api", all first seen 2024_01_30 --
# presumably one campaign rotating domains (family not named in the msg; see
# the ThreatFox references). "/api" alone is far too generic; the exact-host
# clause is the detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"nationalistvetecanve.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235672; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"gemcreedarticulateod.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235671; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"secretionsuitcasenioise.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235670; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"liabilityarrangemenyit.shop"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235668; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"claimconcessionrebe.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235669; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"modestessayevenmilwek.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235667; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"triangleseasonbenchwj.shop"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235666; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"culturesketchfinanciall.shop"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235665; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sofahuntingslidedine.shop"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235664; rev:1;)
# Seven NjRAT hosts on two ports (11024, 18227), all first seen 2024_01_30.
alert tcp $HOME_NET any -> [3.64.4.198] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235663; rev:1;)
alert tcp $HOME_NET any -> [3.67.161.133] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235662; rev:1;)
alert tcp $HOME_NET any -> [18.158.58.205] 11024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235661; rev:1;)
alert tcp $HOME_NET any -> [18.192.93.86] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235660; rev:1;)
alert tcp $HOME_NET any -> [18.157.68.73] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235659; rev:1;)
alert tcp $HOME_NET any -> [3.127.138.57] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235658; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 18227 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235657; rev:1;)
# Payload-delivery URLs /order/tucN.exe across three spartabig.com subdomains
# (moon., count., ok.).
# NOTE(review): sid 91235563 duplicates sid 91235557 (tuc4.exe on moon.) and
# sid 91235564 duplicates sid 91235558 (tuc5.exe on moon.) -- identical
# detection logic, so one download raises two alerts. Left in place because
# each sid tracks its own ThreatFox IOC id; dedupe downstream if needed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235557; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235559; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235561; rev:1;)
# Duplicate of sid 91235558 (see note above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235564; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235562; rev:1;)
# Duplicate of sid 91235557 (see note above).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235563; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235581; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235580; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235579; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235577; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235578; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235576; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235575; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235574; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235571; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235568; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"ok.spartabig.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235565; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235582; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235583; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; 
content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235584; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235586; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235588/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235588; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"count.spartabig.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235590; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235591; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235592; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235593; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235594; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235595; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235596; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235597; rev:1;) alert tcp $HOME_NET any -> [210.61.91.39] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235656/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235598; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc4.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235599; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc5.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235600; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc6.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235601; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc7.exe"; depth:15; nocase; http.host; content:"sell.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"klosherskymoneyd.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235604; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"klosherskymoneyd.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1235605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235605; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc3.exe"; depth:15; nocase; http.host; 
content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235556; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/order/tuc2.exe"; depth:15; nocase; http.host; content:"moon.spartabig.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"moon.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ok.spartabig.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sell.spartabig.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"count.spartabig.com"; depth:19; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"spartabig.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ndbplus.rs"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m5.jpg"; depth:7; nocase; http.host; content:"ndbplus.rs"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235549; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugzx.exe"; depth:23; nocase; http.host; content:"nab.blueyonderllc.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nab.blueyonderllc.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235545; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 53003 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235543/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bit-number.gl.at.ply.gg"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235544/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"andiandnoah.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235526; rev:1;) alert tcp $HOME_NET any -> [192.243.102.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235655; rev:1;) alert tcp $HOME_NET any -> [34.125.227.117] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235654; rev:1;) alert tcp $HOME_NET any -> [3.80.84.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235653; rev:1;) alert tcp $HOME_NET any -> [52.21.211.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235652; rev:1;) alert tcp $HOME_NET any -> [8.137.54.12] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235651; rev:1;)
# Three "Unknown malware" hosts (8.137.54.12 above, 43.136.58.193, 154.223.17.208) all on tcp/60000: the msg carries
# no family name, so the alert alone gives a responder nothing to triage on; the shared port is the useful pivot
# for a flow-log search across $HOME_NET.
alert tcp $HOME_NET any -> [43.136.58.193] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235650; rev:1;) alert tcp $HOME_NET any -> [154.223.17.208] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235649; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"node115.5-systems.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235648/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235648; rev:1;) alert tcp $HOME_NET any -> [134.255.252.185] 3000 (msg:"ThreatFox Bahamut botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235647; rev:1;) alert tcp $HOME_NET any -> [54.249.71.250] 18082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; 
classtype:trojan-activity; sid:91235646; rev:1;)
# ip:port rules on tcp/80 (ERMAC here, Hook further down) contain no HTTP keywords, so ordinary web browsing to the
# address also fires; the family name in msg is the only attribution and comes from the ThreatFox submission.
alert tcp $HOME_NET any -> [82.115.19.151] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235645; rev:1;)
# Two Venom RAT entries in one /24 (85.209.176.113 and .184) on the same port 4449 - presumably one operator's
# infrastructure; each stays a separate host-exact rule with its own sid.
alert tcp $HOME_NET any -> [85.209.176.113] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235644; rev:1;) alert tcp $HOME_NET any -> [85.209.176.184] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235643; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235642; rev:1;) alert tcp $HOME_NET any -> [50.118.225.41] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235641; rev:1;) alert tcp $HOME_NET any -> [181.162.169.153] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235640; rev:1;) alert tcp $HOME_NET any -> [191.82.204.88] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235639; rev:1;) alert tcp $HOME_NET any -> [185.172.128.103] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235638; rev:1;)
# dns rules fire on the lookup, before any connection - an early signal, but one that also fires on analyst or
# sandbox lookups. NOTE(review): if $HOME_NET clients resolve through an internal recursive resolver and the sensor
# sits upstream of it, target:src_ip here names the resolver, not the infected client - confirm sensor placement.
# The two *.fvds.ru names below sit under what appears to be a shared hosting zone (TODO confirm); the exact-name
# match keeps the rest of that zone out of scope.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"evgenytchurakin.fvds.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ramzanlee.fvds.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asp.keyshape.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; 
sid:91235636; rev:1;)
# Three Hook entries on tcp/80; 185.172.128.85 is in the same /24 as the RisePro host 185.172.128.103 above, so
# that netblock is worth checking as a whole during triage even though each rule stays host-exact.
alert tcp $HOME_NET any -> [5.42.67.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235634; rev:1;) alert tcp $HOME_NET any -> [185.172.128.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235632; rev:1;) alert tcp $HOME_NET any -> [212.109.195.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235633; rev:1;) alert tcp $HOME_NET any -> [64.227.124.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235631; rev:1;)
# 209.145.56.0 is a host address ending in .0 - valid under classless routing, but unusual enough to verify against
# the referenced ThreatFox entry before investing tuning effort in it.
alert tcp $HOME_NET any -> [209.145.56.0] 1995 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235630; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 8000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235629; rev:1;) alert tcp $HOME_NET any -> [94.156.67.155] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235628; rev:1;) alert tcp $HOME_NET any -> [186.112.205.208] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235627; rev:1;) alert tcp $HOME_NET any -> [3.19.71.233] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235626/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_30; classtype:trojan-activity; sid:91235626; rev:1;)
# 187.135.84.89 is listed on four ports (2095, 2181, 2077, and 2281 on the next line), each as its own rule and sid.
# threshold is evaluated per rule, so one infected host touching all four ports can raise four alerts per minute;
# correlate on the destination address rather than on sid when counting incidents.
alert tcp $HOME_NET any -> [187.135.84.89] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235624; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235625; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2077 (msg:"ThreatFox DarkComet botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235623; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235622; rev:1;)
# Start of a run of Cobalt Strike ip:port entries on tcp/80 and assorted high ports. These have no HTTP keywords, so
# they also fire on any outbound TCP to the address:port, not only on beacon check-ins; the host-anchored url rules
# further down in this file are the higher-fidelity companions.
alert tcp $HOME_NET any -> [39.106.2.138] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235621; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235620; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235619; rev:1;) alert tcp $HOME_NET any -> [172.245.34.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235618/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235618; rev:1;)
# sids in this run are not monotonic (91235616 precedes 91235617 here; 91235612 precedes 91235613 on the next
# line) because they derive from the IoC id, not from position. Dedupe and diff feed versions by sid, not by order.
alert tcp $HOME_NET any -> [107.189.14.144] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235616; rev:1;) alert tcp $HOME_NET any -> [199.127.63.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235617; rev:1;) alert tcp $HOME_NET any -> [124.223.201.58] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235615; rev:1;) alert tcp $HOME_NET any -> [158.247.238.238] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235614; rev:1;) alert tcp $HOME_NET any -> [82.157.71.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235612; rev:1;) alert tcp $HOME_NET any -> [106.54.63.106] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235613; rev:1;) alert tcp $HOME_NET any -> [8.222.165.110] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235611; rev:1;) alert tcp $HOME_NET any -> [8.136.4.15] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235610; rev:1;)
# Three payload URLs on 65.20.81.37 (.vbs and .txt here, a .doc on the next line). http.host is matched as the
# literal IP string, so a request that reached the same server via a hostname would not match these rules; there
# is no ip:port rule for this address on this page, so coverage is URL-only.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1450/ladyisbeautiful.vbs"; depth:25; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235608; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1450/irs.txt"; depth:13; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235609; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/drd/microsoftupdationgoingformicrosoftofficeupgradingtonewmsofficeprotoecoltoreducethesys.doc"; depth:94; nocase; http.host; content:"65.20.81.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"allsmt.cam"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235606; rev:1;)
# Get2 on 103.86.130.54 at 80% confidence; two more hosts in the same /24 (.76 and .50) appear later in this file.
alert tcp $HOME_NET any -> [103.86.130.54] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235603/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235603; rev:1;)
# Start of a run of "botnet C2 traffic (url" rules with very short, generic URIs (/pixel.gif, /ca, /cx, /ga.js ...).
# The URI match is a prefix only (depth equals the path length, nothing asserts the end of the URI), so "/ca" also
# matches "/cart" or "/calendar"; the exact http.host value carries all the specificity. When tuning, never
# loosen the host side.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"124.71.9.23"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"124.223.220.137"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235541; 
rev:1;)
# "dctrvi.azureedge.net" appears to be a tenant-specific host under a CDN suffix (TODO confirm). The rule matches
# that exact host only, so other tenants of the CDN are unaffected - but all the "alert http" rules on this page
# see cleartext HTTP only; the same request over HTTPS is invisible without TLS inspection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w3c.js"; depth:7; nocase; http.host; content:"dctrvi.azureedge.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.115.212.213"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"81.70.0.37"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.106.26.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.104.232.113"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235536; rev:1;)
# The same few paths recur against unrelated hosts on this page (/pixel.gif and /ga.js each appear twice;
# 114.55.133.151 is listed with both /load and /dot.gif), which is consistent with a shared C2 framework's default
# HTTP profile (TODO confirm). The path alone is far too generic to hunt on; pivot on the host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.92.246.30"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"114.55.133.151"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"123.60.57.13"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235532/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235532; rev:1;)
# "/fwlink" is a well-known vendor redirect path; with depth:7 any URI beginning "/fwlink" matches, so the literal-IP
# Host match (117.72.13.42) is the only thing separating this from legitimate redirect traffic, which uses a hostname.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"117.72.13.42"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jp.css"; depth:7; nocase; http.host; content:"91.238.181.237"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"204.44.94.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/interpret/today/vzardxorlr"; depth:27; nocase; http.host; content:"111.230.103.176"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235528; rev:1;) alert tcp $HOME_NET any -> [49.7.197.52] 80 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235525; rev:1;)
# tcp/50050 on 1.15.247.249 is labelled Cobalt Strike; that port is commonly associated with the team server's
# operator-client side rather than with beacon traffic (TODO confirm against the ThreatFox entry). Either way a
# $HOME_NET host reaching it warrants a look, but the triage path differs from a beacon check-in.
alert tcp $HOME_NET any -> [1.15.247.249] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235524; rev:1;) alert tcp $HOME_NET any -> [47.92.199.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235523; rev:1;) alert tcp $HOME_NET any -> [186.169.71.216] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235520/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235520; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"srryapi.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235521; rev:1;) alert tcp $HOME_NET any -> [103.86.130.76] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235522/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_30; classtype:trojan-activity; sid:91235522; rev:1;)
# From here the Cobalt Strike ip:port entries are on tcp/53 and are interleaved with dns rules for name-server-style
# hostnames (dns.t0nger.com, ns1/ns2/ns3.gac-oa.com, dns.atchesonprint.com), which is consistent with a DNS-channel
# C2 setup (TODO confirm). Two coverage gaps follow from the rule shapes: the tcp rules do not match UDP/53 to the
# same hosts, and the dns_query rules match the exact name only, so queries for labels beneath these names will not
# fire - zone-level coverage has to come from elsewhere.
alert tcp $HOME_NET any -> [8.218.137.213] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235519; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.t0nger.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235518; rev:1;) alert tcp $HOME_NET any -> [119.45.62.15] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235517; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235516; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235515; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"ns1.gac-oa.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235514; rev:1;)
# tcp/53 ip:port rules: where $HOME_NET hosts may send DNS directly to the Internet, a host merely configured with
# (or probing) one of these addresses as a resolver alerts once per minute; where DNS is forced through internal
# resolvers, any hit here is a policy violation in its own right and should be escalated regardless of family.
alert tcp $HOME_NET any -> [150.158.34.235] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235513; rev:1;) alert tcp $HOME_NET any -> [81.19.136.234] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235512; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.atchesonprint.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235511; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235510; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"c1.tqrjfru.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235509/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235509; rev:1;)
# Seven rules (continuing on the next line) share the URI "/oda3zdkzymfjmddm/" across rotating hosts - six
# usdtethchasmanthium*.com domains differing only in a 2-3 letter suffix, plus 94.156.68.144 - all at 80%
# confidence. This looks like one campaign; a responder who sees one hit should check passive DNS for the sibling
# names. The rules themselves remain host-exact, so a newly registered sibling is not covered until the feed adds it.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiummgl.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumkls.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumapp.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumtch.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235500; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumlg.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"usdtethchasmanthiumsmg.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/oda3zdkzymfjmddm/"; depth:18; nocase; http.host; content:"94.156.68.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235496/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235496; rev:1;)
# Two NjRAT entries on the same non-standard port 14537 for 3.68.56.232 and 3.126.224.214; 3.x looks like
# public-cloud space (TODO confirm), so these 75%-confidence addresses are prime candidates for false positives
# once reassigned. The shared port is the better pivot for a retrospective flow-log search.
alert tcp $HOME_NET any -> [3.68.56.232] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235493/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235493; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235492/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235492; rev:1;) alert tcp $HOME_NET any -> [149.210.96.205] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235508; rev:1;) alert tcp $HOME_NET any -> [94.102.148.42] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"f0912091.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"103.50.206.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235504; rev:1;) alert tcp $HOME_NET any -> [103.50.206.45] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235505/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/originate/temporal/yv3bjpo5btv9"; depth:32; nocase; http.host; content:"cloudflairly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235503; rev:1;) alert tcp $HOME_NET any -> [103.86.130.50] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235495; rev:1;) alert tcp $HOME_NET any -> [103.72.97.236] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsqlwindows.php"; depth:18; nocase; http.host; content:"562173cm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235491; rev:1;) alert tcp $HOME_NET any -> [3.6.40.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235490; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235489; rev:1;) alert tcp $HOME_NET any -> [35.157.111.131] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235488; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14537 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235478; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ccaue6.leadershiplink.my.id"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235483; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"37.27.26.28"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235486; rev:1;) alert tcp $HOME_NET any -> [37.27.26.28] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235485; rev:1;) alert tcp $HOME_NET any -> [103.69.194.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235484/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"service-bzbl2uq7-1312255927.bj.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235477; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.100.170.9"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235476/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235476; rev:1;) alert tcp $HOME_NET any -> [110.43.68.243] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235475/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235475; rev:1;) alert tcp $HOME_NET any -> [62.204.41.234] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235474/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235474; rev:1;) alert tcp $HOME_NET any -> [2.87.13.117] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235473/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235473; rev:1;) alert tcp $HOME_NET any -> [91.92.253.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235472/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235472; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 44387 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235471/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235471; rev:1;) alert tcp $HOME_NET any -> [61.19.254.6] 2024 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235384; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235385; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28104 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235386; rev:1;) alert tcp $HOME_NET any -> [186.169.37.61] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235391/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235391; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235399/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235399; rev:1;) alert tcp $HOME_NET any -> [195.144.21.204] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235406/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235406; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"mkng.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/unitylibrarymanager.exe"; depth:24; nocase; http.host; content:"3psil0n.fr"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"3psil0n.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.236.246.25"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"howamerica.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"honors.howamerica.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235371; rev:1;) alert tcp $HOME_NET any -> [45.15.156.201] 10208 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235358; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 15309 (msg:"ThreatFox NjRAT botnet C2 
traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235356/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"people-primarily.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235357/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235357; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235355/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_30; classtype:trojan-activity; sid:91235355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedylive.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.classicstandupcomedy.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whyzup.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1235331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.louangelwolf.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"louangelwolf.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235333; rev:1;) alert tcp $HOME_NET any -> [64.225.12.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235334; rev:1;) alert tcp $HOME_NET any -> [192.252.183.121] 8524 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"clbh.honors.howamerica.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235340/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235340; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235470; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235469/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235469; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1935 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235468/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235468; rev:1;) alert tcp $HOME_NET any -> [65.109.90.47] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235467/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_30; classtype:trojan-activity; sid:91235467; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235466/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235466; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235465/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235465; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235464/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235464; rev:1;) alert tcp $HOME_NET any -> [103.86.131.57] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235463/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235463; rev:1;) alert tcp $HOME_NET any -> [188.241.240.187] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235462; rev:1;) alert tcp $HOME_NET any -> [110.40.151.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235461/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235461; rev:1;) alert tcp $HOME_NET any -> [65.109.90.47] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235460; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn752656009.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235459; rev:1;) alert tcp $HOME_NET any -> [41.216.183.31] 80 (msg:"ThreatFox GhostLocker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235458; rev:1;) alert tcp $HOME_NET any -> [190.135.185.214] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235457; rev:1;) alert tcp $HOME_NET any -> [88.214.25.249] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235456; rev:1;) alert tcp $HOME_NET any -> [18.198.146.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235455; rev:1;) alert tcp $HOME_NET any -> [47.100.210.152] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235454; rev:1;) alert tcp $HOME_NET any -> [45.155.124.147] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235453; rev:1;) alert tcp $HOME_NET any -> [35.184.204.195] 10443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235452; rev:1;) alert tcp $HOME_NET any -> [138.68.72.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235451; rev:1;) alert tcp $HOME_NET any -> [64.23.184.213] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235450; rev:1;) alert tcp $HOME_NET any -> [64.23.184.213] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235449; rev:1;) alert tcp $HOME_NET any -> [47.76.34.199] 
60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235448; rev:1;) alert tcp $HOME_NET any -> [120.46.45.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235447; rev:1;) alert tcp $HOME_NET any -> [120.25.226.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235446; rev:1;) alert tcp $HOME_NET any -> [122.10.68.253] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235445; rev:1;) alert tcp $HOME_NET any -> [2.58.113.172] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235444; rev:1;) alert tcp $HOME_NET any -> [5.182.86.194] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235443/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235443; rev:1;) alert tcp $HOME_NET any -> [194.36.88.211] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235442; rev:1;) alert tcp $HOME_NET any -> [45.94.31.205] 6969 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ekfb.site"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235440; rev:1;) alert tcp $HOME_NET any -> [91.92.253.160] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235439; rev:1;) alert tcp $HOME_NET any -> [91.92.252.217] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235438; rev:1;) alert tcp $HOME_NET any -> [185.93.69.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235437; rev:1;) alert tcp $HOME_NET any -> [3.140.197.75] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235436; rev:1;) alert tcp $HOME_NET any -> [45.61.137.134] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235435; rev:1;) alert tcp $HOME_NET any -> [91.92.240.147] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235434; rev:1;) alert tcp $HOME_NET any -> [150.138.77.39] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235433; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; 
sid:91235432; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235431; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235429; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235430; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235428; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235427; rev:1;) alert tcp $HOME_NET any -> [52.146.1.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235426; rev:1;) alert tcp $HOME_NET any -> [123.60.57.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235425; rev:1;) alert tcp $HOME_NET any -> [20.62.251.205] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235423; rev:1;) alert tcp $HOME_NET any -> [124.221.47.36] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235424; rev:1;) alert tcp $HOME_NET any -> [117.72.42.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235422; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235421; rev:1;) alert tcp $HOME_NET any -> [188.213.198.232] 8888 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235420; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235419; rev:1;) alert tcp $HOME_NET any -> [45.144.232.99] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235418; rev:1;) alert tcp $HOME_NET any -> [5.42.64.32] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1poll/3external/50provider0/windows/windowslongpoll/0externaljavascriptjs/phpphp/0async7/61gamevoiddb/tolongpollwindowsprivate.php"; depth:131; nocase; http.host; content:"185.244.51.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235410; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0912235.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_30; classtype:trojan-activity; sid:91235408; rev:1;) alert tcp $HOME_NET any -> [47.113.216.45] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235407; rev:1;) alert tcp $HOME_NET any -> [94.102.155.46] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235405; rev:1;) alert tcp $HOME_NET any -> [110.40.151.20] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_30; classtype:trojan-activity; sid:91235404; rev:1;) alert tcp $HOME_NET any -> [94.49.176.147] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235403; rev:1;) alert tcp $HOME_NET any -> [187.135.84.89] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235402; rev:1;) alert tcp $HOME_NET any -> [47.92.231.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235401; rev:1;) alert tcp $HOME_NET any -> [182.61.25.107] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235398/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235398; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235397; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 14272 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235396; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235395; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 
17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235394; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235393; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 17426 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235392; rev:1;) alert tcp $HOME_NET any -> [65.21.176.122] 11263 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235390; rev:1;) alert tcp $HOME_NET any -> [86.126.216.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235370/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235370; rev:1;) alert tcp $HOME_NET any -> [31.117.0.33] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235369/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_01_29; classtype:trojan-activity; sid:91235369; rev:1;) alert tcp $HOME_NET any -> [154.246.153.209] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235368/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235368; rev:1;) alert tcp $HOME_NET any -> [47.17.109.197] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235366/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235366; rev:1;) alert tcp $HOME_NET any -> [145.82.146.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235365/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235365; rev:1;) alert tcp $HOME_NET any -> [185.113.8.123] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235364/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235364; rev:1;) alert tcp $HOME_NET any -> [2.49.56.253] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235362; rev:1;) alert tcp $HOME_NET any -> [38.242.209.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235361/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"callii.ydns.eu"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235359; rev:1;) alert tcp $HOME_NET any -> [34.88.85.211] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235354/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235354; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"negliganceassumeruew.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ama.exe"; depth:8; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235351/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cp.exe"; 
depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235352/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235352; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ma.exe"; depth:7; nocase; http.host; content:"185.172.128.154"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235350/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"braidfadefriendklypk.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"acquisitionfinancej.shop"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cooperatecliqueobstac.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235346/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"racerecessionrestrai.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"carvewomanflavourwop.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235344; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"vesselspeedcrosswakew.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235345; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"retainfactorypunishjkw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"communicationinchoicer.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"brickabsorptiondullyi.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235341; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235339; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235338; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 16777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235337; rev:1;) alert tcp $HOME_NET any -> [103.86.130.51] 443 (msg:"ThreatFox Get2 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235336/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.currencyandsecurity.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"currencyandsecurity.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235319; rev:1;) alert tcp $HOME_NET any -> [5.181.159.27] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"167-172-234-147.ipv4.staticdns2.io"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235317; rev:1;) alert tcp $HOME_NET any -> [167.172.234.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1235320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235320; rev:1;) alert tcp $HOME_NET any -> [64.237.213.102] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235316; rev:1;) alert tcp $HOME_NET any -> [45.137.116.2] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235314; rev:1;) alert tcp $HOME_NET any -> [85.209.11.168] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235315; rev:1;) alert tcp $HOME_NET any -> [2.58.14.224] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235313; rev:1;) alert tcp $HOME_NET any -> [45.156.84.190] 443 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/securepacketgamedbtrack.php"; depth:38; nocase; http.host; content:"46.174.52.97"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235311; rev:1;) alert tcp $HOME_NET any -> [85.102.165.243] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235309; rev:1;) alert tcp $HOME_NET any -> [197.204.3.130] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235308; rev:1;) alert tcp $HOME_NET any -> [216.238.83.84] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235307; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4445 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235306; rev:1;) alert tcp $HOME_NET any -> [23.20.6.114] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235305; rev:1;) alert tcp $HOME_NET any -> [101.34.47.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235304; rev:1;) alert tcp $HOME_NET any -> [20.174.1.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235303; rev:1;) alert tcp $HOME_NET any -> [163.172.150.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235302; rev:1;) alert tcp $HOME_NET any -> [13.247.14.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235301; rev:1;) alert tcp $HOME_NET any -> [122.10.12.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235300; rev:1;) alert tcp 
$HOME_NET any -> [101.42.149.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235299; rev:1;) alert tcp $HOME_NET any -> [43.139.195.144] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235298; rev:1;) alert tcp $HOME_NET any -> [175.178.116.26] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235297; rev:1;) alert tcp $HOME_NET any -> [47.107.44.15] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235296; rev:1;) alert tcp $HOME_NET any -> [20.240.201.149] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235295; rev:1;) alert tcp $HOME_NET any -> [161.97.102.40] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235294; rev:1;) alert tcp $HOME_NET any -> [49.157.28.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235293; rev:1;) alert tcp $HOME_NET any -> [52.81.76.168] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235292; rev:1;) alert tcp $HOME_NET any -> [165.227.213.147] 7552 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235291; rev:1;) alert tcp $HOME_NET any -> [64.227.124.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235290; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 13832 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235289; rev:1;) alert tcp $HOME_NET any -> [94.23.89.139] 443 (msg:"ThreatFox Sliver 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235288/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_29; classtype:trojan-activity; sid:91235288; rev:1;) alert tcp $HOME_NET any -> [109.117.91.172] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235287; rev:1;) alert tcp $HOME_NET any -> [141.164.34.159] 2082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235285; rev:1;) alert tcp $HOME_NET any -> [8.130.101.106] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235286; rev:1;) alert tcp $HOME_NET any -> [64.227.174.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235284; rev:1;) alert tcp $HOME_NET any -> [1.12.254.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235283/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235283; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235282; rev:1;) alert tcp $HOME_NET any -> [8.134.165.196] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235280; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4446 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235281; rev:1;) alert tcp $HOME_NET any -> [172.105.8.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235279; rev:1;) alert tcp $HOME_NET any -> [8.140.254.212] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235278; rev:1;) alert tcp $HOME_NET any -> [142.171.233.211] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235277; rev:1;) alert tcp $HOME_NET any -> [47.108.145.250] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"stachmentsuprimeresult.com"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1235274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0910130.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235275; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"euunclaimedpymt.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/ap.php"; depth:7; nocase; http.host; content:"euunclaimedpymt.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stachmentsuprimeresult.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235273; rev:1;) alert tcp $HOME_NET any -> [193.222.96.70] 59646 (msg:"ThreatFox WpBruteBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"ripnoticebook.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"ghostcitygames.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235269; rev:1;) alert tcp $HOME_NET any -> [193.233.132.37] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235266; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/6cdvjjmfdowmbvw+3hrdrpttcvzkhu38mkim5i1ebnocvddqmkgb+i1vheoabuoujvud45ofvb3ebr2u0gug6p5ff/6dxxzmku4y+pgfeg=="; depth:109; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/uuo0fipov381aa4kz3kynci+uwzzcbzmiy9xfjqpx0k7owtwiyvayjq4rnkjabg0ndhgesnodir9aey0a2hydccyrxezov1nmyvyncw="; depth:105; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rpmkpnw76c3ku7cwmkqmht3t79smo6jfwpjm3dt81cleu6ag3luwhsf9+n3w/f7hx/tlysfz8ntf+u2g0w=="; depth:85; nocase; http.host; content:"miner.eastestsite.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"miner.eastestsite.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235262; rev:1;) alert tcp $HOME_NET any -> [91.109.178.5] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235261; rev:1;) alert tcp $HOME_NET any -> [3.22.30.40] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235245/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235245; rev:1;) alert tcp $HOME_NET any -> [193.106.175.40] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235242; rev:1;) alert tcp $HOME_NET any -> [3.17.7.232] 14868 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235244/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235244; rev:1;) alert tcp $HOME_NET any -> [65.109.242.38] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235258; rev:1;) alert tcp $HOME_NET any -> [116.202.4.242] 2271 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.4.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235257; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tvrugrats"; 
depth:10; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235255; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199627279110"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235256; rev:1;) alert tcp $HOME_NET any -> [91.109.176.7] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235254; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235253; rev:1;) alert tcp $HOME_NET any -> [124.223.52.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235252; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bootstrap-5.3.1.min.js"; depth:23; nocase; http.host; content:"124.223.52.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235251; rev:1;) alert tcp $HOME_NET any -> [81.68.210.91] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235250; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"81.68.210.91"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235249; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linejsrequestdbdle.php"; depth:23; nocase; http.host; content:"194.36.209.243"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235248; rev:1;) alert tcp $HOME_NET any -> [164.92.187.144] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235247/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235247; rev:1;) alert tcp 
$HOME_NET any -> [41.111.218.206] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235246/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235246; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235243/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235243; rev:1;) alert tcp $HOME_NET any -> [3.77.102.212] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235241; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235240/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235240; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/da341/index.php"; depth:16; nocase; http.host; content:"damel.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235239; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.155.0.238"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235238; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235237; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"20.2.223.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235236; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235235; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"175.178.73.141"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235234; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"ns.chrome-crash.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"kitfishstore.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235232/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"homemademagazine.ru"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235231/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235231; rev:1;) alert tcp $HOME_NET any -> [185.248.163.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235230/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"193.233.255.60"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.73.131.73"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"77.232.142.8"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"92.246.136.222"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"94.228.168.159"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"45.141.215.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.106.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"141.98.83.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; 
sid:91235125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"91.103.253.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"85.192.63.57.sslip.io"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235127; rev:1;) alert tcp $HOME_NET any -> [103.215.221.168] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235190/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"abixmaly.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235194/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235194; rev:1;) alert tcp $HOME_NET any -> [103.92.235.29] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235195/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235195; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"skscarsrjn.in"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235196/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235196; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"rocheholding.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235197/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"www.rnofinancial.com.au"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235201/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235201; rev:1;) alert tcp $HOME_NET any -> [3.19.130.43] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235213/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235213; rev:1;) alert tcp $HOME_NET any -> [185.91.127.235] 1312 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235210/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235210; rev:1;) alert tcp $HOME_NET any -> [3.142.167.54] 10093 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 
75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235212/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1zkzw2mq"; depth:9; nocase; http.host; content:"draggedline.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ytw8d9xy"; depth:9; nocase; http.host; content:"climedballon.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bdrvdw9c"; depth:9; nocase; http.host; content:"waterlinesheet.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/rz7kfbxj"; depth:9; nocase; http.host; content:"dailytickyclock.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235115/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_29; classtype:trojan-activity; sid:91235115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"devquery.org"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cd5fkzwv"; depth:9; nocase; http.host; content:"lemonicecold.org"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mxlvy9nz"; depth:9; nocase; http.host; content:"throatpills.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zcqvjvq1"; depth:9; nocase; http.host; content:"surelytheme.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpw79r1k"; depth:9; nocase; http.host; content:"drilledgas.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bxz6bx5c"; depth:9; nocase; http.host; content:"windowlight.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oracle-panel.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tunel.oracle-panel.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"tunel.oracle-panel.online"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; 
classtype:trojan-activity; sid:91235102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login"; depth:11; nocase; http.host; content:"89.208.103.177"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235101; rev:1;) alert tcp $HOME_NET any -> [89.208.103.177] 15666 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"bb2wexx2x2aa.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235093/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235093; rev:1;) alert tcp $HOME_NET any -> [78.153.139.198] 4000 (msg:"ThreatFox Raccoon botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x11x2aa.com"; depth:16; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1235092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"x2313xsdx2a.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"babawwe2aa.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"wexx2x2aa.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235090/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"xex2napggq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235088/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235088; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mju0mjdimtzmndvh/"; depth:18; nocase; http.host; content:"193.222.96.16"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235087/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235087; rev:1;) alert tcp $HOME_NET any -> [185.81.157.135] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235229/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235229; rev:1;) alert tcp $HOME_NET any -> [72.11.158.94] 1604 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235228/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_29; classtype:trojan-activity; sid:91235228; rev:1;) alert tcp $HOME_NET any -> [79.137.205.212] 8080 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235081; rev:1;) alert tcp $HOME_NET any -> [192.252.183.20] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235227/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235227; rev:1;) alert tcp $HOME_NET any -> [192.252.183.17] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235226/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235226; rev:1;) alert tcp $HOME_NET any -> [192.252.183.18] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235225/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235225; rev:1;) alert tcp $HOME_NET any -> [192.252.183.19] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235224/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235224; rev:1;) alert tcp $HOME_NET any -> [86.122.235.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235223/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235223; rev:1;) alert tcp $HOME_NET any -> [31.190.83.230] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235222/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235222; rev:1;) alert tcp $HOME_NET any -> [5.163.239.151] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235221/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; 
sid:91235221; rev:1;) alert tcp $HOME_NET any -> [91.140.64.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235220/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235220; rev:1;) alert tcp $HOME_NET any -> [94.98.74.63] 2087 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235219/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235219; rev:1;) alert tcp $HOME_NET any -> [59.20.162.22] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235218/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235218; rev:1;) alert tcp $HOME_NET any -> [34.244.129.215] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235217/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235217; rev:1;) alert tcp $HOME_NET any -> [45.90.218.248] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235216/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_29; classtype:trojan-activity; sid:91235216; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c3/fre.php"; depth:11; nocase; http.host; 
content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235215; rev:1;) alert tcp $HOME_NET any -> [43.129.169.102] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235214/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235214; rev:1;) alert tcp $HOME_NET any -> [111.230.103.176] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235211/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235211; rev:1;) alert tcp $HOME_NET any -> [43.230.202.77] 4568 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235209; rev:1;) alert tcp $HOME_NET any -> [87.98.177.182] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235208; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/blb41/index.php"; depth:16; nocase; http.host; content:"blblz.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235207/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235207; rev:1;) alert tcp $HOME_NET any -> [149.102.231.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235206/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235206; rev:1;) alert tcp $HOME_NET any -> [124.71.9.23] 8055 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235205/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235205; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235204/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_29; classtype:trojan-activity; sid:91235204; rev:1;) alert tcp $HOME_NET any -> [23.95.60.87] 8823 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_29; classtype:trojan-activity; sid:91235203; rev:1;) alert tcp $HOME_NET any -> [64.227.174.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235189/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235189; rev:1;) alert tcp $HOME_NET any -> [206.189.149.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235188; rev:1;) alert tcp $HOME_NET any -> [20.11.73.26] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235187; rev:1;) alert tcp $HOME_NET any -> [62.210.28.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235186; rev:1;) alert tcp $HOME_NET any -> [65.20.76.49] 4488 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235185; rev:1;) alert tcp $HOME_NET any -> [165.227.185.39] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235184; rev:1;) alert tcp $HOME_NET any -> [195.133.13.135] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91235183; rev:1;) alert tcp $HOME_NET any -> [3.83.43.12] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235182; rev:1;) alert tcp $HOME_NET any -> [181.32.129.119] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235181; rev:1;) alert tcp $HOME_NET any -> [143.198.20.119] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235180; rev:1;) alert tcp $HOME_NET any -> [34.143.218.4] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235179; rev:1;) alert tcp $HOME_NET any -> [203.161.46.188] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235178; rev:1;) alert tcp $HOME_NET any -> [52.128.230.170] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235177; rev:1;) alert tcp $HOME_NET any -> [118.25.109.108] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235176; rev:1;) alert tcp $HOME_NET any -> [52.128.230.174] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235175; rev:1;) alert tcp $HOME_NET any -> [180.112.128.157] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235173; rev:1;) alert tcp $HOME_NET any -> [220.173.27.222] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235174; rev:1;) alert tcp $HOME_NET any -> [179.61.251.93] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235172; 
rev:1;) alert tcp $HOME_NET any -> [3.213.37.39] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235171; rev:1;) alert tcp $HOME_NET any -> [3.210.242.78] 443 (msg:"ThreatFox Serpent Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235170; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235169; rev:1;) alert tcp $HOME_NET any -> [185.196.10.245] 4443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235168; rev:1;) alert tcp $HOME_NET any -> [93.123.39.235] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235167; rev:1;) alert tcp $HOME_NET any -> [185.237.14.236] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235166; rev:1;) alert tcp $HOME_NET any -> [159.69.86.27] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235164; rev:1;) alert tcp $HOME_NET any -> [39.38.245.19] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235162; rev:1;) alert tcp $HOME_NET any -> [154.212.146.81] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235163; rev:1;) alert tcp $HOME_NET any -> [20.163.19.3] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235161; rev:1;) alert tcp $HOME_NET any -> [85.209.176.79] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235160; rev:1;) alert tcp $HOME_NET any -> [156.253.13.217] 4848 (msg:"ThreatFox Venom RAT botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235159; rev:1;) alert tcp $HOME_NET any -> [94.103.188.123] 1111 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235158; rev:1;) alert tcp $HOME_NET any -> [35.189.151.174] 5563 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235157; rev:1;) alert tcp $HOME_NET any -> [125.130.86.64] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235156; rev:1;) alert tcp $HOME_NET any -> [176.105.230.74] 2404 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235155; rev:1;) alert tcp $HOME_NET any -> [64.231.120.66] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91235154; rev:1;) alert tcp $HOME_NET any -> [185.172.128.60] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235153; rev:1;) alert tcp $HOME_NET any -> [185.172.128.4] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235152; rev:1;) alert tcp $HOME_NET any -> [45.133.36.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235151; rev:1;) alert tcp $HOME_NET any -> [62.109.30.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235149; rev:1;) alert tcp $HOME_NET any -> [154.223.21.23] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235150; rev:1;) alert tcp $HOME_NET any -> [192.252.183.16] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235148; rev:1;) alert tcp $HOME_NET any -> [38.207.179.146] 48964 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235147/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_28; classtype:trojan-activity; sid:91235147; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235146; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235145; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235144; rev:1;) alert tcp $HOME_NET any -> [81.136.60.101] 1339 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235143; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 8081 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235142; rev:1;) alert tcp $HOME_NET any -> [43.248.185.248] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235141; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235140; rev:1;) alert tcp $HOME_NET any -> [31.41.244.172] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235139; rev:1;) alert tcp $HOME_NET any -> [139.155.135.131] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235138; rev:1;) alert tcp $HOME_NET any -> [35.164.187.16] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235137/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235137; rev:1;) alert tcp $HOME_NET any -> [38.60.253.13] 6443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235135; rev:1;) alert tcp $HOME_NET any -> [104.244.72.123] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235136; rev:1;) alert tcp $HOME_NET any -> [139.162.134.160] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235134; rev:1;) alert tcp $HOME_NET any -> [82.97.251.102] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235132; rev:1;) alert tcp $HOME_NET any -> [8.130.123.25] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235133; rev:1;) alert tcp $HOME_NET any -> [139.196.226.108] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235131; rev:1;) alert tcp $HOME_NET any -> [206.189.80.59] 22614 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235130; rev:1;) alert tcp $HOME_NET any -> [192.169.69.26] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235129; rev:1;) alert tcp $HOME_NET any -> [147.78.241.56] 313 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.108.175.149"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"190.123.44.240"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235100; rev:1;) alert tcp $HOME_NET any -> [183.131.83.145] 8000 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235097/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235097; rev:1;) alert tcp $HOME_NET any -> [154.246.34.250] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235096/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235096; rev:1;) alert tcp $HOME_NET any -> [190.133.134.78] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235095/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235095; rev:1;) alert tcp $HOME_NET any -> [38.62.236.182] 4567 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235094/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_28; classtype:trojan-activity; sid:91235094; rev:1;) alert tcp $HOME_NET any -> [103.86.131.87] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235086/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235086; rev:1;) alert tcp $HOME_NET any -> [82.115.223.244] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235085/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235085; rev:1;) alert tcp $HOME_NET any -> [47.108.89.235] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235084/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235084; rev:1;) alert tcp $HOME_NET any -> [91.92.254.14] 4412 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235083; rev:1;) alert tcp $HOME_NET any -> [91.92.254.47] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235082; rev:1;) alert tcp $HOME_NET any -> [176.128.10.125] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235080/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235080; rev:1;) alert tcp $HOME_NET any -> [221.239.26.195] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235079/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235079; rev:1;) alert tcp $HOME_NET any -> [165.227.31.192] 22509 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235078; rev:1;) alert tcp $HOME_NET any -> [95.173.255.238] 4444 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235077; rev:1;) alert tcp $HOME_NET any -> [95.217.81.77] 35530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235076; rev:1;) alert tcp $HOME_NET any -> [20.201.116.50] 1024 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235075; rev:1;) alert tcp $HOME_NET any -> [185.222.58.84] 
8990 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235074; rev:1;) alert tcp $HOME_NET any -> [161.35.237.131] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235073/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cf43561.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"117.72.11.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; 
classtype:trojan-activity; sid:91235070; rev:1;)
# --- ThreatFox IOC feed: one Suricata rule per line (generated export) ---
# Three rule shapes recur throughout this file:
#   ip:port  - "alert tcp $HOME_NET any -> [ip] port": there is no flow keyword, so any
#              TCP packet from an internal host toward the listed endpoint matches (a
#              bare connection attempt is enough, an established session is not required);
#              "threshold: type limit, track by_src, seconds 60, count 1" caps this at one
#              alert per source host per 60 s.
#   url      - exact host match (http.host + depth + isdataat:!1,relative) combined with a
#              URI *prefix* match (http.uri + depth, no isdataat), so "/activity" also
#              matches "/activity?x=1" or "/activityfoo" as long as the host is identical.
#   domain   - dns_query with depth equal to the name length plus isdataat:!1,relative
#              gives an exact, case-insensitive (nocase) match on the queried name;
#              subdomains need their own rule (cf. the separate js./www. rules for
#              rxjh.online further down in this file).
# In every rule target:src_ip marks the internal client as the affected host, and the sid
# is the ThreatFox IOC id prefixed with 9 (reference:url carries the same id).
alert tcp $HOME_NET any -> [45.154.2.102] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235069; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"8.141.10.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235068; rev:1;)
# Hostname under a shared cloud-provider zone: the exact-match form (depth:33 +
# isdataat:!1,relative) keeps this rule from firing on other *.cloudapp.azure.com names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"update.westus3.cloudapp.azure.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235059; rev:1;)
alert tcp $HOME_NET any -> [20.171.192.244] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235060; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rxjh.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235061; rev:1;)
alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"js.rxjh.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.rxjh.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.41.50.152"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"104.143.47.87"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caranthir.zapto.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235065; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"caranthir.zapto.org"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235064; rev:1;) alert tcp $HOME_NET any -> [103.86.130.67] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235058; rev:1;) alert tcp $HOME_NET any -> [103.86.130.68] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235057; rev:1;) alert tcp $HOME_NET any -> [185.196.8.220] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235056; rev:1;) alert tcp $HOME_NET any -> [111.230.103.176] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235055; rev:1;) alert tcp $HOME_NET any -> [103.86.130.86] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235054/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235054; rev:1;) alert tcp $HOME_NET any -> [109.242.113.157] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235053; rev:1;) alert tcp $HOME_NET any -> [74.12.146.125] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235052/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235052; rev:1;) alert tcp $HOME_NET any -> [211.169.158.12] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235051/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235051; rev:1;) alert tcp $HOME_NET any -> [151.48.177.238] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235050/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235050; rev:1;) alert tcp $HOME_NET any -> [141.144.233.60] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235049/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235049; rev:1;) alert tcp $HOME_NET any -> 
[164.92.125.68] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235048/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_28; classtype:trojan-activity; sid:91235048; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowordshere.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyclowns.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235008; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"getquery.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235009; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"climedballon.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235010; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"windowlight.org"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"drilledgas.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235013; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devcodejs.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235012; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lemonicecold.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235014; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dailytickyclock.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235015; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"devqeury.org"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235016/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_28; classtype:trojan-activity; sid:91235016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"slurpslimes.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deeptrickday.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greenpapers.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235019; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cancelledfirestarter.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudwebhub.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235021; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggerfun.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"treegreeny.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235023; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"surelytheme.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235024; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryh.org"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235025; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"neworderspath.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235026; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"draggedline.org"; depth:15; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235027; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"waterlinesheet.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235028; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigbricks.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235029; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"searchgear.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"metallife.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235031; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emperorplan.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235032/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_28; classtype:trojan-activity; sid:91235032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"catsndogz.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235033; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"greedyfines.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"libertader.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jsqur.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235036; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibedroom.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235037; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"codecruncher.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235038; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"biggreenlimes.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqueryns.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cheatlab.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234852; rev:1;) alert tcp $HOME_NET any -> [77.246.104.220] 3422 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kkudndkwatnfevcaqeefytqnh.top"; depth:29; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1234854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"w33s1.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whxzqkbbtzvdyxdeseoiyujzs.co"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uohhunkmnfhbimtagizqgwpmv.to"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-kboespoo-1317138495.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"serevto.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234862/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.serevto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.uapa-edu.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dzxngxmlsim3.cloudfront.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"estagioonlineeseguro.ddns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bing921.215436454.xyz"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234885; 
rev:1;) alert tcp $HOME_NET any -> [202.144.192.114] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dbdb.addea.workers.dev"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nnpservices.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234883; rev:1;) alert tcp $HOME_NET any -> [189.18.237.245] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-70-254-144.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234890; rev:1;) alert tcp $HOME_NET any -> [142.67.130.172] 54999 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"divert64.hopto.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234894; rev:1;) alert tcp $HOME_NET any -> [163.172.255.114] 9080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234898; rev:1;) alert tcp $HOME_NET any -> [54.37.196.189] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234899; rev:1;) alert tcp $HOME_NET any -> [37.252.188.127] 8080 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234900; rev:1;) alert tcp $HOME_NET any -> [164.90.185.9] 443 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234901/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234901; rev:1;) alert tcp $HOME_NET any -> [206.189.109.146] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234902; rev:1;) alert tcp $HOME_NET any -> [94.156.71.237] 3999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"wired-ethical-marten.ngrok-free.app"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/run.exe"; depth:8; nocase; http.host; content:"wired-ethical-marten.ngrok-free.app"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234905; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kinggru.duckdns.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234989/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_28; classtype:trojan-activity; sid:91234989; rev:1;) alert tcp $HOME_NET any -> [90.15.154.112] 4899 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"victacking.ddns.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91234999; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.20.16.155"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jqscr.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235040; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linedloop.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_28; classtype:trojan-activity; sid:91235042; rev:1;) alert 
tcp $HOME_NET any -> [93.123.85.151] 43957 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235045/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235045; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bp.somersaultcloud.xyz"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235046/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_28; classtype:trojan-activity; sid:91235046; rev:1;) alert tcp $HOME_NET any -> [116.103.228.193] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235047/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235047; rev:1;) alert tcp $HOME_NET any -> [187.135.114.239] 1660 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235044; rev:1;) alert tcp $HOME_NET any -> [158.247.254.47] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235043/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_28; classtype:trojan-activity; sid:91235043; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1235005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"108.165.113.54"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235004; rev:1;) alert tcp $HOME_NET any -> [94.156.64.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vlenath"; depth:8; nocase; http.host; content:"service.safaricom.workers.dev"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1235001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.safaricom.workers.dev"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1235002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91235002; rev:1;) alert tcp $HOME_NET any -> [217.31.202.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1235000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91235000; rev:1;) alert tcp $HOME_NET any -> [44.211.174.103] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234997; rev:1;) alert tcp $HOME_NET any -> [51.81.35.61] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234996/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234996; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 27978 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234995/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234995; rev:1;) alert tcp $HOME_NET any -> [141.255.159.227] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234994/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234994; rev:1;) alert tcp $HOME_NET any -> [103.86.131.46] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234993; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 16495 
(msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234992; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e3e70db1.php"; depth:13; nocase; http.host; content:"a0894373.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234991; rev:1;) alert tcp $HOME_NET any -> [38.207.179.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234990; rev:1;) alert tcp $HOME_NET any -> [143.110.192.8] 10451 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234988; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 7438 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234987; rev:1;) alert tcp $HOME_NET any -> [74.70.4.221] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1234986/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234986; rev:1;) alert tcp $HOME_NET any -> [45.128.232.240] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234985/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234985; rev:1;) alert tcp $HOME_NET any -> [51.159.6.180] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234984; rev:1;) alert tcp $HOME_NET any -> [45.77.154.69] 30042 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234983; rev:1;) alert tcp $HOME_NET any -> [141.94.244.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234982; rev:1;) alert tcp $HOME_NET any -> [3.18.239.172] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234981; rev:1;) alert tcp $HOME_NET any -> 
[52.31.167.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234980; rev:1;) alert tcp $HOME_NET any -> [31.210.51.99] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234979; rev:1;) alert tcp $HOME_NET any -> [195.122.14.251] 7005 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234978; rev:1;) alert tcp $HOME_NET any -> [139.59.68.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234977; rev:1;) alert tcp $HOME_NET any -> [4.198.2.235] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234976; rev:1;) alert tcp $HOME_NET any -> [172.175.210.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234975; rev:1;) alert tcp $HOME_NET any -> [20.98.28.121] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234974; rev:1;) alert tcp $HOME_NET any -> [20.75.254.123] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234973; rev:1;) alert tcp $HOME_NET any -> [125.25.54.213] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234972; rev:1;) alert tcp $HOME_NET any -> [104.155.11.224] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234971; rev:1;) alert tcp $HOME_NET any -> [43.140.250.89] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234970; rev:1;) alert tcp $HOME_NET any -> [128.199.159.85] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234968; rev:1;) alert tcp $HOME_NET any -> [128.199.159.85] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234969; rev:1;) alert tcp $HOME_NET any -> [34.201.66.228] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234967; rev:1;) alert tcp $HOME_NET any -> [18.211.99.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234965; rev:1;) alert tcp $HOME_NET any -> [159.203.136.239] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234966; rev:1;) alert tcp $HOME_NET any -> [20.123.192.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234964/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234964; rev:1;) alert tcp $HOME_NET any -> [159.223.224.238] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234963; rev:1;) alert tcp $HOME_NET any -> [4.147.247.174] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234962; rev:1;) alert tcp $HOME_NET any -> [52.128.230.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234961; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234960; rev:1;) alert tcp $HOME_NET any -> [149.104.24.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234958; rev:1;) alert tcp $HOME_NET any -> [52.128.230.173] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234959; rev:1;) alert tcp $HOME_NET any -> [52.128.230.171] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234957; rev:1;) alert tcp $HOME_NET any -> [185.117.152.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234956; rev:1;) alert tcp $HOME_NET any -> [93.123.39.235] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234955; rev:1;) alert tcp $HOME_NET any -> [193.233.132.37] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234954; rev:1;) alert tcp $HOME_NET any -> [46.101.126.207] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234953/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_27; classtype:trojan-activity; sid:91234953; rev:1;) alert tcp $HOME_NET any -> [77.246.110.208] 8888 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234952; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234951; rev:1;) alert tcp $HOME_NET any -> [96.30.193.6] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234950; rev:1;) alert tcp $HOME_NET any -> [51.79.197.146] 23456 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234949; rev:1;) alert tcp $HOME_NET any -> [223.155.16.91] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234947; rev:1;) alert tcp $HOME_NET any -> [223.155.16.108] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234948; rev:1;) alert tcp $HOME_NET any -> [45.40.96.155] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234946; rev:1;) alert tcp $HOME_NET any -> [95.164.2.178] 50555 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234945; rev:1;) alert tcp $HOME_NET any -> [94.156.66.187] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234944; rev:1;) alert tcp $HOME_NET any -> [92.246.136.53] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234942; rev:1;) alert tcp $HOME_NET any -> [3.76.253.201] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234943; rev:1;) alert tcp $HOME_NET any -> [88.218.60.150] 80 (msg:"ThreatFox Hook 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234941; rev:1;) alert tcp $HOME_NET any -> [45.55.70.10] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234940; rev:1;) alert tcp $HOME_NET any -> [64.23.149.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234939; rev:1;) alert tcp $HOME_NET any -> [45.134.26.33] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234938; rev:1;) alert tcp $HOME_NET any -> [20.77.15.101] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234937; rev:1;) alert tcp $HOME_NET any -> [185.81.157.150] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; 
sid:91234936; rev:1;) alert tcp $HOME_NET any -> [94.46.246.95] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234935; rev:1;) alert tcp $HOME_NET any -> [103.28.89.112] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234934/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234934; rev:1;) alert tcp $HOME_NET any -> [34.162.51.179] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234933/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234933; rev:1;) alert tcp $HOME_NET any -> [80.78.22.159] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234932/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234932; rev:1;) alert tcp $HOME_NET any -> [188.166.9.214] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234931/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_27; classtype:trojan-activity; sid:91234931; rev:1;) alert tcp $HOME_NET any -> [79.36.28.36] 8080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234930; rev:1;) alert tcp $HOME_NET any -> [105.98.42.244] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234929; rev:1;) alert tcp $HOME_NET any -> [114.55.133.151] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234928; rev:1;) alert tcp $HOME_NET any -> [223.255.246.169] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234927; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234925; rev:1;) alert tcp $HOME_NET any -> [114.132.226.250] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234926; rev:1;) alert tcp $HOME_NET any -> [120.24.70.197] 8081 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234924; rev:1;) alert tcp $HOME_NET any -> [204.44.94.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234923; rev:1;) alert tcp $HOME_NET any -> [91.92.243.186] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234921; rev:1;) alert tcp $HOME_NET any -> [124.221.15.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234922; rev:1;) alert tcp $HOME_NET any -> [129.226.201.214] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234920; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234918/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234918; rev:1;) alert tcp $HOME_NET any -> [31.41.244.172] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234919; rev:1;) alert tcp $HOME_NET any -> [69.165.74.218] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234917; rev:1;) alert tcp $HOME_NET any -> [192.3.98.47] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234916; rev:1;) alert tcp $HOME_NET any -> [107.172.61.67] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234914; rev:1;) alert tcp $HOME_NET any -> [121.43.117.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234915; rev:1;) alert tcp $HOME_NET any -> [178.54.217.55] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234913; rev:1;) alert tcp $HOME_NET any -> [43.163.224.112] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234912; rev:1;) alert tcp $HOME_NET any -> [101.35.169.206] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234911; rev:1;) alert tcp $HOME_NET any -> [195.230.23.126] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234910; rev:1;) alert tcp $HOME_NET any -> [117.72.39.83] 30005 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234909; rev:1;) alert tcp $HOME_NET any -> [104.143.47.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; 
classtype:trojan-activity; sid:91234908; rev:1;) alert tcp $HOME_NET any -> [155.138.231.45] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/receive.php"; depth:12; nocase; http.host; content:"op.mrstealth.pagekite.me"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234897; rev:1;) alert tcp $HOME_NET any -> [91.109.186.13] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234896/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234896; rev:1;) alert tcp $HOME_NET any -> [194.33.191.53] 58001 (msg:"ThreatFox N-W0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234895; rev:1;) alert tcp $HOME_NET any -> [8.141.10.30] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234892/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.139.128.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234891; rev:1;) alert tcp $HOME_NET any -> [92.63.178.58] 442 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234884; rev:1;) alert tcp $HOME_NET any -> [193.142.58.127] 80 (msg:"ThreatFox WhiteSnake Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp08/wp-includes/dtcla.php"; depth:27; nocase; http.host; content:"success.165gov.icu"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"success.165gov.icu"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234879; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/html.css"; depth:9; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beacon.evilginx2.bio"; depth:20; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1234874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234874; rev:1;) alert tcp $HOME_NET any -> [64.23.174.74] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234875; rev:1;) alert tcp $HOME_NET any -> [20.172.163.134] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bec.security-ssl.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234872; rev:1;) alert tcp $HOME_NET any -> [95.179.177.89] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.modernbeem.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234870; rev:1;) alert 
tcp $HOME_NET any -> [45.77.193.76] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.investmenttech.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234868; rev:1;) alert tcp $HOME_NET any -> [95.179.142.153] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234867; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.currentbee.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234866; rev:1;) alert tcp $HOME_NET any -> [104.143.47.137] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cc.youku.zip"; depth:12; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/"; depth:18; nocase; http.host; content:"cc.youku.zip"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234855; rev:1;) alert tcp $HOME_NET any -> [43.130.60.49] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234853; rev:1;) alert tcp $HOME_NET any -> [193.233.254.78] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234850; rev:1;) alert tcp $HOME_NET any -> [116.203.143.98] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234848/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234848; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234849/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234849; rev:1;) alert tcp $HOME_NET any -> [94.98.179.7] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nntp.aspx"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wais.html"; depth:10; nocase; http.host; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fleury-dev-g8d5b7fhg8fghxcm.a03.azurefd.net"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234844; rev:1;) alert tcp $HOME_NET any -> [75.119.138.31] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234843/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234843; rev:1;) alert tcp $HOME_NET any -> [179.13.3.199] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234842; rev:1;) alert tcp $HOME_NET any -> [187.213.193.180] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234841/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234841; rev:1;) alert tcp $HOME_NET any -> [41.99.122.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234840/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234840; rev:1;) alert tcp $HOME_NET any -> [141.164.209.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234839; rev:1;) alert tcp $HOME_NET any -> [72.27.73.7] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234838; rev:1;) alert tcp $HOME_NET any -> [77.73.39.175] 1194 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234837; rev:1;) alert tcp $HOME_NET any -> [74.12.146.125] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234836; rev:1;) alert tcp $HOME_NET any -> [41.96.195.143] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234835/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234835; rev:1;) alert tcp $HOME_NET any -> [38.242.21.30] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234834; rev:1;) alert tcp $HOME_NET any -> [137.117.205.207] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234832/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234832; rev:1;) alert tcp $HOME_NET any -> [4.205.75.12] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234833/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234833; 
rev:1;) alert tcp $HOME_NET any -> [137.117.205.207] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234831; rev:1;) alert tcp $HOME_NET any -> [89.245.139.188] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234830; rev:1;) alert tcp $HOME_NET any -> [89.245.139.188] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234829; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234828; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234827/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234827; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 7405 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234826/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234826; rev:1;) alert tcp $HOME_NET any -> [92.116.91.188] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234825/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234825; rev:1;) alert tcp $HOME_NET any -> [165.227.106.254] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234824/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234824; rev:1;) alert tcp $HOME_NET any -> [172.104.237.247] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234823; rev:1;) alert tcp $HOME_NET any -> [37.27.17.204] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234822/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234822; rev:1;) alert tcp $HOME_NET any -> [5.189.253.164] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234802; rev:1;) alert tcp $HOME_NET any -> [185.123.53.231] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234803; rev:1;) alert tcp $HOME_NET any -> [5.230.44.226] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234801; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234798; rev:1;) alert tcp $HOME_NET any -> [116.203.143.98] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234799; rev:1;) alert tcp $HOME_NET any -> [5.231.0.34] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234800; rev:1;) alert tcp $HOME_NET any -> [172.232.172.123] 80 (msg:"ThreatFox DBatLoader payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234779; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/400/isicentos.vbs"; depth:18; nocase; http.host; content:"172.232.172.123"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234778; rev:1;) alert tcp $HOME_NET any -> [128.254.207.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234804; rev:1;) alert tcp $HOME_NET any -> [178.236.247.167] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234805; rev:1;) alert tcp $HOME_NET any -> [23.146.184.71] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234806; rev:1;) alert tcp $HOME_NET any -> [66.135.17.87] 443 (msg:"ThreatFox FAKEUPDATES botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"places.creeksidehuntingpreserve.com"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colors.usajicgu.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234809; rev:1;) alert tcp $HOME_NET any -> [178.20.43.58] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234811; rev:1;) alert tcp $HOME_NET any -> [5.252.177.220] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234812; rev:1;) alert tcp $HOME_NET any -> [104.194.157.23] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234813; rev:1;) alert tcp $HOME_NET any -> [190.123.44.228] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234821/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_27; classtype:trojan-activity; sid:91234821; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonjavascriptlowcpugameserverdb.php"; depth:39; nocase; http.host; content:"yedar2on.beget.tech"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234820; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234819/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234819; rev:1;) alert tcp $HOME_NET any -> [77.246.110.208] 1337 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234818; rev:1;) alert tcp $HOME_NET any -> [45.79.207.53] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234817/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234817; rev:1;) alert tcp $HOME_NET any -> [20.125.88.113] 80 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234816/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234816; rev:1;) alert tcp 
$HOME_NET any -> [46.17.46.226] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/nk6fekkvnwln1wrklks6hrb9moms13q4vdupalwm"; depth:45; nocase; http.host; content:"mirrors.office356.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_27; classtype:trojan-activity; sid:91234814; rev:1;) alert tcp $HOME_NET any -> [45.120.177.147] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234810/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_27; classtype:trojan-activity; sid:91234810; rev:1;) alert tcp $HOME_NET any -> [46.17.46.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mirrors.office356.shop"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/wshw-clk-lkpu0xzbc81nv0idqfwhff"; depth:36; nocase; http.host; content:"mirrors.office356.shop"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234795; rev:1;) alert tcp $HOME_NET any -> [103.49.68.42] 80 (msg:"ThreatFox Mystic Stealer botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cn/nem/index.php"; depth:17; nocase; http.host; content:"5desconcertais.sa.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234793/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"ck52959.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234792; rev:1;) alert tcp $HOME_NET any -> [134.209.92.85] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234791/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234791; rev:1;) alert tcp $HOME_NET any -> [92.97.227.10] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234790; rev:1;) alert tcp $HOME_NET any -> [52.136.223.233] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234789; rev:1;) alert tcp $HOME_NET any -> [116.203.129.118] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234788; rev:1;) alert tcp $HOME_NET any -> [188.166.153.84] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234787; rev:1;) alert tcp $HOME_NET any -> [164.90.210.111] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234786; rev:1;) alert tcp $HOME_NET any -> [165.22.6.34] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234785; rev:1;) alert tcp $HOME_NET any -> [165.22.6.34] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234784; rev:1;) alert tcp $HOME_NET any -> [5.75.172.21] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"roof.spencerstuartllc.top"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234782; rev:1;) alert tcp $HOME_NET any -> [140.143.167.90] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234781/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234781; rev:1;) alert tcp $HOME_NET any -> [45.142.215.92] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234780/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234780; rev:1;) 
# NOTE(review): sid:91234774 below matches the bare hostname "lili19mainmasters.com" in the
# http.uri buffer (depth:21) and carries no http.host match; a request URI normally begins
# with "/", so this rule is unlikely to fire as written. Detection for that domain rests on
# the companion dns rule sid:91234775; if HTTP coverage is wanted, the match should be made
# against http.host with isdataat:!1,relative, as the other url rules in this feed do.
alert tcp $HOME_NET any -> [129.146.237.85] 4876 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"lili19mainmasters.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1234774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lili19mainmasters.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234775; rev:1;) alert tcp $HOME_NET any -> [5.75.172.21] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"cw42035.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234776; rev:1;) alert tcp $HOME_NET any -> [124.71.184.96] 3790 
(msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234773/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234773; rev:1;) alert tcp $HOME_NET any -> [64.23.149.255] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0909123.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4provider/serveruploadswpdatalife/6request5windows/5protectwordpress/python3db/processormultibetterjs/_httplongpoll6/7requestdatalifepublic/windowsprivatesqlcentral/windowsmariadbuniversal/eternallinepipephprequestlongpollsqltestcentral.php"; depth:241; nocase; http.host; content:"176.97.68.115"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234767; rev:1;) alert tcp $HOME_NET any -> [176.97.68.115] 80 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234768; rev:1;) alert tcp $HOME_NET any -> [185.51.173.2] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234769/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234769; rev:1;) alert tcp $HOME_NET any -> [34.88.68.0] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234766/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234766; rev:1;) alert tcp $HOME_NET any -> [146.70.161.85] 4217 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234765; rev:1;) alert tcp $HOME_NET any -> [107.173.4.16] 8787 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234764; rev:1;) alert tcp $HOME_NET any -> [81.213.221.223] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234763; rev:1;) alert tcp $HOME_NET any -> [34.118.150.123] 3333 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234762; rev:1;) alert tcp $HOME_NET any -> [54.159.80.53] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234761; rev:1;) alert tcp $HOME_NET any -> [46.101.187.69] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234760; rev:1;) alert tcp $HOME_NET any -> [88.92.231.93] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234759; rev:1;) alert tcp $HOME_NET any -> [4.184.116.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234758; rev:1;) alert tcp $HOME_NET any -> [89.223.122.247] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234757/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234757; rev:1;) alert tcp $HOME_NET any -> [52.59.95.85] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234756; rev:1;) alert tcp $HOME_NET any -> [82.165.166.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234755; rev:1;) alert tcp $HOME_NET any -> [163.172.150.135] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234754; rev:1;) alert tcp $HOME_NET any -> [16.171.224.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234752; rev:1;) alert tcp $HOME_NET any -> [16.170.251.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234753; rev:1;) alert tcp $HOME_NET any -> [154.41.253.67] 2222 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234751; rev:1;) alert tcp $HOME_NET any -> [206.119.168.185] 50026 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234750; rev:1;) alert tcp $HOME_NET any -> [3.23.91.240] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234748; rev:1;) alert tcp $HOME_NET any -> [103.86.130.74] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234749/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234749; rev:1;) alert tcp $HOME_NET any -> [34.226.155.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234747; rev:1;) alert tcp $HOME_NET any -> [68.183.36.66] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234746; rev:1;) alert tcp $HOME_NET any -> [34.116.168.166] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234745; rev:1;) alert tcp $HOME_NET any -> [101.43.31.90] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logon.100pingissues.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234743; rev:1;) alert tcp $HOME_NET any -> [143.244.170.153] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"37-72-168-178.static.hvvc.us"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234742; rev:1;) alert tcp $HOME_NET any -> [106.54.45.136] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234740; rev:1;) alert tcp $HOME_NET any -> [65.21.235.156] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234739/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234739; rev:1;) alert tcp $HOME_NET any -> [65.21.235.156] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234738/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234738; rev:1;) alert tcp $HOME_NET any -> [190.123.44.240] 80 (msg:"ThreatFox BlackNET RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beylikotomasyon.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mycontrolpanel29.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234735/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234735; rev:1;) alert tcp $HOME_NET any -> [45.128.232.4] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234734; rev:1;) alert tcp $HOME_NET any -> [147.78.103.103] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234733; rev:1;) alert tcp $HOME_NET any -> [93.123.85.90] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234732; rev:1;) alert tcp $HOME_NET any -> [52.3.173.99] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234731; rev:1;) alert tcp $HOME_NET any -> [44.196.101.127] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"www.infallible-lichterman.45-141-215-173.plesk.page"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234729; rev:1;) alert tcp $HOME_NET any -> [89.208.103.177] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234728; rev:1;) alert tcp $HOME_NET any -> [193.233.254.138] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234727; rev:1;) alert tcp $HOME_NET any -> [38.180.94.161] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234725; rev:1;) alert tcp $HOME_NET any -> [193.149.187.48] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234726; rev:1;) alert tcp $HOME_NET any -> [185.167.63.27] 4443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234724; rev:1;) alert tcp $HOME_NET any -> [197.119.141.49] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234723; rev:1;) alert tcp $HOME_NET any -> [156.254.126.133] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234722; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.139-84-137-249.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234721; rev:1;) alert tcp $HOME_NET any -> [223.155.16.23] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234719; rev:1;) alert tcp $HOME_NET any -> [223.155.16.37] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234720; rev:1;) alert tcp $HOME_NET any -> [181.161.3.56] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234718; rev:1;) alert tcp $HOME_NET any -> [94.156.67.156] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234717; rev:1;) alert tcp $HOME_NET any -> [193.106.175.43] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234715; rev:1;) alert tcp $HOME_NET any -> [86.38.204.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234716; rev:1;) alert tcp $HOME_NET any -> [3.72.85.14] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234714; rev:1;) alert tcp $HOME_NET any -> [52.222.96.153] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234713; rev:1;) alert tcp $HOME_NET any -> 
[213.195.118.64] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234712; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234711; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234709; rev:1;) alert tcp $HOME_NET any -> [213.195.118.64] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234710; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234708; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234707/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234707; rev:1;) alert tcp $HOME_NET any -> [193.26.115.142] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234706; rev:1;) alert tcp $HOME_NET any -> [136.243.151.123] 222 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234705; rev:1;) alert tcp $HOME_NET any -> [37.27.17.204] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234704/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234704; rev:1;) alert tcp $HOME_NET any -> [85.235.146.120] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234703/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234703; rev:1;) alert tcp $HOME_NET any -> [35.180.99.59] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234702/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234702; rev:1;) alert tcp $HOME_NET any -> [94.156.67.60] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234701/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234701; rev:1;) alert tcp $HOME_NET any -> [138.197.143.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234700/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_26; classtype:trojan-activity; sid:91234700; rev:1;) alert tcp $HOME_NET any -> [79.36.28.36] 9999 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234699; rev:1;) alert tcp $HOME_NET any -> [114.55.133.151] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234698; rev:1;) alert tcp $HOME_NET any -> [8.146.201.157] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234697; rev:1;) alert tcp $HOME_NET any -> [123.60.10.196] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234696; rev:1;) alert tcp $HOME_NET any -> 
[43.139.225.179] 3001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234695; rev:1;) alert tcp $HOME_NET any -> [1.117.93.65] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234694; rev:1;) alert tcp $HOME_NET any -> [43.139.177.77] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234692; rev:1;) alert tcp $HOME_NET any -> [120.24.70.197] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234693; rev:1;) alert tcp $HOME_NET any -> [204.44.94.81] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234691; rev:1;) alert tcp $HOME_NET any -> [116.62.130.96] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234690/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234690; rev:1;) alert tcp $HOME_NET any -> [43.143.209.185] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234689; rev:1;) alert tcp $HOME_NET any -> [107.174.228.79] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234688; rev:1;) alert tcp $HOME_NET any -> [172.233.147.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234687; rev:1;) alert tcp $HOME_NET any -> [43.136.122.227] 8084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234686; rev:1;) alert tcp $HOME_NET any -> [116.202.110.87] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234684; rev:1;) alert tcp $HOME_NET any -> [77.73.39.175] 32103 (msg:"ThreatFox QakBot botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234685; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"andaluciabeach.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234679; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234683; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234682; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 15634 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/alpha/five/fre.php"; depth:19; nocase; http.host; content:"roof.spencerstuartllc.top"; depth:25; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1234678/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_26; classtype:trojan-activity; sid:91234678; rev:1;) alert tcp $HOME_NET any -> [176.40.9.170] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234677/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234677; rev:1;) alert tcp $HOME_NET any -> [5.255.113.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234676/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234676; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.209"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234674; rev:1;) alert tcp $HOME_NET any -> [91.149.237.145] 2086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; 
classtype:trojan-activity; sid:91234673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.chrome-crash.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"ns.chrome-crash.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234671; rev:1;) alert tcp $HOME_NET any -> [103.86.131.55] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234670; rev:1;) alert tcp $HOME_NET any -> [34.88.42.175] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234669; rev:1;) alert tcp $HOME_NET any -> [103.167.90.225] 4251 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234668; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"fwjfiwmail.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234667; rev:1;) alert tcp $HOME_NET any -> [103.67.162.240] 2256 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server1.updateservice.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234664; rev:1;) alert tcp $HOME_NET any -> [154.82.81.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234665; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/css/jp.css"; depth:11; nocase; http.host; content:"server1.updateservice.store"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234663; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.61.25.107"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234662; rev:1;)
# NOTE(review): three generated rule shapes appear in this region, all classtype:trojan-activity
# with target:src_ip (the local client is the host to triage):
#  - "url" IOCs: alert http, GET only, http.uri prefix match (depth = pattern length, no end
#    anchor, so "/api" also matches "/api/..."), plus an exact http.host match anchored at
#    both ends by depth + isdataat:!1,relative;
#  - "ip:port" IOCs: alert tcp to one literal address/port with no flow: keyword, so a bare SYN
#    toward the address is enough to alert; rate-limited to one alert per source per 60 s by
#    the threshold clause;
#  - "domain" IOCs: alert dns on dns_query, exact full-name match (same depth + isdataat anchoring).
# metadata confidence_level mirrors the percentage in msg. Many of the 50% entries below are
# TCP 443 on addresses whose ownership this file does not establish — treat those as
# alert-and-investigate rather than block.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"8.146.201.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234661; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234660; rev:1;)
# NOTE(review): byte-identical match to sid 91234660 directly above (same URI prefix and host);
# one request raises both sids, so suppress or dedupe one of them downstream.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234659; rev:1;)
# NOTE(review): the URI patterns in this region (/__utm.gif, /___utm.gif, /ga.js, /match, /j.ad,
# /g.pixel, /push) imitate ordinary web-analytics paths; the http.host clause carries all the
# specificity, so a server move defeats the rule while a looser URI-only rule would drown in
# false positives. /g.pixel on 107.173.118.95 (sid 91234625) pairs with a Cobalt Strike ip:port
# entry for the same address (sid 91234626), and 163.5.169.2 (sid 91234657) pairs with
# sid 91234640 on port 50050.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234658; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/___utm.gif"; depth:11; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234657; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234656; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.97.222.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234655; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"101.43.165.220"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234654; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"8.142.115.47"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234653; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"5.101.0.241"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234652; rev:1;)
alert tcp $HOME_NET any -> [41.216.183.116] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234651/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234651; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"braidfadefriendklypk.site"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234649; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"conferenctdressingshrw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234650; rev:1;)
alert tcp $HOME_NET any -> [212.224.93.193] 8080 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234620; rev:1;)
alert tcp $HOME_NET any -> [46.196.24.72] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_26; classtype:trojan-activity; sid:91234639; rev:1;)
alert tcp $HOME_NET any -> [192.3.98.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234648/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234648; rev:1;)
alert tcp $HOME_NET any -> [41.97.221.16] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234647/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234647; rev:1;)
alert tcp $HOME_NET any -> [24.181.50.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234646/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234646; rev:1;)
alert tcp $HOME_NET any -> [151.64.205.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234645; rev:1;)
alert tcp $HOME_NET any -> [206.189.139.96] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234644; rev:1;)
alert tcp $HOME_NET any -> [146.70.155.203] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234643; rev:1;)
alert tcp $HOME_NET any -> [188.166.9.214] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234642; rev:1;)
alert tcp $HOME_NET any -> [142.171.2.161] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_26; classtype:trojan-activity; sid:91234641; rev:1;)
alert tcp $HOME_NET any -> [163.5.169.2] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234640/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234640; rev:1;)
alert tcp $HOME_NET any -> [37.38.159.127] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234638/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234638; rev:1;)
alert tcp $HOME_NET any -> [45.154.98.217] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234637/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234637; rev:1;)
alert tcp $HOME_NET any -> [175.142.28.27] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234636/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234636; rev:1;)
alert tcp $HOME_NET any -> [110.43.39.40] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234635/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_26; classtype:trojan-activity; sid:91234635; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/requestsecurepacketservermultidefaulttrackpublicuploads.php"; depth:60; nocase; http.host; content:"852377cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234634; rev:1;)
alert tcp $HOME_NET any -> [178.33.57.153] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234633/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234633; rev:1;)
# NOTE(review): same match as sid 91234630 two rules below (/c4/fre.php on sempersim.su),
# reported at 75% here and 100% there; both fire on one request.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234632/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234632; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"3.75.178.44"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234631; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c4/fre.php"; depth:11; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234630; rev:1;)
alert tcp $HOME_NET any -> [5.75.211.197] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234629; rev:1;)
alert tcp $HOME_NET any -> [38.255.40.137] 3451 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234628; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"1.117.232.76"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234627; rev:1;)
alert tcp $HOME_NET any -> [107.173.118.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234626; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"107.173.118.95"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234625; rev:1;)
alert tcp $HOME_NET any -> [146.70.158.28] 6882 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234623; rev:1;)
alert tcp $HOME_NET any -> [185.117.90.142] 6882 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234624; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.158] 3392 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234622; rev:1;)
alert tcp $HOME_NET any -> [43.136.71.209] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234621/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234621; rev:1;)
alert tcp $HOME_NET any -> [94.156.67.230] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234619; rev:1;)
alert tcp $HOME_NET any -> [173.211.106.128] 7785 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234618/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234618; rev:1;)
alert tcp $HOME_NET any -> [198.46.203.245] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234617/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234617; rev:1;)
alert tcp $HOME_NET any -> [41.99.250.66] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234616/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234616; rev:1;)
alert tcp $HOME_NET any -> [154.246.208.179] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234615/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234615; rev:1;)
alert tcp $HOME_NET any -> [5.163.116.174] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234614/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234614; rev:1;)
alert tcp $HOME_NET any -> [38.147.189.149] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234613/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234613; rev:1;)
alert tcp $HOME_NET any -> [193.42.25.233] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234612/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234612; rev:1;)
# NOTE(review): sids 91234611 and 91234610 watch TCP 445 toward internet addresses. SMB leaving
# $HOME_NET is anomalous regardless of destination (credential-capture tooling such as Responder
# depends on it), so an egress block on 445 plus a generic any-external-445 alert covers far
# more than these two addresses; keep these sids for attribution, not as the primary control.
alert tcp $HOME_NET any -> [79.132.128.47] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234611/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234611; rev:1;)
alert tcp $HOME_NET any -> [18.201.215.198] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234610/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234610; rev:1;)
alert tcp $HOME_NET any -> [158.160.124.3] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234609/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234609; rev:1;)
alert tcp $HOME_NET any -> [89.245.139.188] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234608/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234608; rev:1;)
alert tcp $HOME_NET any -> [137.117.205.207] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234607/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234607; rev:1;)
alert tcp $HOME_NET any -> [154.118.230.140] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234606/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234606; rev:1;)
alert tcp $HOME_NET any -> [52.222.96.153] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234605/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234605; rev:1;)
alert tcp $HOME_NET any -> [156.245.11.46] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234604/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234604; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.221.184.239"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234603; rev:1;)
# NOTE(review): four NjRAT entries (sids 91234602, 91234600, 91234601, 91234599) share port 12517
# across different addresses; if the addresses rotate, the port is the more durable hunting pivot.
alert tcp $HOME_NET any -> [3.125.209.94] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234602; rev:1;)
alert tcp $HOME_NET any -> [3.124.142.205] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234600; rev:1;)
alert tcp $HOME_NET any -> [3.125.102.39] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234601; rev:1;)
alert tcp $HOME_NET any -> [18.158.249.75] 12517 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234599; rev:1;)
alert tcp $HOME_NET any -> [34.140.232.110] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234598/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234598; rev:1;)
alert tcp $HOME_NET any -> [213.226.112.58] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234597; rev:1;)
# NOTE(review): this "url" IOC has no path. The domain is matched in http.uri with depth:28 and
# there is no http.host clause, so the rule only fires when the request line carries an absolute
# URI beginning with the domain (proxy-style requests); in an ordinary request the hostname is in
# the Host header and this never matches. Looks like a generator artifact for a path-less URL
# entry — the dns rule sid 91234594 right after it is the one that actually covers this domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"strongdomainsercgerhhost.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1234595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234595; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"strongdomainsercgerhhost.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234594; rev:1;)
alert tcp $HOME_NET any -> [89.116.100.148] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234596/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234596; rev:1;)
# NOTE(review): one address, three ports (8808, 6606, 7707 — sids 91234593/91234592/91234591),
# which are the AsyncRAT default listener ports, reported at 75/75/100%; treat the address as a
# single infrastructure item when triaging rather than three unrelated hits.
alert tcp $HOME_NET any -> [203.20.113.158] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234593/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234593; rev:1;)
alert tcp $HOME_NET any -> [203.20.113.158] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234592/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234592; rev:1;)
alert tcp $HOME_NET any -> [203.20.113.158] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234591; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f50a15cc.php"; depth:13; nocase; http.host; content:"a0910594.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234590; rev:1;)
# NOTE(review): every dns rule in this batch is an exact full-name match (depth = name length,
# isdataat:!1,relative = nothing may follow), so sibling labels are not covered: cedoras.store
# (sid 91234522), api-talks.cedoras.store (91234513), lcscorn.cedoras.store (91234534) and
# mailcorn.cedoras.store (91234540) each need their own entry, as do akites.site (91234511) and
# emv1.akites.site (91234531). Zone-wide coverage would need a suffix match (the dotprefix
# transform with endswith) instead of the depth anchor — worth adding locally for the
# cedoras.store and akites.site zones, since new labels under them would otherwise go unseen.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cmytfvga.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234524; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"civilarys.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234523; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"corenavered.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234525; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cafung.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234521; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cedoras.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234522; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"btcstack.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234520; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"binavers.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bnlopdlc.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234518; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bolun.site"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234519; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bindeo.tech"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234517; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baconer.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234514; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"berysu.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234515; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aluces.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234512; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api-talks.cedoras.store"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234513; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aiaitu.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234510; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"akites.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234511; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aderto.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234507; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"afixer.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234508; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ahesus.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234509; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cutagor.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234526; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dacrorns.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234527; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"decasy.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234528; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docloakc.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234529; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"docpoc.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234530; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.akites.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234531; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fomhl.fun"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234532; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kololphcnv.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234533; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lcscorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234534; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lfpa.website"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234535; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locslf.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234536; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lopaswec.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234537; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lopdgv.fun"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234538; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.naverservice.site"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234539; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailcorn.cedoras.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234540; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mailcorp.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234541; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malilsopx.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234542; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mclvhoc.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mlodkf.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moldoep.website"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"molgono.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mollcocmd.tech"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mollsovop.fun"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"molsycl.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"motivenaver.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navecorps.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navei.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234552; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naver-config.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naver-delivers.site"; depth:19; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1234554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naveralert.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234556; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naveralarm.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"navercafe.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234557; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naverpro.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234558; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naverservice.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234559; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"necxo.tech"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234560; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhopess.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234561; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nicorps.website"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234562; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nid.cafung.online"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234563; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nid.civilarys.store"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234564; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"nidcorp.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234566; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidcorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidcorp.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnaver.help"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnaver.info"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234569; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidnavercorp.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1234570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234570; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidpilk.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234571; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nidpon.cedoras.store"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234572; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obmonspc.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234573; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"octos.store"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"olcocmsl.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234575; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"poskoca.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234577; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ploslacv.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234576; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proteco.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234578; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"riavercorped.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234579; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedlco.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234580; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"socrpa.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234581; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soduci.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"staticnidcorn.cedoras.store"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234585; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"solep.online"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sslcorn.cedoras.store"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234584; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supwlmall.online"; depth:16; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1234586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234586; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wedwec.online"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234587; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wobsodm.tech"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234588; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xclosldp.shop"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234589; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acopfvy.store"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234505; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"acrob.shop"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234506; rev:1;) alert tcp $HOME_NET any -> [193.26.115.228] 19267 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234393; rev:1;) alert tcp $HOME_NET any -> [94.156.65.84] 55123 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234504; rev:1;) alert tcp $HOME_NET any -> [41.227.246.175] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234503; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duckfoundation.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234502; rev:1;) alert tcp $HOME_NET any -> [13.49.65.162] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234501; rev:1;) alert tcp $HOME_NET any -> [3.92.62.149] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234500; rev:1;) alert tcp $HOME_NET any -> [18.194.27.80] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234499; rev:1;) alert tcp $HOME_NET any -> [47.128.181.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234498; rev:1;) alert tcp $HOME_NET any -> [31.210.51.99] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234497; rev:1;) alert tcp $HOME_NET any -> [34.128.84.233] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234496; rev:1;) alert tcp $HOME_NET any -> [15.161.144.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; 
sid:91234495; rev:1;) alert tcp $HOME_NET any -> [37.32.21.150] 8085 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234494; rev:1;) alert tcp $HOME_NET any -> [16.170.251.233] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234493; rev:1;) alert tcp $HOME_NET any -> [20.193.44.167] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234492; rev:1;) alert tcp $HOME_NET any -> [20.240.184.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234491; rev:1;) alert tcp $HOME_NET any -> [43.139.38.66] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234490; rev:1;) alert tcp $HOME_NET any -> [124.71.184.96] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234489; rev:1;) alert tcp $HOME_NET any -> [38.46.30.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234488; rev:1;) alert tcp $HOME_NET any -> [49.235.182.24] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234487; rev:1;) alert tcp $HOME_NET any -> [119.3.231.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234486; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.pay-3ds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234485; rev:1;) alert tcp $HOME_NET any -> [217.196.107.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234484; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"r4dc3btbyzip0edkbykb1qteulwb.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234483; rev:1;) alert tcp $HOME_NET any -> [103.77.240.62] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234482; rev:1;) alert tcp $HOME_NET any -> [3.208.95.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234481; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carte-vitale-assurance.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234480; rev:1;) alert tcp $HOME_NET any -> [194.163.178.229] 56325 (msg:"ThreatFox Ares botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234479/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234479; rev:1;) alert tcp $HOME_NET any -> [94.156.65.230] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234478; rev:1;) alert tcp $HOME_NET any -> [195.85.114.206] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234476; rev:1;) alert tcp $HOME_NET any -> [45.128.96.110] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234477; rev:1;) alert tcp $HOME_NET any -> [45.128.96.170] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234475; rev:1;) alert tcp $HOME_NET any -> [94.156.67.102] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234474; rev:1;) alert tcp $HOME_NET any -> [163.5.64.8] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234472; rev:1;) alert tcp $HOME_NET any -> [89.23.102.60] 80 
(msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234473; rev:1;) alert tcp $HOME_NET any -> [91.92.244.23] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234471; rev:1;) alert tcp $HOME_NET any -> [18.159.210.80] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234469; rev:1;) alert tcp $HOME_NET any -> [154.53.166.167] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234470; rev:1;) alert tcp $HOME_NET any -> [45.128.96.121] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234468; rev:1;) alert tcp $HOME_NET any -> [185.78.76.159] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234467; rev:1;) alert tcp $HOME_NET any -> [163.5.169.4] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234465; rev:1;) alert tcp $HOME_NET any -> [164.68.119.38] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234466; rev:1;) alert tcp $HOME_NET any -> [94.156.67.103] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234464; rev:1;) alert tcp $HOME_NET any -> [163.5.210.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234463; rev:1;) alert tcp $HOME_NET any -> [165.227.246.129] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234462; rev:1;) alert tcp $HOME_NET any -> [34.154.103.104] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234461; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.161-35-239-147.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234460; rev:1;) alert tcp $HOME_NET any -> [188.153.77.109] 4781 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234459; rev:1;) alert tcp $HOME_NET any -> [185.81.157.129] 8808 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234458; rev:1;) alert tcp $HOME_NET any -> [175.16.184.111] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234457; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 443 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234456; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sleepyawn2.fvds.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234454; rev:1;) alert tcp $HOME_NET any -> [45.87.153.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234455; rev:1;) alert tcp $HOME_NET any -> [37.46.130.210] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234453; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"227.lan-vg1-1.static.rozabg.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234452; rev:1;) alert tcp $HOME_NET any -> [149.154.65.14] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev3.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1234451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234451; rev:1;) alert tcp $HOME_NET any -> [185.172.128.91] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234449; rev:1;) alert tcp $HOME_NET any -> [54.255.57.58] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234447; rev:1;) alert tcp $HOME_NET any -> [172.205.202.156] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234448; rev:1;) alert tcp $HOME_NET any -> [20.0.100.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234446; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"servertgbotvds.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234445; rev:1;) alert tcp $HOME_NET any -> [185.209.29.72] 80 (msg:"ThreatFox Hook botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234444; rev:1;) alert tcp $HOME_NET any -> [94.156.66.227] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234443; rev:1;) alert tcp $HOME_NET any -> [185.187.169.34] 17443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234442; rev:1;) alert tcp $HOME_NET any -> [3.31.40.188] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234441; rev:1;) alert tcp $HOME_NET any -> [186.112.205.208] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234440; rev:1;) alert tcp $HOME_NET any -> [104.243.37.176] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234439; rev:1;) alert tcp $HOME_NET any -> [193.26.115.142] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234438; rev:1;) alert tcp $HOME_NET any -> [163.5.64.75] 7391 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234437; rev:1;) alert tcp $HOME_NET any -> [185.81.157.1] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"competent-elion.193-142-59-177.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234436; rev:1;) alert tcp $HOME_NET any -> [185.81.157.129] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234434; rev:1;) alert tcp $HOME_NET any -> [91.109.178.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234433; rev:1;) alert tcp $HOME_NET any -> [136.243.179.5] 82 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234432; rev:1;) alert tcp $HOME_NET any -> [46.4.37.212] 81 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234431; rev:1;) alert tcp $HOME_NET any -> [178.17.170.180] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234430/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234430; rev:1;) alert tcp $HOME_NET any -> [35.93.24.71] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234429/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234429; rev:1;) alert tcp $HOME_NET any -> [156.245.11.46] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234428/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234428; rev:1;) alert tcp $HOME_NET any -> 
[8.138.96.41] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234427/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234427; rev:1;) alert tcp $HOME_NET any -> [178.17.170.194] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234426/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_25; classtype:trojan-activity; sid:91234426; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234425; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234424; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234422; rev:1;) alert tcp $HOME_NET any -> [187.135.146.121] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234423/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234423; rev:1;) alert tcp $HOME_NET any -> [160.177.155.67] 6699 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234421; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234420; rev:1;) alert tcp $HOME_NET any -> [108.165.113.54] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234419; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 2052 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234418; rev:1;) alert tcp $HOME_NET any -> [20.196.198.116] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234417; rev:1;) alert tcp $HOME_NET any -> [122.9.49.14] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234415; rev:1;) alert tcp $HOME_NET any -> [8.130.18.124] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234416; rev:1;) alert tcp $HOME_NET any -> [43.143.130.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234414; rev:1;) alert tcp $HOME_NET any -> [43.143.95.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234413; rev:1;) alert tcp $HOME_NET any -> [1.94.17.115] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234411; rev:1;) alert tcp $HOME_NET any -> [149.104.26.126] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; 
classtype:trojan-activity; sid:91234412; rev:1;) alert tcp $HOME_NET any -> [117.72.13.42] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234410; rev:1;) alert tcp $HOME_NET any -> [107.173.118.95] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234409; rev:1;) alert tcp $HOME_NET any -> [39.106.26.184] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234407; rev:1;) alert tcp $HOME_NET any -> [47.243.180.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234408; rev:1;) alert tcp $HOME_NET any -> [47.106.138.25] 30001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234406; rev:1;) alert tcp $HOME_NET any -> [154.82.81.114] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234405; rev:1;) alert tcp $HOME_NET any -> [120.79.88.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234404; rev:1;) alert tcp $HOME_NET any -> [84.45.122.150] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234403; rev:1;) alert tcp $HOME_NET any -> [123.60.60.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234402; rev:1;) alert tcp $HOME_NET any -> [158.247.233.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234401; rev:1;) alert tcp $HOME_NET any -> [47.116.115.242] 50001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234400; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a1ea3a79a94605ef.php"; depth:21; nocase; http.host; content:"91.206.178.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gdf8jejdkd/index.php"; depth:21; nocase; http.host; content:"91.92.250.20"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.198.191.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234397; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.243.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234396; rev:1;) alert tcp $HOME_NET any -> [65.109.243.18] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234394; rev:1;) alert tcp $HOME_NET any -> [88.198.191.199] 2920 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234395; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/download"; depth:9; nocase; http.host; content:"onedrive.live.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"8.130.79.120"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234392; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.93.254.171"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234391; rev:1;) alert tcp $HOME_NET any -> [162.221.204.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"mcfupdservice.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234389; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.138.182.25"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234388; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"check.cloudupdateserver.cloudns.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"39.104.52.1"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234386/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"124.223.64.107"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.136.58.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"3.75.178.44"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234383; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234381; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1234380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234380; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 25505 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"orjin.duckdns.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234374; rev:1;) alert tcp $HOME_NET any -> [91.92.242.242] 6051 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234376; rev:1;) alert tcp $HOME_NET any -> [46.246.80.19] 8889 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234375/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234375; rev:1;) alert tcp $HOME_NET any -> [101.36.111.47] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234373; rev:1;) alert tcp $HOME_NET any -> 
[176.96.138.158] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmr.index-gpt.pro"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234371; rev:1;) alert tcp $HOME_NET any -> [13.211.149.176] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.inpex589.info"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234369; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234368; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234367; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234366; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234365; rev:1;) alert tcp $HOME_NET any -> [3.121.139.82] 16495 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"cdn-014.epsonupdate.uk"; depth:22; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1234362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"167.99.75.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234361; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234360; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/1.2/e4c954ae"; depth:17; nocase; http.host; content:"cs1.dbgblack.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234358; rev:1;) alert tcp $HOME_NET any 
-> [172.94.12.73] 1979 (msg:"ThreatFox Remcos payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ak"; depth:3; nocase; http.host; content:"52.70.254.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234356; rev:1;) alert tcp $HOME_NET any -> [91.109.180.10] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234355/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"newdomainfortesteenestle.com"; depth:28; nocase; reference:url, threatfox.abuse.ch/ioc/1234352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"newdomainfortesteenestle.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ekurorem.duckdns.org"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234354; rev:1;) alert tcp $HOME_NET any -> [122.117.11.1] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234353/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234353; rev:1;) alert tcp $HOME_NET any -> [64.188.20.186] 5050 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234350/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234350; rev:1;) alert tcp $HOME_NET any -> [62.102.148.185] 9771 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234349/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_25; classtype:trojan-activity; sid:91234349; rev:1;) alert tcp $HOME_NET any -> [112.126.81.157] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234348/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234348; rev:1;) alert tcp $HOME_NET any -> [66.42.57.158] 18808 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234347/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234347; rev:1;) alert tcp $HOME_NET any -> [172.111.136.105] 2016 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234346/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234346; rev:1;) alert tcp $HOME_NET any -> [201.137.206.52] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234345/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234345; rev:1;) alert tcp $HOME_NET any -> [136.243.185.106] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234344/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234344; rev:1;) alert tcp $HOME_NET any -> [31.192.235.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234343/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234343; rev:1;) alert tcp $HOME_NET any -> [3.21.227.143] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234342/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234342; rev:1;) alert tcp $HOME_NET any -> [15.235.130.29] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234341/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234341; rev:1;) alert tcp $HOME_NET any -> [94.103.87.88] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234340/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234340; rev:1;) alert tcp $HOME_NET any -> [85.13.119.42] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234339/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234339; rev:1;) alert tcp $HOME_NET any -> [154.118.230.141] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234338/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234338; rev:1;) alert tcp $HOME_NET any -> [13.251.49.40] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234337; rev:1;) alert tcp $HOME_NET any -> [156.245.11.62] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234336; rev:1;) alert 
tcp $HOME_NET any -> [156.245.11.62] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234335; rev:1;) alert tcp $HOME_NET any -> [156.245.11.10] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234334; rev:1;) alert tcp $HOME_NET any -> [156.245.11.10] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234333; rev:1;) alert tcp $HOME_NET any -> [93.123.39.164] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"visitclouds.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234327; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/ac-analytics.js"; depth:16; nocase; http.host; content:"visitclouds.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234328; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"217.29.53.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234329; rev:1;) alert tcp $HOME_NET any -> [185.172.128.33] 8924 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"novlkyy.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_25; classtype:trojan-activity; sid:91234332; rev:1;) alert tcp $HOME_NET any -> [39.100.66.159] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234330/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234330; rev:1;) alert tcp $HOME_NET any -> [45.140.146.239] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234326/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234326; rev:1;) alert tcp $HOME_NET any -> [103.185.249.231] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234325; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14937 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234324; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14937 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234323; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14937 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_25; classtype:trojan-activity; sid:91234322; rev:1;) alert tcp $HOME_NET any -> [109.116.169.17] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_25; classtype:trojan-activity; sid:91234321; rev:1;) alert tcp $HOME_NET any -> 
[157.230.233.178] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.137.5.20"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234319; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/php_multidblocal.php"; depth:21; nocase; http.host; content:"172969cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234317; rev:1;) alert tcp $HOME_NET any -> [20.2.219.165] 3389 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234315; rev:1;) alert tcp $HOME_NET any -> 
[8.130.79.120] 8002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234314; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/trefald.zip"; depth:22; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/callerboost.zip"; depth:26; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/prtyhguafelif.zip"; depth:28; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234294; rev:1;) alert tcp $HOME_NET any -> [181.131.217.74] 1998 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234298/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234298; rev:1;) alert tcp $HOME_NET any -> [78.47.233.121] 443 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234313/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234313; rev:1;) alert tcp $HOME_NET any -> [101.133.226.75] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234312/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234312; rev:1;) alert tcp $HOME_NET any -> [2.88.192.215] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234311; rev:1;) alert tcp $HOME_NET any -> [108.173.85.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234310; rev:1;) alert tcp $HOME_NET any -> [2.50.44.179] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234309; rev:1;) alert tcp $HOME_NET any -> [31.117.179.232] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234308; rev:1;) alert tcp $HOME_NET any -> [74.12.146.31] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234307; rev:1;) alert tcp $HOME_NET any -> [70.27.15.149] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234306; rev:1;) alert tcp $HOME_NET any -> [5.188.228.224] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234305; rev:1;) alert tcp $HOME_NET any -> [38.147.189.199] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234304; rev:1;) alert tcp $HOME_NET any -> [38.147.189.173] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234303; rev:1;) alert tcp $HOME_NET any -> [15.206.164.202] 443 (msg:"ThreatFox 
Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234302; rev:1;) alert tcp $HOME_NET any -> [34.123.166.220] 6667 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234301; rev:1;) alert tcp $HOME_NET any -> [40.113.134.142] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234300/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234300; rev:1;) alert tcp $HOME_NET any -> [35.72.81.251] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234299/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234299; rev:1;) alert tcp $HOME_NET any -> [147.50.253.9] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234297; rev:1;) alert tcp $HOME_NET any -> [124.221.17.198] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234296; rev:1;) alert tcp $HOME_NET any -> [34.88.16.45] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234295/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234295; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/downloads/8gmgv5a1fslkxv.zip/"; depth:30; nocase; http.host; content:"5.181.159.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234290; rev:1;) alert tcp $HOME_NET any -> [5.181.159.64] 80 (msg:"ThreatFox DarkGate payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234291; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"groannysoapblockedstiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"copyrightspareddcitwew.site"; depth:27; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1234275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paperambiguonusphoterew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234276; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"expenditureddisumilarwo.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234277; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"weedpairfolkloredheryw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinethemepiggerygoj.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234279; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"qualifiedbehaviorrykej.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dragonporterloudjettyw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"groannysoapblockedstiw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"copyrightspareddcitwew.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234283; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paperambiguonusphoterew.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234284/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expenditureddisumilarwo.site"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"combinethemepiggerygoj.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weedpairfolkloredheryw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qualifiedbehaviorrykej.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dragonporterloudjettyw.site"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234289; rev:1;) alert tcp $HOME_NET any -> [212.118.52.86] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234273/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234273; rev:1;) alert tcp $HOME_NET any -> [213.196.40.4] 1792 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234272; rev:1;) alert tcp $HOME_NET any -> [38.242.151.1] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234271/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async4/request/flower/to/2universal_/public46async/requestgame/update4/pollflower6/secureuniversalsql/temp88/flowerpythonmulti/process0/trackexternaltrack/protectgeneratorline9/wp/4/betterbigloadflowerauth/lineupdatedefaultbasecdndownloadstemporary.php"; depth:253; nocase; http.host; content:"185.185.68.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234270; rev:1;) alert tcp $HOME_NET any -> [2.50.16.143] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234269; rev:1;) alert tcp $HOME_NET any -> [88.229.78.112] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234267; rev:1;) alert tcp $HOME_NET any -> [62.15.129.5] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234268; rev:1;) alert tcp $HOME_NET any -> [43.143.22.238] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234266; rev:1;) alert tcp $HOME_NET any -> [164.92.206.133] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234265; rev:1;) alert tcp $HOME_NET any -> [43.205.22.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234264; rev:1;) alert tcp $HOME_NET any -> [34.172.43.190] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234263; rev:1;) alert tcp $HOME_NET any -> [15.206.174.2] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234262; rev:1;) alert tcp $HOME_NET any -> [8.218.137.213] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234260; rev:1;) alert tcp $HOME_NET any -> [86.246.194.49] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234261; rev:1;) alert tcp $HOME_NET any -> [110.42.249.150] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234259; rev:1;) alert tcp $HOME_NET any -> [103.234.72.216] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234258/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234258; rev:1;) alert tcp $HOME_NET any -> [91.194.135.254] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fanklubziuta.pl"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234257; rev:1;) alert tcp $HOME_NET any -> [172.233.24.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234255; rev:1;) alert tcp $HOME_NET any -> [93.123.39.87] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234254; rev:1;) alert tcp $HOME_NET any -> [87.98.185.14] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234253; rev:1;) alert tcp $HOME_NET any -> [5.42.92.98] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234252; rev:1;) alert tcp $HOME_NET any -> [20.199.14.181] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234251; rev:1;) alert tcp $HOME_NET any -> [185.98.61.220] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234250; rev:1;) alert tcp $HOME_NET any -> [89.23.101.149] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234249; rev:1;) alert tcp $HOME_NET any -> [149.100.138.254] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234248; rev:1;) alert tcp $HOME_NET any -> [79.143.182.133] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234247; rev:1;) alert 
tcp $HOME_NET any -> [185.221.198.98] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234246; rev:1;) alert tcp $HOME_NET any -> [87.229.6.192] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234245; rev:1;) alert tcp $HOME_NET any -> [93.123.39.140] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234244; rev:1;) alert tcp $HOME_NET any -> [93.123.39.164] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234243; rev:1;) alert tcp $HOME_NET any -> [58.187.115.100] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234242; rev:1;) alert tcp $HOME_NET any -> [188.27.189.141] 8080 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234241/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234241; rev:1;) alert tcp $HOME_NET any -> [91.222.236.50] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev2.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234239; rev:1;) alert tcp $HOME_NET any -> [104.131.162.146] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234238; rev:1;) alert tcp $HOME_NET any -> [186.112.204.173] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234237; rev:1;) alert tcp $HOME_NET any -> [45.32.106.247] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234236/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234236; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - 
confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234235/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234235; rev:1;) alert tcp $HOME_NET any -> [27.44.204.233] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234234/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234234; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234233; rev:1;) alert tcp $HOME_NET any -> [23.224.61.122] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234232; rev:1;) alert tcp $HOME_NET any -> [45.32.252.8] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234231; rev:1;) alert tcp $HOME_NET any -> [185.196.10.62] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234230; rev:1;) alert tcp $HOME_NET any -> [47.115.212.213] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234229; rev:1;) alert tcp $HOME_NET any -> [62.234.41.101] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234228; rev:1;) alert tcp $HOME_NET any -> [5.78.40.0] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234227; rev:1;) alert tcp $HOME_NET any -> [45.62.123.165] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234226; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234225; rev:1;) alert tcp $HOME_NET any -> [39.107.79.21] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234223; rev:1;) alert tcp $HOME_NET any -> [8.137.39.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234224; rev:1;) alert tcp $HOME_NET any -> [45.207.49.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234222; rev:1;) alert tcp $HOME_NET any -> [206.237.23.185] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234221; rev:1;) alert tcp $HOME_NET any -> [120.26.216.200] 3541 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234220; rev:1;) alert tcp $HOME_NET any -> [124.221.30.83] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234219; rev:1;) alert tcp $HOME_NET any 
-> [39.106.26.184] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234218; rev:1;) alert tcp $HOME_NET any -> [47.108.84.84] 4441 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234217; rev:1;) alert tcp $HOME_NET any -> [149.28.105.251] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.trackgroup.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234215; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.140.147.149"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234213; rev:1;) alert tcp $HOME_NET any -> [81.70.43.159] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234214; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"47.96.70.41"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234212; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"81.70.43.159"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234211; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234210; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"123.249.114.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234209; rev:1;) alert tcp $HOME_NET any -> [176.49.126.178] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234208/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234208; rev:1;) alert tcp $HOME_NET any -> [101.132.182.180] 5110 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234207; rev:1;) 
# NOTE(review): sid 91234206 (IOC 1234206, confidence 75) and sid 91234205 (IOC 1234205, confidence 100)
# carry the same http.method/http.uri/http.host match (GET /pws/fre.php on novlkyy.shop), so one request
# raises two alerts. If deploying this feed, suppress or drop the lower-confidence sid to avoid double alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"novlkyy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234206/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234206; rev:1;) alert tcp $HOME_NET any -> [101.132.182.180] 59990 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234204; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pws/fre.php"; depth:12; nocase; http.host; content:"novlkyy.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; 
classtype:trojan-activity; sid:91234205; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 30001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234203; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loja5.seugrupotodimo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.dunedincasino.co.nz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234201; rev:1;) alert tcp $HOME_NET any -> [159.65.13.239] 55680 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234202; rev:1;) alert tcp $HOME_NET any -> [156.253.12.10] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234199/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234199; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 14434 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234198; rev:1;) alert tcp $HOME_NET any -> [3.68.56.232] 14434 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234197; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.veriernano.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234196; rev:1;) alert tcp $HOME_NET any -> [45.204.13.45] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234195; rev:1;) alert tcp $HOME_NET any -> [163.172.35.224] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234194; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dev/console/c0u481xgp"; depth:22; nocase; http.host; content:"163.172.35.224"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1234193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234193; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/search/"; depth:8; nocase; http.host; content:"156.253.12.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234191; rev:1;) alert tcp $HOME_NET any -> [45.204.13.45] 8234 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234192; rev:1;) alert tcp $HOME_NET any -> [77.105.166.121] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234190; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"101.43.12.111"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234189; rev:1;) alert tcp $HOME_NET any -> [94.156.65.121] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234188/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234188; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234187; rev:1;) alert tcp $HOME_NET any -> [35.240.61.64] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234186/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234186; rev:1;) alert tcp $HOME_NET any -> [124.223.64.107] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234185/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234185; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"194.32.149.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234184; rev:1;) alert tcp $HOME_NET any -> [85.192.41.74] 7771 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1234183/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234183; rev:1;) alert tcp $HOME_NET any -> [209.145.58.236] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234117; rev:1;) alert tcp $HOME_NET any -> [195.20.16.207] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234116; rev:1;) alert tcp $HOME_NET any -> [193.233.132.116] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234115; rev:1;) alert tcp $HOME_NET any -> [193.233.132.88] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234114; rev:1;) alert tcp $HOME_NET any -> [193.233.132.61] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234113; rev:1;) alert tcp $HOME_NET any -> [193.233.132.49] 50500 
(msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234112; rev:1;) alert tcp $HOME_NET any -> [193.163.170.166] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234111; rev:1;) alert tcp $HOME_NET any -> [92.246.138.90] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234110; rev:1;) alert tcp $HOME_NET any -> [91.212.166.206] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234109; rev:1;) alert tcp $HOME_NET any -> [87.121.87.59] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234108; rev:1;) alert tcp $HOME_NET any -> [45.153.242.202] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234107/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_24; classtype:trojan-activity; sid:91234107; rev:1;) alert tcp $HOME_NET any -> [5.101.1.60] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234106; rev:1;) alert tcp $HOME_NET any -> [5.101.0.60] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234105; rev:1;) alert tcp $HOME_NET any -> [168.119.242.255] 7742 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234090; rev:1;) alert tcp $HOME_NET any -> [191.88.251.13] 7770 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"5.101.0.245"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234182; rev:1;) alert tcp $HOME_NET any -> [23.155.8.220] 14344 (msg:"ThreatFox 
Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234181/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234181; rev:1;)
alert tcp $HOME_NET any -> [34.92.57.130] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234180/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234180; rev:1;)
# ip:port rule on port 80: with no flow:/http condition, any TCP packet from $HOME_NET to
# 147.78.103.10:80 (plain browsing or a scanner probe alike) raises one alert per source
# per minute, which is the intended behaviour for a known-bad destination.
alert tcp $HOME_NET any -> [147.78.103.10] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234179/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234178; rev:1;)
# NOTE(review): "/cm" with depth:3 and no terminating isdataat is a prefix match, so
# /cms/... or /cmd?x=1 also hit; the rule stays precise only because the Host header
# must equal cs.xcb.one exactly (anchored content + isdataat:!1,relative) — do not
# loosen the host match when tuning.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234176; rev:1;)
# NOTE(review): /__utm.gif and /push on 20.196.198.116 are generic-looking paths that
# stay low-noise only because http.host must equal the IP literal exactly; presumably
# they are catalogued as C2 because they match well-known malleable-C2 profile URIs —
# confirm against the referenced ThreatFox entries before widening either rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234175; rev:1;)
# "/cx" is a 3-byte prefix match (no terminating isdataat on the URI); precision comes
# from the exact Host match on cs.xcb.one.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234174; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234173; rev:1;)
# Low-confidence (50%) IOC: the metadata keyword is informational only and does not
# affect matching or priority, so if 50% entries should not page, filter on
# confidence_level in the alert pipeline or suppress the sid in threshold.config.
alert tcp $HOME_NET any -> [47.108.220.47] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234172/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_24; classtype:trojan-activity; sid:91234172; rev:1;) alert tcp $HOME_NET any -> [94.130.49.62] 6214 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234171/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234171; rev:1;) alert tcp $HOME_NET any -> [74.12.146.80] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234170/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234170; rev:1;) alert tcp $HOME_NET any -> [74.12.146.80] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234169/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234169; rev:1;) alert tcp $HOME_NET any -> [41.96.48.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234168/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234168; rev:1;) alert tcp $HOME_NET any -> [35.209.123.246] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234167/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234167; rev:1;) alert tcp $HOME_NET any -> [34.171.56.109] 6667 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234166/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234166; rev:1;) alert tcp $HOME_NET any -> [34.123.166.220] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234164/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234164; rev:1;) alert tcp $HOME_NET any -> [34.123.166.220] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234165/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234165; rev:1;) alert tcp $HOME_NET any -> [157.230.175.190] 6595 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234163/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_24; classtype:trojan-activity; sid:91234163; rev:1;) alert tcp $HOME_NET any -> [89.247.50.125] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234162/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234162; rev:1;) alert tcp $HOME_NET any -> [8.130.82.167] 2087 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234161/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234161; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 4308 (msg:"ThreatFox BianLian botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234160; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yop918kiss.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234158; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736632.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319556.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234157; rev:1;) alert tcp $HOME_NET any -> [34.34.149.44] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234155; rev:1;) alert tcp $HOME_NET any -> [89.223.124.74] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234156/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234156; rev:1;) alert tcp $HOME_NET any -> [38.147.170.29] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234154; rev:1;) alert tcp $HOME_NET any -> [117.85.8.12] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234153; rev:1;) alert tcp $HOME_NET any -> [154.12.28.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234152; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"stupefied-wing.37-220-86-100.plesk.page"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234151/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_24; classtype:trojan-activity; sid:91234151; rev:1;) alert tcp $HOME_NET any -> [195.242.218.22] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexs404.fvds.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234149; rev:1;) alert tcp $HOME_NET any -> [94.156.65.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234148; rev:1;) alert tcp $HOME_NET any -> [193.233.255.253] 8080 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234147; rev:1;) alert tcp $HOME_NET any -> [185.224.81.252] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234146; rev:1;) alert tcp $HOME_NET any -> [193.233.254.6] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234145; rev:1;) alert tcp $HOME_NET any -> [49.13.130.129] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234143/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234143; rev:1;) alert tcp $HOME_NET any -> [93.123.39.88] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234144; rev:1;) alert tcp $HOME_NET any -> [89.23.100.205] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234142; rev:1;) alert tcp $HOME_NET any -> [87.98.185.175] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234141; rev:1;) alert tcp $HOME_NET any -> [197.119.135.90] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234140; rev:1;) alert tcp $HOME_NET any -> [154.244.175.192] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234139; rev:1;) alert tcp $HOME_NET any -> [161.97.102.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234138; rev:1;) alert tcp $HOME_NET any -> [45.77.112.196] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234137; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev5.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234136; rev:1;) alert tcp $HOME_NET any -> [93.123.39.169] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234135; rev:1;) alert tcp $HOME_NET any -> [179.13.3.199] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234134; rev:1;) alert tcp $HOME_NET any -> [103.234.72.213] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234132; rev:1;) 
alert tcp $HOME_NET any -> [47.108.228.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234133; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234131/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234131; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234130/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234130; rev:1;) alert tcp $HOME_NET any -> [20.237.111.240] 8444 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234129/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234129; rev:1;) alert tcp $HOME_NET any -> [64.23.154.205] 30099 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234128/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_24; classtype:trojan-activity; sid:91234128; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234127; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234126; rev:1;) alert tcp $HOME_NET any -> [43.248.188.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234125; rev:1;) alert tcp $HOME_NET any -> [192.227.165.82] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234124; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.w33s1.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234123; rev:1;) alert tcp $HOME_NET any -> [52.74.58.193] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234122/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234122; rev:1;) alert tcp $HOME_NET any -> 
[41.216.183.116] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234121/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234121; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 18912 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_24; classtype:trojan-activity; sid:91234120; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1926 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234119/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234119; rev:1;) alert tcp $HOME_NET any -> [3.75.178.44] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234118/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_24; classtype:trojan-activity; sid:91234118; rev:1;) alert tcp $HOME_NET any -> [219.92.90.51] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234104; rev:1;) alert tcp $HOME_NET any -> [5.188.86.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234103/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234103; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zx.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/remove"; depth:7; nocase; http.host; content:"zx.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profile"; depth:8; nocase; http.host; content:"as.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234098; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"as.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234099; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qw.reg32.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1234097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profile"; depth:8; nocase; http.host; content:"qw.reg32.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234096; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234095; rev:1;) alert tcp $HOME_NET any -> [3.127.59.75] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234094; rev:1;) alert tcp $HOME_NET any -> [3.127.253.86] 19378 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234093; rev:1;) alert tcp $HOME_NET any -> [45.77.43.90] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234092/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91234092; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 9443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234091/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234091; rev:1;) alert tcp $HOME_NET any -> [176.96.138.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234089; rev:1;) alert tcp $HOME_NET any -> [47.154.165.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234088/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234088; rev:1;) alert tcp $HOME_NET any -> [85.54.165.23] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234087; rev:1;) alert tcp $HOME_NET any -> [2.6.248.148] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234086; rev:1;) alert tcp $HOME_NET any -> [69.156.55.183] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234085; rev:1;) alert tcp $HOME_NET any -> [201.137.233.225] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234084; rev:1;) alert tcp $HOME_NET any -> [175.110.196.163] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234083; rev:1;) alert tcp $HOME_NET any -> [90.4.191.148] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234082; rev:1;) alert tcp $HOME_NET any -> [45.150.198.25] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234081/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234081; rev:1;) alert tcp $HOME_NET any -> [154.118.230.142] 30098 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234080/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234080; rev:1;) alert tcp $HOME_NET any -> [64.23.170.203] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234079/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234079; rev:1;) alert tcp $HOME_NET any -> [64.23.170.203] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234078/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"193.233.132.152"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234077; rev:1;) alert tcp $HOME_NET any -> [107.174.142.70] 10090 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234076/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91234076; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba91ff2f6a996325.php"; depth:21; nocase; http.host; content:"185.17.40.133"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234075; rev:1;) alert tcp $HOME_NET any -> [43.136.58.193] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234074/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234074; rev:1;) alert tcp $HOME_NET any -> [5.42.66.0] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234073/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91234073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud-dnssync.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234072; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234071; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.xiongge.space"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"114.115.220.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"zcasscasszcasz.site"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234060/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"cascsasacsacascasca.pics"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"qweqweqweqweqweq.tech"; depth:21; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234062/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"asdasdasdasdasad.pw"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234063/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"aysgduyasgduyas.store"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234064/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"aksjdhsakdhakjshd.online"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234065/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"cascacascascascascas.hk"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234066/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_23; classtype:trojan-activity; sid:91234066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtbiytaymtk0nzjj/"; depth:18; nocase; http.host; content:"qweqweqweqweqwewww.hk"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234067/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91234067; rev:1;) alert tcp $HOME_NET any -> [94.156.67.176] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234059; rev:1;) alert tcp $HOME_NET any -> [5.101.0.245] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/check"; depth:6; nocase; http.host; content:"secure-cama.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1234057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234057; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234056/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_23; classtype:trojan-activity; sid:91234056; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234055; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234054; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 14834 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234053; rev:1;) alert tcp $HOME_NET any -> [178.128.122.83] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234052; rev:1;) alert tcp $HOME_NET any -> [88.94.183.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234051; rev:1;) alert tcp $HOME_NET any -> [18.194.27.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234050; rev:1;) alert tcp $HOME_NET any -> [119.91.26.109] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234049; rev:1;) alert tcp $HOME_NET any -> [193.35.204.6] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234048; rev:1;) alert tcp $HOME_NET any -> [139.60.151.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234047; rev:1;) alert tcp $HOME_NET any -> [139.60.151.21] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234046; rev:1;) alert tcp $HOME_NET any -> [98.66.153.140] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234045; rev:1;) alert tcp 
$HOME_NET any -> [111.229.206.244] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234044; rev:1;) alert tcp $HOME_NET any -> [79.137.36.193] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234043; rev:1;) alert tcp $HOME_NET any -> [121.41.118.76] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234042; rev:1;) alert tcp $HOME_NET any -> [152.53.34.44] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234041; rev:1;) alert tcp $HOME_NET any -> [104.238.214.68] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234040; rev:1;) alert tcp $HOME_NET any -> [34.34.149.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234039; rev:1;) alert tcp $HOME_NET any -> [172.177.39.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234038; rev:1;) alert tcp $HOME_NET any -> [188.166.156.32] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234037; rev:1;) alert tcp $HOME_NET any -> [170.64.210.158] 1724 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234036; rev:1;) alert tcp $HOME_NET any -> [85.215.180.148] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234035; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expedia-realtime.expeida.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234033; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.dnl-l.ooguy.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234034; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234032; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.deenpel.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234030; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"onboarding.expeida.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234031; rev:1;) alert tcp $HOME_NET any -> [180.178.44.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234029; rev:1;) alert tcp $HOME_NET any -> [180.178.44.238] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234028; rev:1;) alert tcp $HOME_NET any -> [180.178.44.234] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234027; rev:1;) alert tcp $HOME_NET any -> [180.178.44.235] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234025; rev:1;) alert tcp $HOME_NET any -> [8.219.171.176] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234026; rev:1;) alert tcp $HOME_NET any -> [180.178.44.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234024; rev:1;) alert tcp $HOME_NET any -> [61.171.80.71] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91234023; rev:1;) alert tcp $HOME_NET any -> [37.220.86.100] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234022/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91234022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2-58-113-172.cprapid.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234021; rev:1;) alert tcp $HOME_NET any -> [102.50.247.129] 84 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234020; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"f0867029.xsph.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1234019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234019; rev:1;) alert tcp $HOME_NET any -> [18.206.73.190] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234018; rev:1;) alert tcp $HOME_NET any -> [91.92.255.42] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234017; rev:1;) alert tcp $HOME_NET any -> [193.233.132.116] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234015; rev:1;) alert tcp $HOME_NET any -> [91.212.166.206] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234016; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 56323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234014; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 51783 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234013; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 51091 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91234012; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234010; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 9205 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234011; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 62491 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234009; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 48106 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234008; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 25050 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234007; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 6362 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1234005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234005; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 18029 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234006; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 1080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234004; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 63889 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234002; rev:1;) alert tcp $HOME_NET any -> [105.75.30.83] 502 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234003; rev:1;) alert tcp $HOME_NET any -> [103.97.177.62] 8888 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234001; rev:1;) alert tcp $HOME_NET any -> [103.164.62.9] 6666 (msg:"ThreatFox Venom RAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1234000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91234000; rev:1;) alert tcp $HOME_NET any -> [45.88.9.100] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233999; rev:1;) alert tcp $HOME_NET any -> [98.71.223.72] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233998; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lmanage.net"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233997; rev:1;) alert tcp $HOME_NET any -> [4.246.234.87] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233996; rev:1;) alert tcp $HOME_NET any -> [92.118.235.253] 4545 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233995; rev:1;) alert tcp $HOME_NET any -> [187.101.166.245] 5000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233994; rev:1;) alert tcp $HOME_NET any -> [194.147.140.134] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233993; rev:1;) alert tcp $HOME_NET any -> [45.147.231.88] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233992; rev:1;) alert tcp $HOME_NET any -> [59.14.118.202] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233991; rev:1;) alert tcp $HOME_NET any -> [181.162.155.84] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233990; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev6.fvds.ru"; depth:25; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233989; rev:1;) alert tcp $HOME_NET any -> [91.107.125.148] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233988; rev:1;) alert tcp $HOME_NET any -> [185.250.243.209] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233987; rev:1;) alert tcp $HOME_NET any -> [78.111.89.2] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233986; rev:1;) alert tcp $HOME_NET any -> [54.255.57.58] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233985; rev:1;) alert tcp $HOME_NET any -> [94.250.253.1] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233984; rev:1;) alert tcp $HOME_NET any -> [193.201.126.69] 45632 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233983; rev:1;) alert tcp $HOME_NET any -> [4.198.112.20] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233981; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"snf-893982.vm.okeanos.grnet.gr"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233982; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159.89.8.28.sslip.io"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233980; rev:1;) alert tcp $HOME_NET any -> [142.67.130.172] 31415 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233979; rev:1;) alert tcp $HOME_NET any -> [104.243.37.176] 6666 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233978; rev:1;) alert tcp $HOME_NET any -> [8.222.130.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233977; rev:1;) alert tcp $HOME_NET any -> [119.45.17.224] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233976; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233975/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233975; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233974/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233974; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233973/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233973; rev:1;) alert tcp $HOME_NET any -> [27.44.204.219] 22003 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233972/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233972; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233970/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233970; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233971/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233971; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233969/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233969; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233967/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233967; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233968/; target:src_ip; metadata: confidence_level 90, first_seen 
2024_01_23; classtype:trojan-activity; sid:91233968; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233966/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233966; rev:1;) alert tcp $HOME_NET any -> [27.44.204.161] 22001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233965/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233965; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233964/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233964; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233963/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233963; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233962/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233962; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1233961/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233961; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233960/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"ip-89-38-131-70-98573.vps.hosted-by-mvps.net"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233959/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233959; rev:1;) alert tcp $HOME_NET any -> [27.44.204.229] 22000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233958/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233958; rev:1;) alert tcp $HOME_NET any -> [46.101.202.59] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233957/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233957; rev:1;) alert tcp $HOME_NET any -> [95.164.69.179] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233956/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233956; rev:1;) alert tcp 
$HOME_NET any -> [185.196.9.214] 53 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233955/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_23; classtype:trojan-activity; sid:91233955; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233953; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2211 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233954; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233951; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1633 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233952; rev:1;) alert tcp $HOME_NET any -> [93.67.167.104] 88 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233950/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233950; rev:1;) alert tcp $HOME_NET any -> [105.98.159.141] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233949; rev:1;) alert tcp $HOME_NET any -> [103.165.81.82] 10086 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233948/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91233948; rev:1;) alert tcp $HOME_NET any -> [46.101.82.184] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233946; rev:1;) alert tcp $HOME_NET any -> [8.130.81.128] 8787 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233947; rev:1;) alert tcp $HOME_NET any -> [82.157.255.112] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233945; rev:1;) alert tcp $HOME_NET any -> [47.243.207.204] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233944; rev:1;) alert tcp $HOME_NET any -> [94.156.66.233] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233943; rev:1;) alert tcp $HOME_NET any -> [5.35.88.39] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233942; rev:1;) alert tcp $HOME_NET any -> [119.3.190.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233941; rev:1;) alert tcp $HOME_NET any -> [39.98.174.154] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233940; rev:1;) alert tcp $HOME_NET any -> [103.251.89.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233939; rev:1;) alert tcp $HOME_NET any -> [43.138.182.25] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233938; rev:1;) alert tcp $HOME_NET any -> [47.92.153.72] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233937; rev:1;) alert tcp $HOME_NET any -> [166.1.190.118] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233936; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233934; rev:1;) alert tcp $HOME_NET any -> [49.232.149.43] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233935; rev:1;) alert tcp $HOME_NET any -> [43.138.148.85] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233933; rev:1;) alert tcp $HOME_NET any -> [43.138.62.36] 7001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233932; rev:1;) alert tcp $HOME_NET any -> [107.172.89.198] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233931; rev:1;) alert tcp $HOME_NET any -> [148.135.67.51] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233930; rev:1;) alert tcp $HOME_NET any -> [152.136.116.44] 8096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233929; rev:1;) alert tcp $HOME_NET any -> [85.195.79.163] 9854 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233927; rev:1;) alert tcp 
$HOME_NET any -> [103.158.36.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233928; rev:1;) alert tcp $HOME_NET any -> [47.104.232.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233926; rev:1;) alert tcp $HOME_NET any -> [148.135.99.106] 58000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233925; rev:1;) alert tcp $HOME_NET any -> [103.56.17.198] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233924; rev:1;) alert tcp $HOME_NET any -> [39.100.78.58] 9823 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233923; rev:1;) alert tcp $HOME_NET any -> [115.159.204.229] 10786 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233922; rev:1;) alert tcp $HOME_NET any -> [98.66.155.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233920; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"107-172-89-198.nip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233921; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.idn15r69vh3fwhzclfoeuaoy.today"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233919; rev:1;) alert tcp $HOME_NET any -> [139.84.229.159] 2017 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233918/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_23; classtype:trojan-activity; sid:91233918; rev:1;) alert tcp $HOME_NET any -> [91.92.243.16] 6269 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233909; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"macgains.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233910; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u6vhsc3ppq/index.php"; depth:21; nocase; http.host; content:"185.172.128.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233902; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f7vkbh7x/index.php"; depth:19; nocase; http.host; content:"5.42.66.0"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233903; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jd9dd3vw/index.php"; depth:19; nocase; http.host; content:"second.amadgood.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f5dkvdsbc/index.php"; depth:20; nocase; 
http.host; content:"dot.tipinfolist.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233905; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.109.58.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"120.55.12.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233916; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"dig.fuli-oa.cn"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233915; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"buy-dnd.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233914; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"buy-dnd.shop"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"service-2o2bxyq2-1308102940.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2o2bxyq2-1308102940.gz.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233912; rev:1;) alert tcp $HOME_NET any -> [72.11.158.94] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233908; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233907/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233907; rev:1;) alert tcp $HOME_NET any -> [3.75.178.44] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233906/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233906; rev:1;) alert tcp $HOME_NET any -> [175.178.225.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233901; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"175.178.225.71"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233900; rev:1;) alert tcp $HOME_NET any -> [103.251.89.93] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoftwindows.one"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233898; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"microsoftwindows.one"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233897; rev:1;) alert tcp $HOME_NET any -> [212.231.198.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.82.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"122.51.68.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233894; rev:1;) alert tcp $HOME_NET any -> [54.218.66.207] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233893/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233893; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jogard.duckdns.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233892; rev:1;) alert tcp $HOME_NET any -> [91.92.255.54] 6513 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233891; rev:1;) alert tcp $HOME_NET any -> [139.99.153.82] 80 (msg:"ThreatFox Loki Password Stealer (PWS) botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233890/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233890; rev:1;) alert tcp $HOME_NET any -> [65.109.242.152] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233887; rev:1;) alert tcp $HOME_NET any -> [49.12.118.185] 2920 
(msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.118.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bogotatg"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199621829149"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233884; rev:1;) alert tcp $HOME_NET any -> [89.230.242.214] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233883/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233883; rev:1;) alert tcp $HOME_NET any -> [80.92.204.239] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233882/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pp/fre.php"; depth:11; nocase; http.host; content:"139.99.153.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233879; rev:1;) alert tcp $HOME_NET any -> [124.220.164.254] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233880; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1233878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233878; rev:1;) alert tcp $HOME_NET any -> [8.140.147.149] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233877/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233877; rev:1;) alert tcp $HOME_NET any -> [94.156.65.121] 65517 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233860; rev:1;) alert tcp $HOME_NET any -> [212.116.121.37] 24092 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"de.zephyr.herominers.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-cs/cache.php"; depth:17; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233563/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_23; classtype:trojan-activity; sid:91233563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"appboltonik.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233564; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 51033 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233772; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 51144 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233773; rev:1;) alert tcp $HOME_NET any -> [176.124.32.39] 52997 (msg:"ThreatFox SpyBanker botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; 
classtype:trojan-activity; sid:91233562; rev:1;) alert tcp $HOME_NET any -> [5.181.156.45] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233561; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"appboltonik.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233560; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"suezey.com"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233558; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; 
http.host; content:"128.140.85.191"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233557; rev:1;) alert tcp $HOME_NET any -> [20.113.35.45] 38357 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233504; rev:1;) alert tcp $HOME_NET any -> [77.91.124.92] 3989 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233494; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"duorhytm.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"epsilon-spaceworld.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233484; rev:1;) alert tcp $HOME_NET any -> [45.74.7.87] 8898 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233876/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_23; classtype:trojan-activity; sid:91233876; rev:1;) alert tcp $HOME_NET any -> [87.223.83.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233875/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233875; rev:1;) alert tcp $HOME_NET any -> [193.92.197.7] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233874/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233874; rev:1;) alert tcp $HOME_NET any -> [2.88.137.97] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233873/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233873; rev:1;) alert tcp $HOME_NET any -> [2.50.16.175] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233872/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233872; rev:1;) alert tcp $HOME_NET any -> [190.28.106.88] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233871/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233871; rev:1;) alert tcp $HOME_NET any -> [13.235.247.85] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233870/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233870; rev:1;) alert tcp $HOME_NET any -> [83.97.20.211] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233869/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233869; rev:1;) alert tcp $HOME_NET any -> [137.184.9.46] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233868/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233868; rev:1;) alert tcp $HOME_NET any -> [164.92.159.114] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233867/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233867; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233865/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233865; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233866/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233866; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233864/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233864; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233863/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_23; classtype:trojan-activity; sid:91233863; rev:1;) alert tcp $HOME_NET any -> [38.87.196.74] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233862/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233862; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2121 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233861/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233861; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1741 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233858/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233858; rev:1;) alert tcp $HOME_NET any -> [124.222.149.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91233857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.222.149.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_23; classtype:trojan-activity; sid:91233856; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1935 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233855/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233855; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2067 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233854; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2233 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233853; rev:1;) alert tcp $HOME_NET any -> [62.234.13.73] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233852/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233852; rev:1;) alert tcp $HOME_NET any -> [64.23.170.241] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233851/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233851; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1925 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233850/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233850; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233849/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233849; rev:1;) alert tcp $HOME_NET any -> [94.131.102.241] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233848/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233848; rev:1;) alert tcp $HOME_NET any -> [45.129.14.102] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233847/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; sid:91233847; rev:1;) alert tcp $HOME_NET any -> [125.141.136.172] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_23; classtype:trojan-activity; 
sid:91233846; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233845/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233845; rev:1;) alert tcp $HOME_NET any -> [120.55.12.41] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233843/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233843; rev:1;) alert tcp $HOME_NET any -> [212.113.116.110] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233842/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233842; rev:1;) alert tcp $HOME_NET any -> [138.201.125.92] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233841; rev:1;) alert tcp $HOME_NET any -> [103.214.141.206] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/search/"; depth:8; nocase; http.host; content:"156.253.12.10"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233839; rev:1;) alert tcp $HOME_NET any -> [163.5.169.23] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"163.5.169.23"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233837; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233836/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233836; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233835/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233835; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 12954 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/security.jsp"; depth:13; nocase; http.host; content:"162.14.77.157"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"121.89.212.43"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"113.250.188.15"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"1.116.74.174"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233830; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"172.67.158.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.su57.fun"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233827; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"104.21.41.14"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233828; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"api.su57.fun"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233826; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/zc"; depth:3; nocase; http.host; content:"service-8cdlt0mn-1310256589.bj.apigw.tencentcs.com"; depth:50; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233825; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"124.222.149.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233824; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233823; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233822; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233821/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233821; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2081 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233820/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233820; rev:1;) alert tcp $HOME_NET any -> [123.249.114.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233818/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c2b6ff67.php"; depth:13; nocase; http.host; content:"a0907744.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233817; rev:1;) alert tcp $HOME_NET any -> [167.71.214.56] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233816; rev:1;) alert tcp $HOME_NET any -> [2.88.193.91] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233815; rev:1;) alert tcp $HOME_NET any -> [151.30.60.232] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233814/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233814; rev:1;) alert tcp $HOME_NET any -> [37.210.138.173] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233813; rev:1;) alert tcp $HOME_NET any -> [72.27.66.189] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233812; rev:1;) alert tcp $HOME_NET any -> [74.12.146.79] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233811; rev:1;) alert tcp $HOME_NET any -> [39.51.167.185] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233810; rev:1;) alert tcp $HOME_NET any -> [188.116.26.246] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233809; rev:1;) alert tcp $HOME_NET any -> [75.173.35.32] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233808; rev:1;) alert tcp $HOME_NET any -> [31.117.79.172] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233807; rev:1;) alert tcp $HOME_NET any -> [92.97.118.181] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233806; rev:1;) alert tcp $HOME_NET any -> [78.17.205.246] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233805; rev:1;) alert tcp $HOME_NET any -> [45.150.198.36] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233804; rev:1;) alert tcp $HOME_NET any -> [5.188.228.15] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233803; rev:1;) alert tcp $HOME_NET any -> [168.119.225.154] 1194 
(msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233802; rev:1;) alert tcp $HOME_NET any -> [5.255.97.126] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233801; rev:1;) alert tcp $HOME_NET any -> [154.223.20.226] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233800; rev:1;) alert tcp $HOME_NET any -> [65.153.151.130] 8855 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233799; rev:1;) alert tcp $HOME_NET any -> [18.223.156.30] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.jsp"; depth:10; nocase; http.host; 
content:"service-8rv78e5d-1319481525.sh.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8rv78e5d-1319481525.sh.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233797; rev:1;) alert tcp $HOME_NET any -> [62.234.13.73] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"dig.fuli-oa.cn"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dig.fuli-oa.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233794; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lb341/index.php"; depth:16; nocase; http.host; content:"lbxl.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233792; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233770; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233769; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233768; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 14744 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233767; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233765/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233765; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233766; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233764; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 17000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233763; rev:1;) alert tcp $HOME_NET any -> [79.107.138.125] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.imoneymy.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"www.1319559.cc"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.2280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shangri3.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ritestowritemyword.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233757; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4160 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233755; rev:1;) alert tcp $HOME_NET any -> [104.198.39.197] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233756/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233756; rev:1;) alert tcp $HOME_NET any -> [138.197.116.212] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233754; rev:1;) alert tcp $HOME_NET any -> [89.90.226.9] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233753; rev:1;) alert tcp $HOME_NET any -> [34.102.111.222] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233751; rev:1;) alert tcp $HOME_NET any -> [96.255.55.18] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233752; rev:1;) alert tcp $HOME_NET any -> [167.0.190.97] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233750; rev:1;) alert tcp $HOME_NET any -> [3.92.62.149] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233749; rev:1;)
# NOTE(review): the ip:port rules in this batch are bare 5-tuple matches: no
# flow:established,to_server and no content match, so a single packet toward
# the listed IP:port (an unanswered SYN, a scanner probe, a browser hitting a
# recycled cloud address on 80/443) is enough to fire them. The
# "threshold: type limit, track by_src, seconds 60, count 1" only caps the
# noise at one alert per internal source per minute per rule; it does not
# add any confirmation that a session was established. target:src_ip tags
# the internal host as the victim in alert output.
# Several destinations are shared hosting / cloud addresses (sid 91233720 is
# the DNS name ec2-15-207-223-179.ap-south-1.compute.amazonaws.com and pairs
# with the 15.207.223.179:443 entry, sid 91233712); such addresses are
# reassigned over time, so read first_seen 2024_01_22 as the age of the
# evidence and expect false positives on shared infrastructure, especially
# the port 80/443/3333 entries.
# Every sid is the ThreatFox IOC id with a leading 9 (sid:91233748 <->
# threatfox.abuse.ch/ioc/1233748/), which is the handle to use in
# suppress/threshold.config entries when tuning individual entries.
alert tcp $HOME_NET any -> [195.35.25.208] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233748; rev:1;)
alert tcp $HOME_NET any -> [3.20.29.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233747; rev:1;)
alert tcp $HOME_NET any -> [15.237.194.170] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233746; rev:1;)
alert tcp $HOME_NET any -> [151.106.113.5] 37889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233745; rev:1;)
alert tcp $HOME_NET any -> [3.137.113.77] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233743; rev:1;)
alert tcp $HOME_NET any -> [34.16.187.219] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233744; rev:1;)
alert tcp $HOME_NET any -> [87.106.120.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233742; rev:1;)
alert tcp $HOME_NET any -> [128.199.30.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233741; rev:1;)
alert tcp $HOME_NET any -> [141.94.206.75] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233740; rev:1;)
alert tcp $HOME_NET any -> [198.46.199.103] 2052 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233739; rev:1;)
alert tcp $HOME_NET any -> [59.13.157.16] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233738; rev:1;)
alert tcp $HOME_NET any -> [18.215.223.59] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233737; rev:1;)
alert tcp $HOME_NET any -> [52.58.182.211] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233735; rev:1;)
alert tcp $HOME_NET any -> [52.58.182.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233736; rev:1;)
alert tcp $HOME_NET any -> [101.35.44.164] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233734; rev:1;)
alert tcp $HOME_NET any -> [44.194.64.43] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233733; rev:1;)
alert tcp $HOME_NET any -> [157.230.46.205] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233732; rev:1;)
alert tcp $HOME_NET any -> [134.122.36.184] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233731; rev:1;)
# NOTE(review): the dns rules inspect the query name (dns_query is the legacy
# spelling of the dns.query sticky buffer, presumably kept for older
# releases) and match it exactly: depth equals the pattern length and
# isdataat:!1,relative rejects any trailing byte. So "dnl-l.ooguy.com"
# (sid 91233721) does NOT cover its subdomains; cpanel., cpcalendars.,
# webmail. and www. each carry their own sid. A lookup fires the rule
# whether or not it resolves, which is useful for catching dormant beacons
# but means sinkholed or expired names keep alerting.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.dnl-l.ooguy.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233730; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mediaim.expeida.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233728; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcalendars.dnl-l.ooguy.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233729; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"expedia-rest.expeida.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233726; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oms.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233727; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.deenpel.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233724; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vap.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233725; rev:1;)
alert tcp $HOME_NET any -> [192.119.110.233] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233723; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnl-l.ooguy.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233721; rev:1;)
alert tcp $HOME_NET any -> [192.119.110.233] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233722; rev:1;)
# NOTE(review): this is a provider-assigned EC2 public hostname, not an
# attacker-registered domain; it follows the instance's public IP, so once
# 15.207.223.179 is released the name belongs to whoever gets the address
# next. Pair it with sid 91233712 (the ip:port entry) when reviewing hits.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-207-223-179.ap-south-1.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233720; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webmail.dnl-l.ooguy.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233718; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.expeida.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233719; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.dnl-l.ooguy.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233716; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"redirect-r1.pay.expeida.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233717; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.pay.expeida.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233715; rev:1;)
alert tcp $HOME_NET any -> [143.198.64.151] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233713; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hwsrv-1125909.hostwindsdns.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233714; rev:1;)
alert tcp $HOME_NET any -> [15.207.223.179] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233712; rev:1;)
alert tcp $HOME_NET any -> [188.166.209.186] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233711; rev:1;)
alert tcp $HOME_NET any -> [154.9.26.245] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233710; rev:1;)
alert tcp $HOME_NET any -> [58.59.222.18] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233709; rev:1;)
alert tcp $HOME_NET any -> [23.95.41.74] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233708; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"downhimse.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233706; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cdnupdateservice.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233707; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intro.su"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233705; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shikkiy.fvds.ru"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233703; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gptchatpro.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233704; rev:1;)
alert tcp $HOME_NET any -> [188.120.232.53] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233702; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.r4dc3btbyzip0edkbykb1qteulwb.de"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233701; rev:1;)
alert tcp $HOME_NET any -> [103.74.100.192] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233700; rev:1;)
alert tcp $HOME_NET any -> [54.242.198.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233699; rev:1;)
alert tcp $HOME_NET any -> [18.213.145.76] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233698; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kharej.goldelya.tech"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233697; rev:1;)
alert tcp $HOME_NET any -> [20.25.180.188] 8889 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233696; rev:1;)
alert tcp $HOME_NET any -> [193.233.254.64] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233695; rev:1;)
# NOTE(review): port 22 on a C2 entry means any SSH attempt to this host
# alerts, including a legitimate admin session if the address is ever
# reassigned; there is no content check distinguishing DCRat from SSH.
alert tcp $HOME_NET any -> [45.131.108.123] 22 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233694; rev:1;)
# NOTE(review): twelve Venom RAT entries (sids 91233682-91233693) share the
# single host 176.40.9.245 and differ only by port. If this host needs
# tuning, a threshold/suppress keyed on the IP is simpler than twelve sid
# entries; conversely, a beacon to a port not in this list is still missed.
alert tcp $HOME_NET any -> [176.40.9.245] 63523 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233693; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 44861 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233692; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 44467 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233691; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 20201 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233689; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 37262 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233690; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 7375 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233688; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 60845 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233686; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 1231 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233687; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 51178 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233685; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 28389 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233683; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 44369 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233684; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 22081 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233682; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cooltk.asia"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233681; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jamesdesign.blog"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233679; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"longkey.02561854.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233680; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ha.redethics.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233678; rev:1;)
alert tcp $HOME_NET any -> [103.149.91.138] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233676; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lucarne-films.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233677; rev:1;)
alert tcp $HOME_NET any -> [192.46.228.106] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233675; rev:1;)
alert tcp $HOME_NET any -> [98.71.223.72] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233674; rev:1;)
alert tcp $HOME_NET any -> [118.195.235.103] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233672; rev:1;)
alert tcp $HOME_NET any -> [139.159.221.73] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233673; rev:1;)
alert tcp $HOME_NET any -> [154.12.30.94] 8880 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233671; rev:1;)
alert tcp $HOME_NET any -> [191.82.193.90] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233670; rev:1;)
alert tcp $HOME_NET any -> [181.162.142.77] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233668; rev:1;)
alert tcp $HOME_NET any -> [107.172.76.140] 8080 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233669; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.103] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233667; rev:1;)
alert tcp $HOME_NET any -> [73.72.200.242] 8081 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233666; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpcontacts.94-156-66-187.cprapid.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233665; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov5.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233663; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"beta.to-kgb.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233664; rev:1;)
# NOTE(review): the Hook entries below are all plain port 80 and three of
# them sit in the same /24 (93.123.39.4, .77, .107). A bare TCP match on
# port 80 to a hosting address will also fire on a proxy health check or a
# crawler; correlate with the http.host / URI rules for the same hosts before
# escalating.
alert tcp $HOME_NET any -> [94.250.254.234] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233662; rev:1;)
alert tcp $HOME_NET any -> [46.29.239.26] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233661; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev5.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233659; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.spacestar.su"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233660; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"matthiasellison.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233658; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov2.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233657; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.kasenmeyer.autos"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233655; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jakobtaylor.autos"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233656; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nickbaseev.fvds.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233653; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whm.94-156-66-187.cprapid.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233654; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emileewang.autos"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233651; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jakobtaylor.autos"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233652; rev:1;)
alert tcp $HOME_NET any -> [159.100.22.120] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233650; rev:1;)
alert tcp $HOME_NET any -> [91.92.255.52] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233649; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.4] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233647; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.77] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233648; rev:1;)
alert tcp $HOME_NET any -> [143.244.191.193] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233646; rev:1;)
alert tcp $HOME_NET any -> [185.172.128.82] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233645; rev:1;)
alert tcp $HOME_NET any -> [45.87.80.164] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233644; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.107] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233643; rev:1;)
alert tcp $HOME_NET any -> [86.110.194.125] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233642; rev:1;)
alert tcp $HOME_NET any -> [5.189.132.250] 3000 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233641; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.124] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233640/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-hawking.159-89-8-28.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233639; rev:1;) alert tcp $HOME_NET any -> [45.74.34.32] 1994 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233638; rev:1;) alert tcp $HOME_NET any -> [45.80.158.60] 2003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233637; rev:1;) alert tcp $HOME_NET any -> [45.80.158.60] 2004 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233636; rev:1;) alert tcp $HOME_NET any -> [1.14.206.144] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233634; rev:1;) alert tcp $HOME_NET any -> [193.142.59.177] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elofizetesitearea.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233633; rev:1;) alert tcp $HOME_NET any -> [141.255.156.121] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233632; rev:1;) alert tcp $HOME_NET any -> [91.92.240.159] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233631; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233630; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233629; rev:1;) alert tcp $HOME_NET any -> [207.32.219.78] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233628; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233626; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233627; rev:1;) alert tcp $HOME_NET any -> [181.235.94.107] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233625; rev:1;) alert tcp $HOME_NET any -> [91.109.186.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233623; rev:1;) alert tcp $HOME_NET any -> [181.235.94.107] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1233624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233624; rev:1;) alert tcp $HOME_NET any -> [187.24.65.44] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233622; rev:1;) alert tcp $HOME_NET any -> [91.109.182.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233620; rev:1;) alert tcp $HOME_NET any -> [141.255.156.150] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233621; rev:1;) alert tcp $HOME_NET any -> [154.91.255.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233619; rev:1;) alert tcp $HOME_NET any -> [155.138.154.203] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233618/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233618; rev:1;) alert tcp $HOME_NET any -> [27.44.204.144] 22005 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233617/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233617; rev:1;) alert tcp $HOME_NET any -> [27.44.204.233] 22002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233616/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233616; rev:1;) alert tcp $HOME_NET any -> [141.98.7.18] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233615/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233615; rev:1;) alert tcp $HOME_NET any -> [143.110.252.207] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233614/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_22; classtype:trojan-activity; sid:91233614; rev:1;) alert tcp $HOME_NET any -> [103.45.128.143] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233613/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233613; rev:1;) alert tcp $HOME_NET any -> [43.136.78.18] 8000 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233612/; target:src_ip; metadata: confidence_level 75, first_seen 
2024_01_22; classtype:trojan-activity; sid:91233612; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233611; rev:1;) alert tcp $HOME_NET any -> [122.51.232.227] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233610; rev:1;) alert tcp $HOME_NET any -> [154.31.26.97] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233609; rev:1;) alert tcp $HOME_NET any -> [147.182.234.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233608; rev:1;) alert tcp $HOME_NET any -> [47.96.70.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233606; rev:1;) alert tcp $HOME_NET any -> [52.148.136.164] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233607; rev:1;) alert tcp $HOME_NET any -> [118.195.247.92] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233605; rev:1;) alert tcp $HOME_NET any -> [207.148.88.228] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233604; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233602; rev:1;) alert tcp $HOME_NET any -> [118.24.128.204] 8021 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233603; rev:1;) alert tcp $HOME_NET any -> [148.135.74.234] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233601; rev:1;) 
alert tcp $HOME_NET any -> [43.139.60.87] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233600; rev:1;) alert tcp $HOME_NET any -> [116.204.88.137] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233599; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233597; rev:1;) alert tcp $HOME_NET any -> [81.70.43.159] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233598; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233596; rev:1;) alert tcp $HOME_NET any -> [101.36.111.175] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233595; rev:1;) alert tcp $HOME_NET any -> [64.23.174.74] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233594; rev:1;) alert tcp $HOME_NET any -> [124.70.140.36] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233593; rev:1;) alert tcp $HOME_NET any -> [60.204.134.21] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233592; rev:1;) alert tcp $HOME_NET any -> [43.136.58.193] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233591; rev:1;) alert tcp $HOME_NET any -> [157.230.44.125] 42340 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233590; rev:1;) alert tcp $HOME_NET any -> [91.92.255.230] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233588; rev:1;) alert tcp $HOME_NET any -> [45.144.29.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233589; rev:1;) alert tcp $HOME_NET any -> [206.237.23.96] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233587; rev:1;) alert tcp $HOME_NET any -> [206.237.23.96] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233586; rev:1;) alert tcp $HOME_NET any -> [47.109.70.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233585; rev:1;) alert tcp $HOME_NET any -> [82.146.63.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233584/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233584; rev:1;) alert tcp $HOME_NET any -> [172.96.185.119] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233583; rev:1;) alert tcp $HOME_NET any -> [1.94.17.115] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233582; rev:1;) alert tcp $HOME_NET any -> [139.84.137.249] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233581; rev:1;) alert tcp $HOME_NET any -> [47.108.115.174] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233579; rev:1;) alert tcp $HOME_NET any -> [8.130.12.76] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233580; rev:1;) alert tcp $HOME_NET any -> [116.62.123.217] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233578; rev:1;) alert tcp $HOME_NET any -> [47.99.171.179] 7000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233577; rev:1;) alert tcp $HOME_NET any -> [123.253.108.131] 8999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233576; rev:1;) alert tcp $HOME_NET any -> [81.70.163.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233575; rev:1;) alert tcp $HOME_NET any -> [134.122.164.213] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233574; rev:1;) alert tcp $HOME_NET any -> [148.135.4.219] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; 
sid:91233572; rev:1;) alert tcp $HOME_NET any -> [123.60.93.251] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233573; rev:1;) alert tcp $HOME_NET any -> [140.143.142.93] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233571; rev:1;) alert tcp $HOME_NET any -> [47.92.31.53] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233570; rev:1;) alert tcp $HOME_NET any -> [120.26.50.160] 9647 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233568; rev:1;) alert tcp $HOME_NET any -> [134.122.164.221] 5566 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233569; rev:1;) alert tcp $HOME_NET any -> [142.171.228.19] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1233567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233567; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.ciscointernship.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pythonsecurepacketauthgameservertemptemporary.php"; depth:50; nocase; http.host; content:"647249cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233565; rev:1;) alert tcp $HOME_NET any -> [94.156.66.203] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233556; rev:1;) alert tcp $HOME_NET any -> [18.220.59.241] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233555; rev:1;) alert tcp $HOME_NET any -> [20.104.172.62] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233554; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.tgu-future.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233552; rev:1;) alert tcp $HOME_NET any -> [119.91.214.104] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233553; rev:1;) alert tcp $HOME_NET any -> [45.32.94.53] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsb.checkinfomation.tk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dnsa.checkinfomation.tk"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233549; 
rev:1;) alert tcp $HOME_NET any -> [178.79.130.174] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"network-checkin.info"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233547; rev:1;) alert tcp $HOME_NET any -> [108.61.165.29] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.azurewinservice.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233545; rev:1;) alert tcp $HOME_NET any -> [139.59.239.123] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233544; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.triumphp.com"; 
depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.triumphp.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"123.56.217.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"45.152.67.162"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233538; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"xgcs.ceshi897.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"139.9.134.28"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heiyejiang.tpddns.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1233535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233535; rev:1;) alert tcp $HOME_NET any -> [125.70.238.155] 8123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233536; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"heiyejiang.tpddns.cn"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233534/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_22; classtype:trojan-activity; sid:91233534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/methon/scan"; depth:16; nocase; http.host; content:"43.136.71.208"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"110.42.248.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"194.32.149.227"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233531; rev:1;) alert tcp $HOME_NET any -> [103.186.67.227] 80 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233530; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1233529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233529; rev:1;) alert tcp $HOME_NET any -> [47.120.47.43] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"111.229.163.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233526; rev:1;) alert tcp $HOME_NET any -> [49.12.86.61] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233525/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; 
content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233524; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2667 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233523/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233523; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233522/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_22; classtype:trojan-activity; sid:91233522; rev:1;) alert tcp $HOME_NET any -> [193.222.96.21] 29871 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233521; rev:1;) alert tcp $HOME_NET any -> [121.40.175.169] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233520/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233520; rev:1;) alert tcp $HOME_NET any -> [154.36.187.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233519/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233519; rev:1;) alert tcp 
$HOME_NET any -> [212.70.106.243] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233518; rev:1;) alert tcp $HOME_NET any -> [85.110.187.176] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233517/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233517; rev:1;) alert tcp $HOME_NET any -> [72.27.133.57] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233516/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233516; rev:1;) alert tcp $HOME_NET any -> [45.150.198.47] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233515/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233515; rev:1;) alert tcp $HOME_NET any -> [195.90.223.120] 40056 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233514/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233514; rev:1;) alert tcp $HOME_NET any -> [34.142.44.93] 10443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233513/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233513; rev:1;) alert tcp $HOME_NET any -> [185.16.43.59] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233512/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233512; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.166.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233511; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.13.131.64"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233510; rev:1;) alert tcp $HOME_NET any -> [49.13.131.64] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233508; rev:1;) alert tcp $HOME_NET any -> [95.217.166.29] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; 
classtype:trojan-activity; sid:91233509; rev:1;) alert tcp $HOME_NET any -> [23.106.121.172] 2026 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233507; rev:1;) alert tcp $HOME_NET any -> [175.178.161.139] 6668 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233506; rev:1;) alert tcp $HOME_NET any -> [18.193.68.253] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233505; rev:1;) alert tcp $HOME_NET any -> [172.96.185.119] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233503; rev:1;) alert tcp $HOME_NET any -> [3.125.188.168] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233502; rev:1;) alert tcp $HOME_NET any -> [3.67.15.169] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1233501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233501; rev:1;) alert tcp $HOME_NET any -> [3.126.224.214] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233500; rev:1;) alert tcp $HOME_NET any -> [3.124.67.191] 10369 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233499; rev:1;) alert tcp $HOME_NET any -> [45.152.209.234] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233498; rev:1;) alert tcp $HOME_NET any -> [91.208.127.168] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233497/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_22; classtype:trojan-activity; sid:91233497; rev:1;) alert tcp $HOME_NET any -> [91.208.127.168] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_22; classtype:trojan-activity; sid:91233496; rev:1;) alert tcp $HOME_NET any -> [109.116.169.17] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233495/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_22; classtype:trojan-activity; sid:91233495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/panel/gate.php"; depth:21; nocase; http.host; content:"www.ventriocorp.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233493; rev:1;) alert tcp $HOME_NET any -> [91.92.254.204] 80 (msg:"ThreatFox Mars Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233492/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpprocessorlinuxwindowsflowertemptemporary.php"; depth:48; nocase; http.host; content:"691908cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233491; rev:1;) alert tcp $HOME_NET any -> [91.92.250.190] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233489/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233489; rev:1;) alert tcp $HOME_NET any -> 
[91.92.255.136] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233490/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233490; rev:1;) alert tcp $HOME_NET any -> [91.92.251.172] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233488/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91233488; rev:1;) alert tcp $HOME_NET any -> [38.181.15.1] 28294 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e42a6515.php"; depth:13; nocase; http.host; content:"a0908021.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1233485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91233485; rev:1;) alert tcp $HOME_NET any -> [112.74.184.37] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1233483/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91233483; rev:1;) alert tcp $HOME_NET any -> [106.55.179.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/gate.php"; depth:9; nocase; http.host; content:"fygbib44.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232551; rev:1;) alert tcp $HOME_NET any -> [141.255.159.169] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpsqlauth/trackdatalife/datalifecdn/videotemp6/processorauth8/better3/3/2auth3/low/testwp4_/protonapiwordpresspoll/proton/javascriptrequestprotectuniversalpubliccentraluploads.php"; depth:181; nocase; http.host; content:"185.221.198.108"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232544; rev:1;) alert tcp $HOME_NET any -> [173.249.202.75] 5200 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232543; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"8.219.229.99"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.222.82.248"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"91.92.249.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/www/handle/doc"; depth:15; nocase; http.host; content:"150.158.181.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232538; rev:1;) alert tcp $HOME_NET any -> [192.121.82.119] 5553 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232537; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232536; rev:1;) alert tcp $HOME_NET any -> [138.124.180.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sys.tcc-internal.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232534; rev:1;) alert tcp $HOME_NET any -> [5.188.88.54] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1232533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232533; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.104.179.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232532; rev:1;) alert tcp $HOME_NET any -> [20.234.71.164] 1021 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232531; rev:1;) alert tcp $HOME_NET any -> [163.5.64.15] 57844 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232530; rev:1;) alert tcp $HOME_NET any -> [54.242.225.0] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232529; rev:1;) alert tcp $HOME_NET any -> [201.230.41.34] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; 
classtype:trojan-activity; sid:91232528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.105"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"185.103.101.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; 
classtype:trojan-activity; sid:91232523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"185.103.101.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232524; rev:1;) alert tcp $HOME_NET any -> [185.103.101.163] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232525; rev:1;) alert tcp $HOME_NET any -> [213.248.43.103] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232526; rev:1;) alert tcp $HOME_NET any -> [213.248.43.105] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232527/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232527; rev:1;)
# NOTE(review): www.miltonhouse.nl reads like an ordinary website whose PHP scripts are being
# abused (presumably a compromised host -- confirm on the IOC pages). Both rules are pinned to a
# specific path AND the exact host, so normal browsing of the site does not alert; do not widen
# this into a domain-level block without checking the IOC context.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/assets/js/xml.php"; depth:18; nocase; http.host; content:"www.miltonhouse.nl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232514; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pub/opt/processor.php"; depth:22; nocase; http.host; content:"www.miltonhouse.nl"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232516; rev:1;)
# Domain-only indicator at 50% confidence: treat a hit as a lead to triage, not as a verdict.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"evil-pinky.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232518/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232518; rev:1;)
alert tcp $HOME_NET any -> [94.130.130.51] 55 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232517; rev:1;)
alert tcp $HOME_NET any -> [37.186.127.9] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232515/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232515; rev:1;)
# NOTE(review): 187.135.91.206 gets one DarkComet rule per port (2082, 2077, 2052, 2004, 2003,
# 1801 here; 2095 and 2083 follow). Threshold state is per sid, so an internal host that tries
# several of these ports raises one alert per port within the same minute. A single rule with a
# port list would collapse them, but would break the 1:1 sid <-> ThreatFox IOC mapping this feed
# relies on (sid = 9 + IOC id); left as generated -- dedupe downstream if needed.
alert tcp $HOME_NET any -> [187.135.91.206] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232513/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232513; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232512/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232512; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232511; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232510; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232509/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232509; rev:1;)
alert tcp $HOME_NET any -> [187.135.91.206] 1801 (msg:"ThreatFox DarkComet botnet 
C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232508; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232507; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232506; rev:1;) alert tcp $HOME_NET any -> [62.68.55.25] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232505; rev:1;) alert tcp $HOME_NET any -> [54.173.139.166] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"109.107.178.133"; depth:15; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1232502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232502; rev:1;)
# "/ga.js" resembles a common analytics script name; the exact host pin on 175.178.14.59 is
# what keeps this from matching legitimate traffic.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"175.178.14.59"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232501; rev:1;)
alert tcp $HOME_NET any -> [146.70.158.220] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232497; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mcfupdservice.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232496; rev:1;)
# NOTE(review): a tenant subdomain under workers.dev (a shared serverless platform, judging by
# the suffix). The isdataat anchor makes this an exact-FQDN match, so the parent zone and other
# tenants are unaffected. The "mail-modp-gov-pk" label appears to imitate a government mail
# host -- looks like a phishing/credential lure rather than an implant C2; confirm on the IOC page.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-modp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232498; rev:1;)
alert tcp $HOME_NET any -> [18.156.13.209] 13957 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232500/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232500; rev:1;)
# Same non-standard port (13957) as 18.156.13.209 above -- plausibly the same operator's
# infrastructure; both addresses look like cloud-provider allocations (reassignable), so keep
# these as alert-only and re-check currency before blocking.
alert tcp $HOME_NET any -> [3.126.37.18] 13957 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232499; rev:1;)
# URI "/" depth:1 with no anchor matches any GET to this host; the exact host pin on 81.19.141.9
# carries the detection.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"81.19.141.9"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232495; rev:1;)
# NOTE(review): five "Hook" ip:port indicators on plain port 80 (80% confidence, IP-only, no
# HTTP content). Any TCP attempt from $HOME_NET to these addresses on 80 alerts.
alert tcp $HOME_NET any -> [212.98.224.58] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232494; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232493; rev:1;)
alert tcp $HOME_NET any -> [2.59.119.102] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232492; rev:1;)
alert tcp $HOME_NET any -> [93.123.39.86] 80 (msg:"ThreatFox Hook 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232491; rev:1;) alert tcp $HOME_NET any -> [93.123.39.85] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232490; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232489/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232489; rev:1;) alert tcp $HOME_NET any -> [91.92.241.54] 4782 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232488/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.fl0ating.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tianchengshengshi.cn"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232478/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tianchengshengshi.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232479; rev:1;)
# NOTE(review): firefox.wang -- one exact-match rule per listed label (www, www.autohome.com.cn,
# google, test, tz). The apex and any label not listed will NOT match because of the
# isdataat:!1,relative anchor. "www.autohome.com.cn.firefox.wang" embeds a real-looking site
# name as a subdomain, which is a look-alike pattern. If the whole zone is confirmed
# attacker-controlled, a complementary suffix rule (dns_query; content:".firefox.wang"; endswith;)
# would cover every label; not added here because this feed is generated 1:1 from IOCs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.firefox.wang"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.autohome.com.cn.firefox.wang"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"google.firefox.wang"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.firefox.wang"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232483; rev:1;)
alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tz.firefox.wang"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232484; rev:1;)
# NOTE(review): second and third rule for 91.92.248.67 (port 7707 at 75% appears earlier as sid
# 91232489). Ports 6606 and 8808 here are rated 100%; the same host therefore alerts under up to
# three sids depending on which port the client tries.
alert tcp $HOME_NET any -> [91.92.248.67] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232486; rev:1;)
alert tcp $HOME_NET any -> [91.92.248.67] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232485; rev:1;)
# jibril.cn: only the "mail" and "www" labels are listed; the apex is not covered by these rules.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.jibril.cn"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jibril.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s81141-tjqy.shzbkj.com"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232473; rev:1;)
# Name imitates a Microsoft security product ("windows-defender") -- a common lure/blend-in
# choice; exact-FQDN match on the hashed label only.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d0fe709e41.windows-defender.services"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232476; rev:1;)
# NOTE(review): endpoint on a shared CDN platform (judging by the azureedge.net suffix). The
# exact-FQDN anchor keeps this scoped to the one endpoint name, but such names can be released
# and re-registered by another tenant -- re-validate before enforcing, alert-only is safer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"medstar.azureedge.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232477; rev:1;)
# "/cm" depth:3 with no anchor is a prefix match ("/cmd", "/cms/..." also hit); the exact host
# pin on 124.221.198.68 scopes it. The same host has an ip:port rule for 443 right below, so
# both may fire for one implant.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.221.198.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232474; rev:1;)
alert tcp $HOME_NET any -> [124.221.198.68] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232475; rev:1;)
# NOTE(review): 50050 is commonly the Cobalt Strike team-server port that operator consoles
# connect to, not a beacon listener. A $HOME_NET host hitting it therefore looks more like an
# operator client (red team, insider, or a compromised jump host) than an implant -- triage it
# differently from the other Cobalt Strike alerts. Confirm against the IOC page.
alert tcp $HOME_NET any -> [123.60.57.13] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232470/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232470; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.67] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232469; rev:1;)
# NOTE(review): DUPLICATE DETECTION LOGIC. sids 91232468 (75%) and 91232467 (100%) match the
# identical request (GET /b18/fre.php to host sempersim.su); they differ only in the IOC id and
# confidence level, so every hit produces two alerts. Prefer keeping 91232467 and suppressing
# 91232468 in local threshold/suppress config; both are left here because the feed is generated
# 1:1 from IOC entries and sids map to IOC ids.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232468/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_21; classtype:trojan-activity; sid:91232468; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b18/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232467; rev:1;)
# ceshi897.cn: apex, "xgcs" and "www" labels each get an exact-match rule (next line continues).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xgcs.ceshi897.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceshi897.cn"; depth:11; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1232458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ceshi897.cn"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.upm8p8ooh1klfdfmgroup.top"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232460; rev:1;)
alert tcp $HOME_NET any -> [121.43.43.161] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232461; rev:1;)
# NOTE(review): per-tenant endpoint on a shared cloud API gateway (judging by the
# apigw.tencentcs.com suffix) -- the kind of name used to front a C2 behind a reputable domain.
# The exact-FQDN anchor scopes the rule to this one endpoint; the endpoint can be torn down and
# the name reissued, so treat as alert-only and re-validate periodically.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-8cdlt0mn-1310256589.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232462; rev:1;)
alert tcp $HOME_NET any -> [123.207.56.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232464/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_21; classtype:trojan-activity; sid:91232464; rev:1;)
alert tcp $HOME_NET any -> [47.113.205.124] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232463; rev:1;)
# Same pattern as the apigw.tencentcs.com entry above: a per-tenant API-gateway endpoint name
# (tencentapigw.com suffix); exact-FQDN match, reissuable name, alert-only recommended.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232465; rev:1;)
alert tcp $HOME_NET any -> [14.225.210.97] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"glock.monster"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232331; rev:1;)
# 24.137.215.159 and 72.142.102.158 (next rule) share the non-standard port 6677 and the same
# first_seen date -- plausibly one Cobalt Strike deployment; pivot on the port when triaging.
alert tcp $HOME_NET any -> [24.137.215.159] 6677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232334; rev:1;)
alert tcp $HOME_NET any -> [72.142.102.158] 6677 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1-tulalip.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1.dbgblack.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"panlinlin.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.panlinlin.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wishunter1.top"; depth:18; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1232340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232340; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"track.gocasio.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232339; rev:1;)
# NOTE(review): the nip.io names below embed the address 192.3.255.42 in the label
# ("192-3-255-42") -- nip.io is a wildcard-DNS service that resolves such names to the embedded
# IP, so the attacker can mint any number of labels without registering anything. Each label
# here gets its own exact-match rule (grpc, api, dashboard, and the bare label on the next
# line); an unlisted label will not match. The durable indicator is the IP itself, and no
# ip:port rule for 192.3.255.42 is visible in this part of the feed -- confirm it is covered
# elsewhere (or by a local rule) rather than relying on these names.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grpc.nm.192-3-255-42.nip.io"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232343; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.nm.192-3-255-42.nip.io"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232344; rev:1;)
# softether.net hostname -- presumably a dynamic-DNS name for a SoftEther VPN endpoint, so the
# address behind it can change; the name, not the IP, is the indicator here.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dsm-sea.softether.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232345; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dashboard.nm.192-3-255-42.nip.io"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232346/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232346; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"192-3-255-42.nip.io"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232347; rev:1;)
# NOTE(review): the hex label 32332e39352e39302e3633 decodes (ASCII) to "23.95.90.63", so this
# looks like another IP-encoding wildcard-DNS alias (same idea as nip.io above). The durable
# indicator is 23.95.90.63; no ip:port rule for it is visible in this part of the feed.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e39302e3633-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232348; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jjronaldo.club"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232349; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.mygooddream.cn"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232356; rev:1;)
# Very short name (8 bytes); the isdataat anchor plus depth:8 make it an exact match, so it
# cannot collide with longer names that merely start with "kstz5.cn".
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kstz5.cn"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232357; rev:1;)
alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn637782190.softether.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232358; rev:1;)
# NOTE(review): Cobalt Strike indicators on 445 (SMB) and 3389 (RDP). Outbound SMB/RDP from
# $HOME_NET to an arbitrary external address is anomalous regardless of the IOC; these ports
# should already be denied at egress, and a hit here deserves a look for lateral-movement or
# credential-relay tooling, not just beaconing. Whether the port is the beacon listener or the
# operator's own access path cannot be told from the rule -- check the IOC page.
alert tcp $HOME_NET any -> [45.93.20.242] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232365; rev:1;)
alert tcp $HOME_NET any -> [101.32.115.220] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232366; rev:1;)
# 250-byte URI matched with depth:250 (exact prefix). The generated-looking word-salad path is
# very specific but also brittle -- presumably per-build or per-campaign, so expect this rule
# to age out quickly; the host pin on 3.79.245.165 (a reassignable-looking address) is the
# longer-lived part, and even that should be re-validated before blocking.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/longpollsecure/7async5/wpcpulocalcpu/7geoprovider/5universal/cdntempdbjs/2requestsecureprotect/central/cdnmulti/generatorbetter2universal/6flowerapitrack/default/20/7api/updategenerator3geo/private/imagevmphpjs_sqlbaselocalcentraltemporary.php"; depth:250; nocase; http.host; content:"3.79.245.165"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232456; rev:1;)
# "Unknown malware", 50% confidence, IP-only: lead-quality, not block-quality.
alert tcp $HOME_NET any -> [123.254.107.235] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232455/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232455; rev:1;)
# NOTE(review): run of 50%-confidence, IP-only indicators on common service ports (995, 443,
# 445). At this confidence and age, treat as alert-only and review/retire on a schedule --
# addresses of this kind are frequently compromised or rented hosts that churn. QakBot C2 IPs
# in particular are presumably victim/proxy nodes rather than attacker-owned servers (confirm
# on the IOC pages), so a hit says little about the destination's current state.
alert tcp $HOME_NET any -> [167.56.198.104] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232454/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232454; rev:1;)
alert tcp $HOME_NET any -> [70.107.200.247] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232453/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232453; rev:1;)
# "Responder" on 445: the tool is normally an on-LAN LLMNR/NBT-NS poisoner and SMB capture
# server; an external 445 listener tagged this way is presumably an SMB credential-capture host
# (e.g. forced-authentication lure target). An outbound 445 attempt to it is itself a finding.
alert tcp $HOME_NET any -> [209.94.57.221] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232452/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232452; rev:1;)
alert tcp $HOME_NET any -> [52.76.234.184] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232451/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232451; rev:1;)
alert tcp $HOME_NET any -> [85.239.52.71] 7940 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232450/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232450; rev:1;)
alert tcp $HOME_NET any -> [18.183.137.140] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232449/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232449; rev:1;) alert tcp $HOME_NET any -> [70.39.90.80] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232448/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_21; classtype:trojan-activity; sid:91232448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"j6yla0n2hm.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232447; rev:1;) alert tcp $HOME_NET any -> [162.0.225.166] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232446; rev:1;) alert tcp $HOME_NET any -> [45.152.67.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232445/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_21; classtype:trojan-activity; sid:91232445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/externaleternalphpupdatetesttemporary.php"; depth:42; nocase; http.host; content:"192565cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232444; rev:1;) alert tcp $HOME_NET any -> [154.26.134.64] 25261 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232443; rev:1;) alert tcp $HOME_NET any -> [191.233.27.50] 5552 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_21; classtype:trojan-activity; sid:91232442; rev:1;) alert tcp $HOME_NET any -> [193.163.170.166] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232441/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232441; rev:1;) alert tcp $HOME_NET any -> [185.217.197.175] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232440; rev:1;) alert tcp $HOME_NET any -> [185.196.10.34] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232439/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232439; rev:1;) alert tcp $HOME_NET any -> [93.123.39.68] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232438; rev:1;) alert tcp $HOME_NET any -> [93.123.39.68] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232437/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/www/handle/doc"; depth:15; nocase; http.host; content:"47.106.230.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232436; rev:1;) alert tcp $HOME_NET any -> [162.19.192.193] 1555 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232435/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232435; rev:1;) alert tcp $HOME_NET any -> [43.138.41.32] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232434/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232434; rev:1;) alert tcp $HOME_NET any -> 
[3.127.253.86] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232433; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232432; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 10929 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232431; rev:1;) alert tcp $HOME_NET any -> [92.246.138.90] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232430/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232430; rev:1;) alert tcp $HOME_NET any -> [154.245.115.235] 80 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232429/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232429; rev:1;) alert tcp $HOME_NET any -> [77.105.166.247] 443 (msg:"ThreatFox solarmarker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232428/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232428; rev:1;) alert tcp $HOME_NET any -> [92.118.112.216] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232427/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232427; rev:1;) alert tcp $HOME_NET any -> [94.228.169.161] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232426/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232426; rev:1;) alert tcp $HOME_NET any -> [193.233.132.71] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232425/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232425; rev:1;) alert tcp $HOME_NET any -> [193.233.132.63] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232424/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232424; rev:1;) alert tcp $HOME_NET any -> [62.113.114.93] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232423; rev:1;) alert tcp $HOME_NET any -> [77.105.166.247] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232422/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232422; rev:1;) alert tcp $HOME_NET any -> [37.49.230.219] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232421/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232421; rev:1;) alert tcp $HOME_NET any -> [146.70.106.73] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232420/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232420; rev:1;) alert tcp $HOME_NET any -> [139.99.236.139] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232419/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232419; rev:1;) alert tcp $HOME_NET any -> [195.20.16.155] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232418/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232418; rev:1;) alert tcp $HOME_NET any -> [167.235.154.243] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232417/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232417; rev:1;) 
alert tcp $HOME_NET any -> [89.44.9.86] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232416; rev:1;) alert tcp $HOME_NET any -> [91.92.251.118] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232415/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232415; rev:1;) alert tcp $HOME_NET any -> [109.107.178.133] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232414; rev:1;) alert tcp $HOME_NET any -> [78.153.130.188] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232413; rev:1;) alert tcp $HOME_NET any -> [91.92.136.236] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232412; rev:1;) alert tcp $HOME_NET any -> [159.100.29.45] 80 (msg:"ThreatFox RecordBreaker botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232411/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232411; rev:1;) alert tcp $HOME_NET any -> [159.69.102.168] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232410; rev:1;) alert tcp $HOME_NET any -> [159.69.102.168] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232409; rev:1;) alert tcp $HOME_NET any -> [65.109.240.203] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232408/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232408; rev:1;) alert tcp $HOME_NET any -> [49.13.6.118] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232407/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232407; rev:1;) alert tcp $HOME_NET any -> [49.13.6.118] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232406/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232406; rev:1;) alert tcp $HOME_NET any -> [5.75.215.163] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 
80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232405/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232405; rev:1;) alert tcp $HOME_NET any -> [5.75.215.163] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232404/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232404; rev:1;) alert tcp $HOME_NET any -> [95.216.183.138] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232403/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232403; rev:1;) alert tcp $HOME_NET any -> [95.216.183.138] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232402/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232402; rev:1;) alert tcp $HOME_NET any -> [95.217.240.143] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232401/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232401; rev:1;) alert tcp $HOME_NET any -> [95.217.243.230] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232400/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232400; rev:1;) alert tcp $HOME_NET any -> 
[65.21.187.53] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232399/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232399; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/newfolder/index.php"; depth:20; nocase; http.host; content:"51.15.226.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232398; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/index.php"; depth:20; nocase; http.host; content:"185.196.10.34"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232397; rev:1;) alert tcp $HOME_NET any -> [185.16.39.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232396; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/traffic/apijavascriptprivatewindows/apitodb/asyncdb/secure3/central/low/processor/longpoll/trafficsql/privatevoiddbgenerator/updateline/javascriptsecuredatalife/linuxdb2/betterpacket/eternalimagevideopacketlinux.php"; depth:216; nocase; http.host; content:"46.29.237.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232395; rev:1;) alert tcp $HOME_NET any -> [138.197.36.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232394/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232394; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pub/fon/index.php"; depth:18; nocase; http.host; content:"cafirepacks.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232393; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cpuexternalphp/9update7private/579/securelongpollmultiwpuploads.php"; depth:68; nocase; http.host; content:"94.156.65.94"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232392; rev:1;) alert tcp $HOME_NET any -> [191.242.28.210] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1232391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232391; rev:1;) alert tcp $HOME_NET any -> [74.12.146.79] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232390/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232390; rev:1;) alert tcp $HOME_NET any -> [210.245.86.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232389/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232389; rev:1;) alert tcp $HOME_NET any -> [64.23.154.205] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232388/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232388; rev:1;) alert tcp $HOME_NET any -> [49.51.68.151] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232387/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232387; rev:1;) alert tcp $HOME_NET any -> [42.190.107.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232386/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"185.196.9.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"116.198.46.64"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232384; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"15.207.223.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232383; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232382; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"43.138.179.199"; 
depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232381; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232380; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232379; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232378; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"43.138.179.199"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; 
sid:91232377; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"150.158.181.243"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232376; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2016/12/51350824_"; depth:45; nocase; http.host; content:"163.5.169.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232373; rev:1;) alert tcp $HOME_NET any -> [74.48.162.145] 443 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"74.48.162.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"92.118.36.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232370; rev:1;) alert tcp $HOME_NET any -> [216.83.51.175] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"216.83.51.175"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; 
classtype:trojan-activity; sid:91232368; rev:1;) alert tcp $HOME_NET any -> [5.75.209.145] 443 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/937b6157.php"; depth:13; nocase; http.host; content:"edsfeejsdbfelefaubdiaslfedafd.000webhostapp.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232364; rev:1;) alert tcp $HOME_NET any -> [101.43.149.199] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232363/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232363; rev:1;) alert tcp $HOME_NET any -> [1.92.100.211] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232362/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.217.197.175"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232361/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_20; classtype:trojan-activity; sid:91232361; rev:1;) alert tcp $HOME_NET any -> [149.104.25.66] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232360/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232360; rev:1;) alert tcp $HOME_NET any -> [138.128.223.220] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232359/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232359; rev:1;) alert tcp $HOME_NET any -> [149.56.240.44] 2409 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232354/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232354; rev:1;) alert tcp $HOME_NET any -> [178.236.247.90] 4050 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232353; rev:1;) alert tcp $HOME_NET any -> [13.211.68.91] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232352/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232352; rev:1;) alert tcp $HOME_NET any -> [91.92.248.211] 12798 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232351; rev:1;) alert tcp $HOME_NET any -> [113.4.19.3] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232333/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232333; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v1nh"; depth:5; nocase; http.host; content:"121.4.67.78"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232332/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_20; classtype:trojan-activity; sid:91232332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"91.92.249.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232330; rev:1;) alert tcp $HOME_NET any -> [38.180.29.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232329; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/devise/v7.13/dbe4ydcy84f"; depth:25; nocase; http.host; content:"cloudflairly.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloudflairly.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232328; rev:1;) alert tcp $HOME_NET any -> [89.163.148.48] 28842 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232326; rev:1;) alert tcp $HOME_NET any -> [110.42.248.7] 87 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232325/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232325; rev:1;) alert tcp $HOME_NET any -> [43.154.51.250] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232324/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232324; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test2/get.php"; depth:14; nocase; http.host; content:"habrafa.com"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"1.116.74.174"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232322; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"20.2.223.43"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232321; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"101.46.48.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232320; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"101.46.48.24"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232319; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"182.43.71.62"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232318; rev:1;) alert tcp $HOME_NET any -> [18.167.180.192] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232317; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.130.48.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232316; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"162.14.109.90"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232315; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"111.230.42.149"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1232314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232314; rev:1;) alert tcp $HOME_NET any -> [93.242.10.67] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232313; rev:1;) alert tcp $HOME_NET any -> [107.175.0.167] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232312; rev:1;) alert tcp $HOME_NET any -> [78.17.151.18] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232311/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232311; rev:1;) alert tcp $HOME_NET any -> [41.99.222.68] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232310/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232310; rev:1;) alert tcp $HOME_NET any -> [142.154.126.174] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232309/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232309; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 8000 (msg:"ThreatFox BianLian 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232308/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232308; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232307/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232307; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232305/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232305; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232306/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232306; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232304/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232304; rev:1;) alert tcp $HOME_NET any -> [162.252.175.240] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232303/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; 
classtype:trojan-activity; sid:91232303; rev:1;) alert tcp $HOME_NET any -> [185.198.140.179] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232302/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232302; rev:1;) alert tcp $HOME_NET any -> [58.27.188.30] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232301/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_20; classtype:trojan-activity; sid:91232301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.d-n-s.name"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dcgems.net"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232295; rev:1;) alert tcp $HOME_NET any -> [146.0.228.66] 1080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232291; rev:1;) alert tcp $HOME_NET any -> [146.0.228.66] 8111 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232292; rev:1;) alert tcp $HOME_NET any -> [152.32.128.64] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232293; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/error.jpg"; depth:10; nocase; http.host; content:"185.161.248.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232290; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bart.jpg"; depth:9; nocase; http.host; content:"185.161.248.185"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232289; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cpanel.netbar.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232274; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 3399 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232259; rev:1;) alert tcp $HOME_NET any -> [67.205.154.243] 56785 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232260; rev:1;) alert tcp $HOME_NET any -> [80.85.143.7] 5533 (msg:"ThreatFox SpyNote botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232261; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jaitrikuta.portmap.host"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nyc1.portmap.io"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iredelltx.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; 
classtype:trojan-activity; sid:91232252; rev:1;) alert tcp $HOME_NET any -> [146.70.169.166] 2227 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232255; rev:1;) alert tcp $HOME_NET any -> [142.11.237.239] 32029 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232253; rev:1;) alert tcp $HOME_NET any -> [170.130.55.151] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"binder-sa.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232262; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"assay.porchlightcommunity.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232263; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; 
dns_query; content:"pluralism.themancav.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232264; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/digital.js"; depth:11; nocase; http.host; content:"acuiplast.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232265; rev:1;) alert tcp $HOME_NET any -> [173.44.141.200] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232267; rev:1;) alert tcp $HOME_NET any -> [37.228.129.15] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232268; rev:1;) alert tcp $HOME_NET any -> [91.208.197.30] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232269; rev:1;) alert tcp $HOME_NET any -> [45.81.232.176] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232300; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 19025 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_20; classtype:trojan-activity; sid:91232299; rev:1;) alert tcp $HOME_NET any -> [187.135.91.206] 2154 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232298/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232298; rev:1;) alert tcp $HOME_NET any -> [120.79.154.38] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232297/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232297; rev:1;) alert tcp $HOME_NET any -> [18.198.241.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232296/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_20; classtype:trojan-activity; sid:91232296; rev:1;) alert tcp $HOME_NET any -> [45.88.186.20] 61188 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232285; rev:1;) alert tcp $HOME_NET any -> [147.185.221.18] 1445 (msg:"ThreatFox NjRAT 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"198.251.88.196"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"78.153.130.188"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b20/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232271/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_19; classtype:trojan-activity; sid:91232271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b20/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232270/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232270; rev:1;) alert tcp $HOME_NET any -> [104.129.182.226] 8099 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232256/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"searchgear.pro"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232251; rev:1;) alert tcp $HOME_NET any -> [45.15.156.60] 12050 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232235; rev:1;) alert tcp $HOME_NET any -> [82.146.40.165] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232237; rev:1;) alert tcp $HOME_NET any -> [78.128.112.205] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232238; rev:1;) alert tcp $HOME_NET any -> [91.238.181.237] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232239; rev:1;) alert tcp $HOME_NET any -> [207.244.251.87] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232241; rev:1;) alert tcp $HOME_NET any -> [209.145.55.141] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232242; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"blamefade.com.br"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phppacket/low/generatordatalifepython/8flower/8/protect/betterlinelow/phpcdn/3/pythonpacket/baseexternal2video/downloads4/testprivate/mariadb/trafficimagecentraltemporary/8/javascripthttp80/javascriptprovidermulti/asyncjavascripttestpython/tocpuapiservergeneratordownloads.php"; depth:277; nocase; http.host; content:"80.66.89.148"; depth:12; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1232250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232250; rev:1;) alert tcp $HOME_NET any -> [41.103.252.193] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232249/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232249; rev:1;) alert tcp $HOME_NET any -> [72.27.169.183] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232248/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232248; rev:1;) alert tcp $HOME_NET any -> [217.165.232.250] 22 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232247/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232247; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232246; rev:1;) alert tcp $HOME_NET any -> [62.216.92.151] 8443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232245; rev:1;) alert tcp $HOME_NET any -> [91.92.240.39] 39001 (msg:"ThreatFox X-Files Stealer 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232240; rev:1;) alert tcp $HOME_NET any -> [64.74.160.148] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232236/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232236; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12706 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232234; rev:1;) alert tcp $HOME_NET any -> [35.230.156.200] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232233/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232233; rev:1;) alert tcp $HOME_NET any -> [45.76.156.95] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232232/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232110; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"subns.oss-ttech.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232111; rev:1;) alert tcp $HOME_NET any -> [46.149.76.101] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232231; rev:1;) alert tcp $HOME_NET any -> [185.243.112.245] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232230; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232229; rev:1;) alert tcp $HOME_NET any -> [34.125.99.229] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232228; rev:1;) alert tcp 
$HOME_NET any -> [18.117.74.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232226; rev:1;) alert tcp $HOME_NET any -> [43.142.84.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232227; rev:1;) alert tcp $HOME_NET any -> [69.28.84.142] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232225; rev:1;) alert tcp $HOME_NET any -> [51.75.206.78] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232224; rev:1;) alert tcp $HOME_NET any -> [15.206.205.20] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232223; rev:1;) alert tcp $HOME_NET any -> [194.206.234.235] 1443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232222; rev:1;) alert tcp $HOME_NET any -> [35.157.46.237] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232221; rev:1;) alert tcp $HOME_NET any -> [160.119.252.122] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232220; rev:1;) alert tcp $HOME_NET any -> [138.68.102.105] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232219; rev:1;) alert tcp $HOME_NET any -> [52.91.141.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232218; rev:1;) alert tcp $HOME_NET any -> [123.63.101.94] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232217; rev:1;) alert tcp $HOME_NET any -> [23.254.202.48] 4444 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232216; rev:1;) alert tcp $HOME_NET any -> [43.138.223.60] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232215; rev:1;) alert tcp $HOME_NET any -> [117.84.78.203] 8008 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232214; rev:1;) alert tcp $HOME_NET any -> [124.71.208.237] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232213; rev:1;) alert tcp $HOME_NET any -> [103.54.57.251] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232212; rev:1;) alert tcp $HOME_NET any -> [103.54.57.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232211/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232211; rev:1;) alert tcp $HOME_NET any -> [93.123.85.43] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232210; rev:1;) alert tcp $HOME_NET any -> [175.24.197.196] 808 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232209; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3psil0n.fr"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232208; rev:1;) alert tcp $HOME_NET any -> [77.73.131.73] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232206; rev:1;) alert tcp $HOME_NET any -> [193.233.255.60] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232207; rev:1;) alert tcp $HOME_NET any -> [91.92.241.73] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232205; rev:1;) alert tcp $HOME_NET any -> [34.173.15.174] 5986 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232204; rev:1;) alert tcp $HOME_NET any -> [45.153.242.202] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232203; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 21 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232202; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 44886 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232201; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2079 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232199; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 4087 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232200; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 54252 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232198; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1883 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232197; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2375 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232195; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 52435 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232196; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1232194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232194; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2376 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232193; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 25 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232191; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1080 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232192; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 36401 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232190; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 30617 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232189; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 57287 (msg:"ThreatFox 
Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232188; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 60000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232186; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 49502 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232187; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 27017 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232185; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 14120 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232184; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 62577 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232183/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_19; classtype:trojan-activity; sid:91232183; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 8085 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232182; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6006 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232180; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6918 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232181; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6001 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232179; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 23630 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232177; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1232178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232178; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 11933 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232176; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 60402 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232175; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6697 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232173; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 33913 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232174; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 6003 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232172; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 28080 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232170; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 81 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232171; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 8010 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232169; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 1200 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232168; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 179 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232167; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 9543 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232166/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_19; classtype:trojan-activity; sid:91232166; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2761 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232165; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 2004 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232164; rev:1;) alert tcp $HOME_NET any -> [176.40.9.245] 587 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232163; rev:1;) alert tcp $HOME_NET any -> [18.117.107.132] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232162; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-13-235-247-85.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232161; rev:1;) alert tcp $HOME_NET any -> [20.197.230.164] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232160; rev:1;) alert tcp $HOME_NET any -> [209.97.131.69] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232159; rev:1;) alert tcp $HOME_NET any -> [192.99.168.172] 8082 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232158; rev:1;) alert tcp $HOME_NET any -> [141.98.112.145] 1604 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232156; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"obsidia.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232157; rev:1;) alert tcp $HOME_NET any -> [45.154.98.240] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232155; rev:1;) alert tcp $HOME_NET any -> [91.92.244.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232154; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ff.africankido.design"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232153; rev:1;) alert tcp $HOME_NET any -> [45.141.85.216] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232151; rev:1;) alert tcp $HOME_NET any -> [20.75.90.103] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232152; rev:1;) alert tcp $HOME_NET any -> [194.87.31.137] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232150; rev:1;) alert tcp $HOME_NET any -> [185.186.25.92] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1232149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232149; rev:1;) alert tcp $HOME_NET any -> [149.154.69.190] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232148; rev:1;) alert tcp $HOME_NET any -> [193.201.126.69] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232147; rev:1;) alert tcp $HOME_NET any -> [20.56.52.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232146; rev:1;) alert tcp $HOME_NET any -> [94.156.68.120] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232144; rev:1;) alert tcp $HOME_NET any -> [158.247.235.51] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232145; rev:1;) alert tcp $HOME_NET any -> [51.195.94.209] 8808 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232143; rev:1;) alert tcp $HOME_NET any -> [193.26.115.51] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232142; rev:1;) alert tcp $HOME_NET any -> [118.123.1.178] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232141; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 8443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232140/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_19; classtype:trojan-activity; sid:91232140; rev:1;) alert tcp $HOME_NET any -> [94.131.112.139] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232138/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_19; classtype:trojan-activity; sid:91232138; rev:1;) alert tcp $HOME_NET any -> [64.176.58.13] 8443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232139/; target:src_ip; metadata: confidence_level 90, 
first_seen 2024_01_19; classtype:trojan-activity; sid:91232139; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51100 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232136; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51101 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232137; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 16890 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232135; rev:1;) alert tcp $HOME_NET any -> [175.178.14.59] 10081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232134; rev:1;) alert tcp $HOME_NET any -> [121.36.198.30] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232133; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232132; rev:1;) alert tcp $HOME_NET any -> [43.153.34.124] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232131; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232130; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232128; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232129; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 802 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232127; rev:1;) 
alert tcp $HOME_NET any -> [45.63.121.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232126; rev:1;) alert tcp $HOME_NET any -> [43.156.80.158] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232125; rev:1;) alert tcp $HOME_NET any -> [49.235.191.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232124; rev:1;) alert tcp $HOME_NET any -> [80.78.22.159] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232123; rev:1;) alert tcp $HOME_NET any -> [116.205.226.86] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232121; rev:1;) alert tcp $HOME_NET any -> [182.202.176.6] 60202 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232122; rev:1;) alert tcp $HOME_NET any -> [121.199.72.190] 4587 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232120; rev:1;) alert tcp $HOME_NET any -> [198.251.88.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232119; rev:1;) alert tcp $HOME_NET any -> [47.115.230.159] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232118; rev:1;) alert tcp $HOME_NET any -> [114.132.91.182] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232117; rev:1;) alert tcp $HOME_NET any -> [20.255.63.126] 8086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232116; rev:1;) alert tcp $HOME_NET any -> [38.180.10.123] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232115; rev:1;) alert tcp $HOME_NET any -> [1.94.11.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232114; rev:1;) alert tcp $HOME_NET any -> [8.134.207.214] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-139-9-196-215.compute.hwclouds-dns.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232112; rev:1;) alert tcp $HOME_NET any -> [38.132.103.114] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232109/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232109; rev:1;) alert tcp $HOME_NET any -> [45.59.70.99] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1232108/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232108; rev:1;) alert tcp $HOME_NET any -> [80.79.4.61] 18236 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232107; rev:1;) alert tcp $HOME_NET any -> [94.156.65.198] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nyashsupport.php"; depth:17; nocase; http.host; content:"852287cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232105; rev:1;) alert tcp $HOME_NET any -> [185.149.146.75] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232103/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232103; rev:1;) alert tcp $HOME_NET any -> [5.42.65.44] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232102/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232102; rev:1;) alert tcp $HOME_NET any -> [132.145.194.134] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232101/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232101; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"tan.kalnet.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/oplugmanzx.exe"; depth:27; nocase; http.host; content:"tan.kalnet.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232097; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"kalnet.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232099; rev:1;) alert tcp $HOME_NET any -> [47.106.171.201] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232100/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232100; rev:1;) alert http $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232096; rev:1;)
# NOTE(review): sid 91232096 (just above) and sid 91232094 (two rules down) have
# byte-identical detection logic -- same method, same URI prefix, same anchored host
# 85.209.176.146 -- and differ only in sid/reference; sids 91232081 and 91232057
# further down this file repeat it again. One matching request therefore raises four
# alerts, which inflates counts for no extra evidence; keep a single sid live (fold the
# other reference: links into it) and disable the rest.
# In the url rules here http.host is anchored (depth + isdataat:!1,relative), but
# http.uri is a prefix match only (depth equals the pattern length, no end anchor): the
# "/ca" rule below fires on any URI starting with "/ca" sent to 47.236.28.58. That is
# acceptable because the host pins it, but do not reuse such a short URI prefix against
# a shared or CDN-fronted host.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.236.28.58"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232095; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232094; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"15.207.223.7"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232093; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"www.xiongge.space"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.xiongge.space"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"172.67.130.131"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232088/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232088; rev:1;) alert tcp $HOME_NET any -> [185.215.113.68] 80 (msg:"ThreatFox Amadey botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"120.26.196.41"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"121.40.175.169"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/aaaaaaaaa"; depth:10; nocase; http.host; content:"129.226.83.129"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232082; rev:1;) alert tcp $HOME_NET any -> [129.226.83.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"82.157.64.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"3.10.251.35"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232079/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_19; classtype:trojan-activity; sid:91232079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232078; rev:1;) alert tcp $HOME_NET any -> [45.159.50.128] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.dnsdnsdns.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dnsdnsdns.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232075; rev:1;) alert tcp $HOME_NET any -> [185.149.146.75] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232074; rev:1;)
alert tcp $HOME_NET any -> [139.99.23.9] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232073; rev:1;)
# NOTE(review): the next rule keys on a host that imitates a US government service under
# an unrelated third-party domain; the URI "/cm" is only a 3-byte prefix match, so the
# anchored host is what keeps this rule narrow. Treat a hit as a probable lure/C2 host
# and pivot on the hostname rather than the path.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232072; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232071; rev:1;)
# NOTE(review): the next rule pins a 45-byte URI token that looks session-specific
# (TODO confirm against the ThreatFox entry) on a tenant-allocated
# *.centralus.cloudapp.azure.com hostname. It will only catch the exact URL that was
# submitted, and the hostname can be claimed by another Azure tenant once the operator
# releases it -- expect low recall now and rising false-positive risk as the IOC ages
# past first_seen.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/messages/oqnyvw6pwzmn2lhng4lggu9g-opkgdoenlw"; depth:45; nocase; http.host; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232070; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232069; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.130.133.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"ck70571.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cloud.huawel.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.huawel.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232066/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232066; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/46636ed2.php"; depth:13; nocase; http.host; content:"cj23497.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imagevideoline_requestgeoauthdbtraffictest.php"; depth:47; nocase; http.host; content:"45.32.153.79"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232063; rev:1;) alert tcp $HOME_NET any -> [167.235.64.195] 31839 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232062; rev:1;) alert tcp $HOME_NET any -> [122.176.133.66] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232061/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232061; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/look/gate.php"; depth:14; nocase; 
http.host; content:"nsslawcollege.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232060; rev:1;) alert tcp $HOME_NET any -> [8.130.82.167] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232059/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"85.209.176.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232057; rev:1;) alert tcp $HOME_NET any -> [85.209.176.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232058; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232056; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/c/msdownload/update/others/2020/10/29136388_"; depth:45; nocase; http.host; content:"45.128.96.186"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232055; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/5d4f090c730016b1.php"; depth:21; nocase; http.host; content:"45.87.153.135"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232054; rev:1;) alert tcp $HOME_NET any -> [91.92.250.136] 80 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232053/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"abode-dashboard-media.s3.ap-south-1.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232049; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"archivevalley-media.s3.amazonaws.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (domain - confidence level: 100%)"; dns_query; content:"blooming.s3.amazonaws.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232051; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shapefiles.fews.net.s3.amazonaws.com"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1232052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232052; rev:1;) alert tcp $HOME_NET any -> [192.252.183.116] 8089 (msg:"ThreatFox Unknown malware payload delivery (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232048/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_19; classtype:trojan-activity; sid:91232048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/sshd"; depth:25; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/d9a10f4568b649acae7bc2fe51fb5a98.sh"; depth:56; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; 
classtype:trojan-activity; sid:91232045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/u/123/100123/202401/31a5f4ceae1e45e1a3cd30f5d7604d89.json"; depth:58; nocase; http.host; content:"192.252.183.116"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g6cygaxht4jc1"; depth:14; nocase; http.host; content:"shapefiles.fews.net.s3.amazonaws.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232044; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bbu5yn3yayttv"; depth:14; nocase; http.host; content:"archivevalley-media.s3.amazonaws.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232042; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ea7fbw98cym5o"; depth:14; nocase; http.host; content:"blooming.s3.amazonaws.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232043; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kaffmm40rntkg"; depth:14; nocase; http.host; content:"abode-dashboard-media.s3.ap-south-1.amazonaws.com"; depth:49; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232041; rev:1;) alert tcp $HOME_NET any -> [82.157.64.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232023/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz17350.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232022; rev:1;) alert tcp $HOME_NET any -> [173.24.8.121] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232021/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232021; rev:1;) alert tcp $HOME_NET any -> [87.223.83.1] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232020/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232020; rev:1;) 
alert tcp $HOME_NET any -> [189.140.33.134] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232019/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232019; rev:1;) alert tcp $HOME_NET any -> [24.181.50.151] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232018/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232018; rev:1;) alert tcp $HOME_NET any -> [151.30.46.168] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232017/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232017; rev:1;) alert tcp $HOME_NET any -> [142.247.101.201] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232016/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232016; rev:1;) alert tcp $HOME_NET any -> [190.28.110.115] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232015/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232015; rev:1;) alert tcp $HOME_NET any -> [157.245.29.228] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232014/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232014; rev:1;) alert tcp $HOME_NET any -> [23.26.55.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232013/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232013; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232012/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232012; rev:1;) alert tcp $HOME_NET any -> [45.55.132.52] 5060 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232011/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232011; rev:1;) alert tcp $HOME_NET any -> [45.55.132.52] 587 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232010/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232010; rev:1;) alert tcp $HOME_NET any -> [93.123.85.133] 65500 (msg:"ThreatFox botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91231998; rev:1;) alert tcp $HOME_NET any -> [5.161.112.212] 29606 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232003; rev:1;) alert tcp $HOME_NET any -> [13.248.204.3] 10007 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232009/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232009; rev:1;) alert tcp $HOME_NET any -> [43.198.187.66] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232008/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232008; rev:1;) alert tcp $HOME_NET any -> [40.67.215.229] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232007/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232007; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/harmless/inc/2c6d40d7cc1ad3.php"; depth:32; nocase; http.host; content:"91.92.250.136"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1232006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232006; rev:1;) alert tcp $HOME_NET any -> [62.109.22.162] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232005/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_19; classtype:trojan-activity; sid:91232005; rev:1;) alert tcp $HOME_NET any -> [101.133.172.90] 8787 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232004/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232004; rev:1;) alert tcp $HOME_NET any -> [147.50.253.167] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232002/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232002; rev:1;) alert tcp $HOME_NET any -> [91.92.252.40] 61715 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_19; classtype:trojan-activity; sid:91232001; rev:1;) alert tcp $HOME_NET any -> [8.130.48.46] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1232000/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91232000; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_19; classtype:trojan-activity; sid:91231999; rev:1;) alert tcp $HOME_NET any -> [212.227.26.128] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231997; rev:1;) alert tcp $HOME_NET any -> [1.116.74.174] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231996/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231996; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/1210776429.php"; depth:15; nocase; http.host; content:"gigaload.info"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231995; rev:1;) alert tcp $HOME_NET any -> [103.151.5.233] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231994; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/devise/v7.13/dbe4ydcy84f"; depth:25; nocase; http.host; content:"103.151.5.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231993; rev:1;) alert tcp $HOME_NET any -> [105.99.46.148] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231992/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231992; rev:1;) alert tcp $HOME_NET any -> [154.26.136.227] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231991/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231991; rev:1;) alert tcp $HOME_NET any -> [64.188.20.177] 1053 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231990/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231990; rev:1;) alert tcp $HOME_NET any -> [82.157.64.227] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231989/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231989; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cs1-tulalip.azureedge.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ms-api-cs1.azureedge.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231961/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_18; classtype:trojan-activity; sid:91231961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e39302e3633-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-56-105-235.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d3l4l87i1ykapf.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.maixunkeji.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.wuxiaoyun.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231966; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231988; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231987; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 15184 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231986; rev:1;) alert tcp $HOME_NET any -> [209.127.186.195] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231985/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231985; rev:1;) alert tcp $HOME_NET any -> [178.62.214.55] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231984/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231984; rev:1;) alert tcp $HOME_NET any -> [185.70.104.90] 8080 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231983/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231983; rev:1;) alert tcp $HOME_NET any -> [185.70.104.90] 465 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231982/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231982; rev:1;) alert tcp $HOME_NET any -> [185.70.104.90] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231981/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231981; rev:1;) alert tcp $HOME_NET any -> [44.31.248.7] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231980; rev:1;) alert tcp $HOME_NET any -> [77.8.38.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231979/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231979; rev:1;) alert tcp $HOME_NET any -> [41.111.0.243] 2078 (msg:"ThreatFox QakBot 
botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231978/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231978; rev:1;) alert tcp $HOME_NET any -> [37.56.101.159] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231977/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231977; rev:1;) alert tcp $HOME_NET any -> [90.4.242.46] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231976/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231976; rev:1;) alert tcp $HOME_NET any -> [79.130.54.8] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231975/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231975; rev:1;) alert tcp $HOME_NET any -> [74.12.146.19] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231974/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231974; rev:1;) alert tcp $HOME_NET any -> [99.153.7.177] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231973/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231973; rev:1;) alert tcp $HOME_NET any -> [209.127.186.233] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231972; rev:1;) alert tcp $HOME_NET any -> [2.58.15.126] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231971; rev:1;) alert tcp $HOME_NET any -> [43.198.203.238] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231970; rev:1;) alert tcp $HOME_NET any -> [74.208.172.242] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231969/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231969; rev:1;) alert tcp $HOME_NET any -> [74.208.172.242] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231968/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231968; rev:1;) alert tcp $HOME_NET any -> [185.245.182.209] 3000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
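threatfox.abuse.ch/ioc/1231967/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231967; rev:1;)
# --- Review notes on the three rule templates used in this section ---
# Suricata reads one rule per line; the rules below were collapsed onto shared
# lines and have been split back out so the file parses as written.
# ip:port rules ("alert tcp ... -> [IP] PORT"): fire on any TCP traffic from
# $HOME_NET to the listed C2 endpoint. "threshold: type limit, track by_src,
# seconds 60, count 1" caps output at one alert per internal source host per
# minute, so a beaconing host produces a steady trickle rather than a flood.
# url rules ("alert http ..."): require an established client-to-server flow,
# method GET, the URI prefix and the Host header. "depth" equals the pattern
# length, so each content match is anchored at offset 0; "isdataat:!1,relative"
# after the host pattern requires that nothing follows it (exact host match).
# domain rules ("alert dns ..."): match the DNS query name exactly for the same
# reason (depth == pattern length, isdataat:!1,relative), case-insensitive.
# "target:src_ip" marks the internal host that queried/connected as the
# affected asset; "metadata: confidence_level N" mirrors the confidence in
# msg and is the field to filter on when tuning (this section has 50, 75, 80
# and 100 entries).
# Note: many Venom RAT / AsyncRAT entries below point at one host
# (176.40.9.245) on many different ports; during triage treat repeated hits
# from one internal source as a single C2 relationship, not separate events.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231958; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231957; rev:1;)
alert tcp $HOME_NET any -> [45.246.210.193] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231956; rev:1;)
alert tcp $HOME_NET any -> [197.14.170.144] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231955; rev:1;)
alert tcp $HOME_NET any -> [34.70.180.79] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231954; rev:1;)
alert tcp $HOME_NET any -> [34.173.15.174] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231953; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 20000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231952; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 631 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231951; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 60143 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231950; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 27585 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231948; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 5903 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231949; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 6379 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231947; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231946; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 33416 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231945; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 10070 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231943; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 15825 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231944; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 48742 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231942; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 26589 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231941; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 24233 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231940; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 1433 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231939; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 61105 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231938; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 26808 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231937; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 12445 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231936; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 833 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231935; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vibrant-proskuriakova.185-228-234-171.plesk.page"; depth:48; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231934; rev:1;)
alert tcp $HOME_NET any -> [38.54.93.184] 9999 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231933; rev:1;)
alert tcp $HOME_NET any -> [77.21.10.243] 29041 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231932; rev:1;)
alert tcp $HOME_NET any -> [47.245.114.11] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231931; rev:1;)
alert tcp $HOME_NET any -> [85.209.176.146] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231930; rev:1;)
alert tcp $HOME_NET any -> [27.102.130.160] 8889 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231929; rev:1;)
alert tcp $HOME_NET any -> [95.68.152.232] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231928/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231928; rev:1;)
alert tcp $HOME_NET any -> [91.92.252.249] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231927; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"education.mccoe.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231925; rev:1;)
alert tcp $HOME_NET any -> [40.124.87.200] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231926; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"set.urlz.ws"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231923; rev:1;)
alert tcp $HOME_NET any -> [38.54.86.90] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231924; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"su.urlz.ws"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231922; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad.urlz.ws"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231921; rev:1;)
alert tcp $HOME_NET any -> [80.78.22.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231920; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.stoneco.network"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231919; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0903703.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231918; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231917; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.195] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231916; rev:1;)
alert tcp $HOME_NET any -> [209.127.186.233] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231915; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231914; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"team-speak.r2283.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231913; rev:1;)
alert tcp $HOME_NET any -> [168.99.76.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231912; rev:1;)
alert tcp $HOME_NET any -> [116.232.52.79] 8090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231911; rev:1;)
alert tcp $HOME_NET any -> [37.9.8.115] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231910; rev:1;)
alert tcp $HOME_NET any -> [35.205.188.96] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231909; rev:1;)
alert tcp $HOME_NET any -> [35.187.249.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231908/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231908; rev:1;)
alert tcp $HOME_NET any -> [84.247.136.19] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231907; rev:1;)
alert tcp $HOME_NET any -> [101.32.220.131] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231906; rev:1;)
alert tcp $HOME_NET any -> [43.135.5.121] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231905; rev:1;)
alert tcp $HOME_NET any -> [64.176.47.131] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231904; rev:1;)
alert tcp $HOME_NET any -> [3.81.113.118] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231903; rev:1;)
alert tcp $HOME_NET any -> [20.54.148.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231902; rev:1;)
alert tcp $HOME_NET any -> [54.210.110.31] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231901; rev:1;)
alert tcp $HOME_NET any -> [154.144.246.8] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231900; rev:1;)
alert tcp $HOME_NET any -> [223.167.229.112] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231898; rev:1;)
alert tcp $HOME_NET any -> [34.168.202.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231899; rev:1;)
alert tcp $HOME_NET any -> [149.28.199.177] 6286 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231897; rev:1;)
alert tcp $HOME_NET any -> [35.157.46.237] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231896; rev:1;)
alert tcp $HOME_NET any -> [43.136.27.224] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231895; rev:1;)
alert tcp $HOME_NET any -> [87.251.66.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231894/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231894; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"78.lan-so2-1.static.rozabg.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231892; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanasuuakiaa.host"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231893; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"doobiefly.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231891; rev:1;)
alert tcp $HOME_NET any -> [210.211.117.205] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231890; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-23-33-245.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231888; rev:1;)
alert tcp $HOME_NET any -> [89.208.105.191] 80 (msg:"ThreatFox AMOS botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231887; rev:1;)
alert tcp $HOME_NET any -> [94.228.162.3] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231886; rev:1;)
alert tcp $HOME_NET any -> [39.170.62.143] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231885; rev:1;)
alert tcp $HOME_NET any -> [193.233.132.88] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231884; rev:1;)
alert tcp $HOME_NET any -> [209.145.58.236] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231883; rev:1;)
alert tcp $HOME_NET any -> [3.79.229.48] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231882; rev:1;)
alert tcp $HOME_NET any -> [42.114.153.12] 4444 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231881; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 23803 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231880; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 57002 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231878; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 1026 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231879; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 53782 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231877; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 33742 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231875; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 53346 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231876; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 33389 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231874; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 46571 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231873; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 11778 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231871; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 23515 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231872; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 1311 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231870; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 6000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231868; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231869; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 3306 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231867; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 110 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231866; rev:1;)
alert tcp $HOME_NET any -> [118.107.41.120] 30360 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231865; rev:1;)
alert tcp $HOME_NET any -> [206.166.251.107] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231864; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"primalbrainhacks.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231863; rev:1;)
alert tcp $HOME_NET any -> [187.59.65.160] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231862; rev:1;)
alert tcp $HOME_NET any -> [91.224.92.194] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231861; rev:1;)
alert tcp $HOME_NET any -> [45.141.85.181] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231860; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1561484.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231859; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ipmotinov.fvds.ru"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231858; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"artre3.fvds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231856; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"polina.to-kgb.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231857; rev:1;)
alert tcp $HOME_NET any -> [91.92.246.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231855; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-26-24-38.ap-southeast-2.compute.amazonaws.com"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231853; rev:1;)
alert tcp $HOME_NET any -> [160.1.6.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231854; rev:1;)
alert tcp $HOME_NET any -> [3.27.149.232] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231852; rev:1;)
alert tcp $HOME_NET any -> [164.90.209.184] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231851; rev:1;)
alert tcp $HOME_NET any -> [186.168.66.85] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231850; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 42358 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231848; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 50126 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231849; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 40249 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231847; rev:1;)
alert tcp $HOME_NET any -> [176.40.9.245] 62822 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231846; rev:1;)
alert tcp $HOME_NET any -> [194.213.3.123] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231845; rev:1;)
alert tcp $HOME_NET any -> [194.213.3.123] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231844; rev:1;)
alert tcp $HOME_NET any -> [207.32.217.14] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231843; rev:1;)
alert tcp $HOME_NET any -> [107.150.23.137] 8020 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence 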
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231842; rev:1;) alert tcp $HOME_NET any -> [39.105.231.94] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231841; rev:1;) alert tcp $HOME_NET any -> [159.223.130.150] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231840/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_18; classtype:trojan-activity; sid:91231840; rev:1;) alert tcp $HOME_NET any -> [172.96.137.224] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231839/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_18; classtype:trojan-activity; sid:91231839; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231837; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231838; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1701 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231836; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231835; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2167 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231833; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231834; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231832; rev:1;) alert tcp $HOME_NET any -> [187.135.85.233] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231831; rev:1;) alert tcp $HOME_NET any -> [105.98.169.29] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231830; rev:1;) alert tcp $HOME_NET any -> [124.220.6.158] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231829; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231828; rev:1;) alert tcp $HOME_NET any -> [47.245.82.226] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231827; rev:1;) alert tcp $HOME_NET any -> [121.43.33.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231826; rev:1;) alert tcp $HOME_NET any -> [157.230.44.125] 8083 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231825; rev:1;) alert tcp $HOME_NET any -> [47.93.254.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231824; rev:1;) alert tcp $HOME_NET any -> [139.196.10.154] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231823; rev:1;) alert tcp $HOME_NET any -> [154.90.62.92] 3333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231822; rev:1;) alert tcp $HOME_NET any -> [43.137.6.175] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231820; rev:1;) alert tcp $HOME_NET any -> [121.43.97.52] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231821/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231821; rev:1;) alert tcp $HOME_NET any -> [124.222.54.66] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231819; rev:1;) alert tcp $HOME_NET any -> [47.96.67.231] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231818; rev:1;) alert tcp $HOME_NET any -> [139.224.33.120] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231817; rev:1;) alert tcp $HOME_NET any -> [147.78.47.185] 5347 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231816; rev:1;) alert tcp $HOME_NET any -> [47.99.171.179] 5000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231815; rev:1;) alert tcp $HOME_NET any -> [139.9.134.28] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231814; rev:1;) alert tcp $HOME_NET any -> [175.178.103.194] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231813; rev:1;) alert tcp $HOME_NET any -> [123.57.135.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231811; rev:1;) alert tcp $HOME_NET any -> [8.219.121.245] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231812; rev:1;) alert tcp $HOME_NET any -> [82.157.64.227] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231810; rev:1;) alert tcp $HOME_NET any -> [8.137.115.200] 3390 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231808; rev:1;) alert tcp $HOME_NET any -> [139.159.221.73] 8085 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ad.ttss66.co"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231807; rev:1;) alert tcp $HOME_NET any -> [212.254.178.181] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231806; rev:1;) alert tcp $HOME_NET any -> [91.92.249.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-15-207-223-7.ap-south-1.compute.amazonaws.com"; depth:49; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"app.ttss66.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"164-90-169-184.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231802; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/hahaha/yomobing"; depth:16; nocase; http.host; content:"42.193.1.241"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231801; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.120.47.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231800; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.220.164.254"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; 
sid:91231799; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"175.178.103.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/image/"; depth:7; nocase; http.host; content:"118.195.236.44"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231797; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pingjs/ext2020/configf2017/5d09e4c5.js"; depth:39; nocase; http.host; content:"47.57.12.167"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dc"; depth:3; nocase; http.host; content:"103.1.40.217"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231795; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.99.171.179"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231794; rev:1;) alert tcp $HOME_NET any -> [172.67.130.131] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231793/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231793; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231792; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231791; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231790; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 15617 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231789/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; content:"42.81.86.62"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-9cs9xxk6-1259711277.gz.tencentapigw.com.cn"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-9cs9xxk6-1259711277.gz.tencentapigw.com.cn"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.42.172.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"111.231.21.83"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.229.163.225"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231782; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"110.43.34.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; 
content:"106.52.244.189"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231779; rev:1;) alert tcp $HOME_NET any -> [62.234.54.38] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.baidusec.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1231775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.228.169.161"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231774; rev:1;) alert tcp $HOME_NET any -> [111.230.1.229] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231773; rev:1;) alert tcp $HOME_NET any -> [47.97.63.211] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231772/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231772; rev:1;) alert tcp $HOME_NET any -> [185.189.112.27] 2529 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231771/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231771; rev:1;) alert tcp $HOME_NET any -> [54.151.129.213] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231770/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; 
classtype:trojan-activity; sid:91231770; rev:1;) alert tcp $HOME_NET any -> [162.218.122.24] 5707 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231769/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"175.178.161.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231768; rev:1;) alert tcp $HOME_NET any -> [5.75.215.163] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.163"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231765; rev:1;) alert tcp $HOME_NET any -> [95.217.240.143] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231766; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.240.143"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231764; rev:1;) alert tcp $HOME_NET any -> [45.153.230.56] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231763/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231763; rev:1;) alert tcp $HOME_NET any -> [182.43.81.4] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231762/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231762; rev:1;) alert tcp $HOME_NET any -> [101.43.175.148] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231761/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231761; rev:1;) alert tcp $HOME_NET any -> [64.176.35.5] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231760; rev:1;) alert tcp $HOME_NET any -> [38.60.200.88] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231759; rev:1;) alert tcp $HOME_NET any -> [45.131.108.123] 2003 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231758; rev:1;) alert tcp $HOME_NET any -> [107.150.23.137] 8010 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231757; rev:1;) alert tcp $HOME_NET any -> [40.112.134.176] 1024 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231756; rev:1;) alert tcp $HOME_NET any -> [31.117.111.217] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231755; rev:1;) alert tcp $HOME_NET any -> [74.12.146.19] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231754; rev:1;) alert tcp $HOME_NET any -> 
[70.107.200.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231753; rev:1;) alert tcp $HOME_NET any -> [209.163.151.210] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231752; rev:1;) alert tcp $HOME_NET any -> [34.135.30.146] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231751; rev:1;) alert tcp $HOME_NET any -> [206.237.1.36] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231749; rev:1;) alert tcp $HOME_NET any -> [206.237.1.36] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231750; rev:1;) alert tcp $HOME_NET any -> [43.138.25.26] 4431 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231748/; target:src_ip; metadata: confidence_level 50, 
first_seen 2024_01_18; classtype:trojan-activity; sid:91231748; rev:1;) alert tcp $HOME_NET any -> [51.81.110.44] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231747; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231746; rev:1;) alert tcp $HOME_NET any -> [103.11.1.147] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231745; rev:1;) alert tcp $HOME_NET any -> [103.83.31.209] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231744; rev:1;) alert tcp $HOME_NET any -> [43.230.161.37] 5432 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231743/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_18; classtype:trojan-activity; sid:91231743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"984794727cm.whiteproducts.ru"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"broler.shop"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yadongrec.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.broler.shop"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231735; rev:1;) alert tcp $HOME_NET any -> [3.10.251.35] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231741/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/amje"; depth:5; nocase; http.host; 
content:"121.40.63.121"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231740/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_18; classtype:trojan-activity; sid:91231740; rev:1;) alert tcp $HOME_NET any -> [121.40.63.121] 58431 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_18; classtype:trojan-activity; sid:91231739; rev:1;) alert tcp $HOME_NET any -> [94.96.102.52] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231738/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231738; rev:1;) alert tcp $HOME_NET any -> [160.1.6.79] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231737/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231737; rev:1;) alert tcp $HOME_NET any -> [18.219.185.11] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231736/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_18; classtype:trojan-activity; sid:91231736; rev:1;) alert tcp $HOME_NET any -> [90.156.226.218] 81 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231732; 
rev:1;) alert tcp $HOME_NET any -> [124.222.145.84] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcloud/main/scripts/release"; depth:28; nocase; http.host; content:"124.222.145.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"120.55.12.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qcloud/main/scripts/release"; depth:28; nocase; http.host; content:"124.222.145.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231727; rev:1;) alert tcp $HOME_NET any -> [124.222.145.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231728; rev:1;) alert tcp $HOME_NET any -> [44.206.79.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231726; rev:1;) alert tcp $HOME_NET any -> [139.180.217.19] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231725; rev:1;) alert tcp $HOME_NET any -> [31.220.107.19] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231724; rev:1;) alert tcp $HOME_NET any -> [170.64.163.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231722; rev:1;) alert tcp $HOME_NET any -> [46.36.40.36] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231723; rev:1;) alert tcp $HOME_NET any -> [3.91.122.253] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231721; rev:1;) alert tcp $HOME_NET any -> [186.114.35.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231720; rev:1;) alert tcp $HOME_NET any -> [94.200.31.94] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231719; rev:1;) alert tcp $HOME_NET any -> [44.204.34.117] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231718; rev:1;) alert tcp $HOME_NET any -> [104.192.83.105] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231717; rev:1;) alert tcp $HOME_NET any -> [101.200.36.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231716/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231716; rev:1;) alert tcp $HOME_NET any -> [47.116.65.124] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231715; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"practical-goldwasser.2-58-113-220.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231714; rev:1;) alert tcp $HOME_NET any -> [77.105.146.199] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231713; rev:1;) alert tcp $HOME_NET any -> [190.123.44.233] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231712; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tradeplayz.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231711; rev:1;) alert tcp $HOME_NET any -> 
[84.247.161.111] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231710; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.spacestar.su"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231709; rev:1;) alert tcp $HOME_NET any -> [24.199.72.221] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231708; rev:1;) alert tcp $HOME_NET any -> [120.55.12.41] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231707; rev:1;) alert tcp $HOME_NET any -> [47.106.230.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231706; rev:1;) alert tcp $HOME_NET any -> [47.106.230.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231705; rev:1;) alert tcp $HOME_NET any -> [47.245.82.226] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231704; rev:1;) alert tcp $HOME_NET any -> [27.102.130.160] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231703; rev:1;) alert tcp $HOME_NET any -> [103.97.176.112] 5588 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231702; rev:1;) alert tcp $HOME_NET any -> [49.12.98.191] 14499 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231701; rev:1;) alert tcp $HOME_NET any -> [43.139.94.117] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231699; rev:1;) alert tcp $HOME_NET any -> [121.43.62.136] 5000 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231700; rev:1;) alert tcp $HOME_NET any -> [42.192.45.240] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hei.ttss66.co"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231697; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sacacaa.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231696; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1.ttss66.co"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231695; rev:1;) alert tcp $HOME_NET any -> [188.17.46.163] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231694/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231694; rev:1;) alert tcp $HOME_NET any -> [85.206.169.88] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231693/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231693; rev:1;) alert tcp $HOME_NET any -> [159.69.179.151] 12807 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231692; rev:1;) alert tcp $HOME_NET any -> [44.31.248.7] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231691/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231691; rev:1;) alert tcp $HOME_NET any -> [94.156.66.169] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231690; rev:1;) alert tcp $HOME_NET any -> [94.156.66.169] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231689/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; classtype:trojan-activity; sid:91231689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"worrystitchsounddywuwp.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"copyrightspareddcitwew.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"groannysoapblockedstiw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231654; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"paperambiguonusphoterew.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231656; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; 
http.host; content:"expenditureddisumilarwo.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"weedpairfolkloredheryw.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"combinethemepiggerygoj.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"qualifiedbehaviorrykej.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"transparenteunlawfullyp.site"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231661/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231661; rev:1;) alert tcp $HOME_NET any -> [20.2.223.147] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231688/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231688; rev:1;) alert tcp $HOME_NET any -> [31.117.127.145] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231687/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231687; rev:1;) alert tcp $HOME_NET any -> [74.124.191.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231686; rev:1;) alert tcp $HOME_NET any -> [41.99.28.89] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231685/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231685; rev:1;) alert tcp $HOME_NET any -> [187.211.85.9] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231684/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231684; rev:1;) alert tcp $HOME_NET any -> [185.198.121.148] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231683/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231683; rev:1;) alert tcp $HOME_NET any -> [74.12.146.183] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231682/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231682; rev:1;) alert tcp $HOME_NET any -> [108.173.84.82] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231681/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231681; rev:1;) alert tcp $HOME_NET any -> [95.215.108.41] 1194 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231680/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231680; rev:1;) alert tcp $HOME_NET any -> [31.46.55.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231679/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231679; rev:1;) alert tcp $HOME_NET any -> [79.131.125.119] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231678/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231678; rev:1;) alert tcp $HOME_NET any -> [39.40.158.169] 995 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231677; rev:1;) alert tcp $HOME_NET any -> [75.134.202.126] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231676/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231676; rev:1;) alert tcp $HOME_NET any -> [185.117.90.142] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231675/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231675; rev:1;) alert tcp $HOME_NET any -> [24.45.151.251] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231674/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231674; rev:1;) alert tcp $HOME_NET any -> [2.82.9.245] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231673/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231673; rev:1;) alert tcp $HOME_NET any -> [64.23.165.240] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231672/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231672; rev:1;) alert tcp $HOME_NET any -> [54.205.140.17] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231671/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231671; rev:1;) alert tcp $HOME_NET any -> [136.40.23.25] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231670/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231670; rev:1;) alert tcp $HOME_NET any -> [20.84.6.140] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231669/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231669; rev:1;) alert tcp $HOME_NET any -> [172.172.163.9] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231668; rev:1;) alert tcp $HOME_NET any -> [172.172.163.9] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231667; rev:1;) alert tcp $HOME_NET any -> [167.172.80.227] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231666; rev:1;) alert tcp $HOME_NET any -> [103.11.3.170] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231665; rev:1;) alert tcp $HOME_NET any -> [209.105.242.245] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231664; rev:1;) alert tcp $HOME_NET any -> [103.15.105.29] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231663; rev:1;) alert tcp $HOME_NET any -> [103.85.110.13] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadmultidefaultuploadsdownloads.php"; depth:40; nocase; http.host; content:"977789cm.nyashland.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231652/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_17; classtype:trojan-activity; sid:91231652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b8sdjsdks/index.php"; depth:20; nocase; http.host; content:"5.42.65.44"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231651; rev:1;) alert tcp $HOME_NET any -> [8.130.82.167] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231650/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231650; rev:1;) alert tcp $HOME_NET any -> [193.233.50.13] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231648; rev:1;) alert tcp $HOME_NET any -> [193.233.50.13] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231649; rev:1;) alert tcp $HOME_NET any -> [81.19.140.50] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231647; rev:1;) alert tcp $HOME_NET any -> [95.216.37.49] 443 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231645; rev:1;) alert tcp $HOME_NET any -> [81.19.140.50] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231646; rev:1;) alert tcp $HOME_NET any -> [95.216.37.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231644; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud5.5-systems.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hel.syscare.sk"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231643; rev:1;) alert tcp $HOME_NET any -> [116.202.214.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"node103.5-systems.ru"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.49.37.216.95.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dev.5-systems.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vault.5-systems.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231638; rev:1;) alert tcp $HOME_NET any -> [85.239.34.8] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn3-kit1.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231636; rev:1;) alert tcp $HOME_NET any -> [194.110.247.198] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231634; rev:1;) alert tcp $HOME_NET any -> [88.151.192.34] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231632; rev:1;) alert tcp $HOME_NET any -> [193.233.203.153] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231633; rev:1;) alert tcp $HOME_NET any -> [213.232.235.210] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231631; rev:1;) alert tcp $HOME_NET any -> [193.233.18.169] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231630; rev:1;) alert tcp $HOME_NET any -> [37.220.86.73] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231629; rev:1;) alert tcp $HOME_NET any -> [176.123.2.55] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231627; rev:1;) alert tcp $HOME_NET any -> [81.19.140.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231628; rev:1;) alert tcp $HOME_NET any -> [185.84.163.105] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bl3mder3d.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.113.214.202.116.clients.your-server.de"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"free-cdn.tech"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn3.ru"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231622; rev:1;) alert tcp $HOME_NET any -> [85.98.101.67] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231621; rev:1;) alert tcp $HOME_NET any -> [2.50.16.38] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231620; rev:1;) alert tcp $HOME_NET any -> [168.149.58.6] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231619; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231617; rev:1;) alert tcp $HOME_NET any -> [62.84.103.154] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231618; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231616; rev:1;) alert tcp $HOME_NET any -> [2.58.15.111] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231615; rev:1;) alert tcp $HOME_NET any -> [156.236.76.243] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231613; rev:1;) 
# BianLian C2 ip:port indicators from ThreatFox (confidence level 100%, first seen 2024-01-17).
# Each rule is rate-limited to one alert per internal source host per 60 s
# (threshold: type limit, track by_src, seconds 60, count 1).
# NOTE(review): these ip:port rules carry no flow keyword, so presumably any TCP packet from
# $HOME_NET towards the listed socket matches, not only an established session -- confirm this
# is the intended sensitivity before deploying on a busy sensor.
# target:src_ip marks the $HOME_NET host (the alert's source IP) as the target side of the alert.
alert tcp $HOME_NET any -> [2.58.15.111] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231614; rev:1;)
alert tcp $HOME_NET any -> [156.236.76.243] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231612; rev:1;)
alert tcp $HOME_NET any -> [156.236.76.243] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231610; rev:1;)
alert tcp $HOME_NET any -> [156.236.76.243] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231611; rev:1;)
alert tcp $HOME_NET any -> [156.236.76.243] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231609; rev:1;)
# NOTE(review): in this copy the rule below is split across two lines; Suricata needs a rule on
# one line (or a trailing backslash continuation) for it to load.
alert tcp $HOME_NET any -> [151.236.16.27] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231607/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231607; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231608; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231606; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231604; rev:1;) alert tcp $HOME_NET any -> [151.236.16.27] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231605; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231603; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231601; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231602; rev:1;) alert tcp $HOME_NET any -> [209.127.186.46] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231600; rev:1;) alert tcp $HOME_NET any -> [61.247.164.51] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231599/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231599; rev:1;) alert tcp $HOME_NET any -> [3.80.241.115] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231597; rev:1;) alert tcp $HOME_NET any -> [3.230.14.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231598; rev:1;) alert tcp $HOME_NET any -> [4.196.203.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231596; rev:1;) alert tcp $HOME_NET any -> [137.184.204.254] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231595; rev:1;) alert tcp $HOME_NET any -> [52.76.13.113] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231593; rev:1;) alert tcp $HOME_NET any -> [149.28.59.118] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231594; rev:1;) alert tcp $HOME_NET any -> [24.105.180.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231592; rev:1;) alert tcp $HOME_NET any -> [142.171.108.61] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231591; rev:1;) alert tcp $HOME_NET any -> [203.154.83.164] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231590; rev:1;) alert tcp $HOME_NET any -> [157.245.108.22] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231589; rev:1;) alert tcp $HOME_NET any -> [103.149.177.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231587; rev:1;) alert tcp $HOME_NET any -> [34.232.20.132] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231588; rev:1;) alert tcp $HOME_NET any -> [68.183.94.232] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231586; rev:1;) alert 
tcp $HOME_NET any -> [3.27.165.207] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231585; rev:1;) alert tcp $HOME_NET any -> [120.48.29.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231584; rev:1;) alert tcp $HOME_NET any -> [44.218.238.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231583; rev:1;) alert tcp $HOME_NET any -> [3.131.98.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231581; rev:1;) alert tcp $HOME_NET any -> [13.64.102.17] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231582; rev:1;) alert tcp $HOME_NET any -> [84.201.173.129] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231579; rev:1;) alert tcp $HOME_NET any -> [44.196.151.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231580; rev:1;) alert tcp $HOME_NET any -> [8.210.51.165] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231578; rev:1;) alert tcp $HOME_NET any -> [175.178.221.124] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231577; rev:1;) alert tcp $HOME_NET any -> [52.59.142.201] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231576; rev:1;) alert tcp $HOME_NET any -> [52.59.142.201] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231575; rev:1;) alert tcp $HOME_NET any -> [34.207.241.211] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231574; rev:1;) alert tcp $HOME_NET any -> [66.135.26.24] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231572; rev:1;) alert tcp $HOME_NET any -> [200.69.21.128] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231573; rev:1;) alert tcp $HOME_NET any -> [191.104.11.30] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231571; rev:1;) alert tcp $HOME_NET any -> [101.226.173.195] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231570; rev:1;) alert tcp $HOME_NET any -> [89.104.70.253] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231569/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231569; rev:1;) alert tcp $HOME_NET any -> [120.133.50.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231568; rev:1;) alert tcp $HOME_NET any -> [43.138.172.15] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231567; rev:1;) alert tcp $HOME_NET any -> [8.140.123.165] 10000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231565; rev:1;) alert tcp $HOME_NET any -> [103.149.177.198] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231566; rev:1;) alert tcp $HOME_NET any -> [159.223.69.141] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231564; rev:1;) alert tcp $HOME_NET any -> [43.228.89.248] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231563; rev:1;) alert tcp $HOME_NET any -> [43.228.89.246] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231561; rev:1;) alert tcp $HOME_NET any -> [43.228.89.245] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231562; rev:1;) alert tcp $HOME_NET any -> [149.28.222.242] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231560; rev:1;) alert tcp $HOME_NET any -> [124.221.183.95] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231559; rev:1;) alert tcp $HOME_NET any -> [154.8.205.2] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231558/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231558; rev:1;) alert tcp $HOME_NET any -> [115.126.107.244] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231556; rev:1;) alert tcp $HOME_NET any -> [116.212.120.32] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231557; rev:1;) alert tcp $HOME_NET any -> [47.108.144.205] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231555; rev:1;) alert tcp $HOME_NET any -> [163.53.216.157] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231553; rev:1;) alert tcp $HOME_NET any -> [43.228.89.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231554; rev:1;) alert tcp $HOME_NET any -> [117.84.38.82] 8008 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231552; rev:1;) alert tcp $HOME_NET any -> [120.26.168.94] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231551; rev:1;) alert tcp $HOME_NET any -> [8.218.155.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231550; rev:1;) alert tcp $HOME_NET any -> [91.92.243.55] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231549; rev:1;) alert tcp $HOME_NET any -> [94.156.71.78] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231548; rev:1;) alert tcp $HOME_NET any -> [45.95.169.14] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231547/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_17; classtype:trojan-activity; sid:91231547; rev:1;) alert tcp $HOME_NET any -> [103.189.203.36] 80 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231546; rev:1;) alert tcp $HOME_NET any -> [94.228.162.149] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231544; rev:1;) alert tcp $HOME_NET any -> [51.195.28.168] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231545; rev:1;) alert tcp $HOME_NET any -> [77.232.142.8] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231543; rev:1;) alert tcp $HOME_NET any -> [91.92.240.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231542; rev:1;) alert tcp $HOME_NET any -> [193.222.96.25] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231541; rev:1;) alert tcp $HOME_NET any -> [5.182.87.142] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231540; rev:1;) alert tcp $HOME_NET any -> [195.20.16.224] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231539; rev:1;) alert tcp $HOME_NET any -> [20.161.72.166] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231538; rev:1;) alert tcp $HOME_NET any -> [45.204.82.82] 6606 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231537; rev:1;) alert tcp $HOME_NET any -> [167.71.139.50] 22533 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231536; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 9999 
(msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231535; rev:1;) alert tcp $HOME_NET any -> [115.79.234.191] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231534; rev:1;) alert tcp $HOME_NET any -> [91.92.251.28] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231532; rev:1;) alert tcp $HOME_NET any -> [3.6.115.64] 12480 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231533; rev:1;) alert tcp $HOME_NET any -> [188.119.113.105] 2323 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231531; rev:1;) alert tcp $HOME_NET any -> [103.241.66.73] 1604 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231530/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231529; rev:1;) alert tcp $HOME_NET any -> [138.197.4.123] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231528; rev:1;) alert tcp $HOME_NET any -> [16.62.217.129] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231526; rev:1;) alert tcp $HOME_NET any -> [45.126.127.218] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231527; rev:1;) alert tcp $HOME_NET any -> [52.66.109.117] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231525; rev:1;) alert tcp $HOME_NET any -> [93.177.167.240] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231523; rev:1;) alert tcp $HOME_NET any -> [66.85.157.78] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231524; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 27212 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231522; rev:1;) alert tcp $HOME_NET any -> [191.82.199.36] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231521; rev:1;) alert tcp $HOME_NET any -> [40.81.26.134] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231519; rev:1;) alert tcp $HOME_NET any -> [103.127.80.52] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231520; rev:1;) alert tcp 
$HOME_NET any -> [109.193.93.28] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231518; rev:1;) alert tcp $HOME_NET any -> [110.148.223.254] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231517; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231515; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231516; rev:1;) alert tcp $HOME_NET any -> [91.108.240.144] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231514; rev:1;) alert tcp $HOME_NET any -> [45.88.79.168] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231513/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231513; rev:1;) alert tcp $HOME_NET any -> [81.19.137.68] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231512; rev:1;) alert tcp $HOME_NET any -> [91.224.92.195] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231511; rev:1;) alert tcp $HOME_NET any -> [185.146.157.121] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231510; rev:1;) alert tcp $HOME_NET any -> [38.207.178.212] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231509; rev:1;) alert tcp $HOME_NET any -> [176.123.169.240] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231507; rev:1;) alert tcp $HOME_NET any -> [38.60.205.80] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1231508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231508; rev:1;) alert tcp $HOME_NET any -> [13.245.207.111] 9922 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231506; rev:1;) alert tcp $HOME_NET any -> [20.11.149.168] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231504/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231504; rev:1;) alert tcp $HOME_NET any -> [154.90.49.23] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231505; rev:1;) alert tcp $HOME_NET any -> [38.54.59.79] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231503; rev:1;) alert tcp $HOME_NET any -> [91.109.188.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231501; rev:1;) alert tcp $HOME_NET any -> 
[91.109.188.9] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231502; rev:1;) alert tcp $HOME_NET any -> [172.234.95.198] 8443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231500; rev:1;) alert tcp $HOME_NET any -> [158.220.83.114] 9909 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231499; rev:1;) alert tcp $HOME_NET any -> [181.131.219.252] 4203 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231498; rev:1;) alert tcp $HOME_NET any -> [91.109.184.6] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231497; rev:1;) alert tcp $HOME_NET any -> [190.28.139.66] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231495/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231495; rev:1;) alert tcp $HOME_NET any -> [91.109.184.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231496; rev:1;) alert tcp $HOME_NET any -> [206.123.132.169] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231494; rev:1;) alert tcp $HOME_NET any -> [101.43.162.6] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231493; rev:1;) alert tcp $HOME_NET any -> [119.45.219.31] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231492; rev:1;) alert tcp $HOME_NET any -> [159.75.180.29] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231491; rev:1;) alert tcp $HOME_NET any -> [129.204.56.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231490; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231489/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231489; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231488/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231488; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231487/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231487; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231485/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231485; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231486/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231486; 
rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231484/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231484; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231483/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231483; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231482/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231482; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231481/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231481; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231479/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231479; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231480/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231480; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231478/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231478; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231477/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231477; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231476/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231476; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231475/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231475; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231474/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231474; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8005 (msg:"ThreatFox ShadowPad botnet 
C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231473/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231473; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231472/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231472; rev:1;) alert tcp $HOME_NET any -> [155.138.154.203] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231471/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231471; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231470/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231470; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231469/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231469; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231468/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231468; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231467/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231467; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231466/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231466; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231465/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231465; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231464/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231464; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231463/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231463; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231462/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231462; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231461; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231460; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231459/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231459; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231457/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231457; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231458/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231458; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8001 (msg:"ThreatFox ShadowPad botnet C2 
traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231456/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231456; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231454/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231454; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231455/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231455; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231453/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231453; rev:1;) alert tcp $HOME_NET any -> [45.77.183.245] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231452/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231452; rev:1;) alert tcp $HOME_NET any -> [103.140.187.122] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231451/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231451; rev:1;) alert tcp $HOME_NET any -> [174.138.56.147] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231450/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231450; rev:1;) alert tcp $HOME_NET any -> [43.157.27.174] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231449/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_17; classtype:trojan-activity; sid:91231449; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51102 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231448; rev:1;) alert tcp $HOME_NET any -> [82.64.15.197] 51005 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231447; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231445; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231446; rev:1;) alert tcp $HOME_NET any -> [187.135.148.126] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231444; rev:1;) alert tcp $HOME_NET any -> [129.204.53.10] 8081 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; classtype:trojan-activity; sid:91231443; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231442; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231441; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231440; rev:1;) alert tcp $HOME_NET any -> [47.254.233.5] 2096 (msg:"ThreatFox Cobalt 
Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231439; rev:1;) alert tcp $HOME_NET any -> [101.201.46.105] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231438; rev:1;) alert tcp $HOME_NET any -> [180.101.45.84] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231437; rev:1;) alert tcp $HOME_NET any -> [18.217.32.34] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231435; rev:1;) alert tcp $HOME_NET any -> [116.204.24.189] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231436; rev:1;) alert tcp $HOME_NET any -> [62.234.16.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231434/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231434; rev:1;) alert tcp $HOME_NET any -> [47.92.246.30] 18080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231432; rev:1;) alert tcp $HOME_NET any -> [62.234.16.176] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231433; rev:1;) alert tcp $HOME_NET any -> [101.43.46.145] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231431; rev:1;) alert tcp $HOME_NET any -> [47.92.205.12] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231430; rev:1;) alert tcp $HOME_NET any -> [2.58.200.139] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231428; rev:1;) alert tcp $HOME_NET any -> [2.58.200.139] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231429; rev:1;) alert tcp $HOME_NET any -> [101.46.48.24] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231426; rev:1;) alert tcp $HOME_NET any -> [47.92.23.195] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231427; rev:1;) alert tcp $HOME_NET any -> [101.46.48.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231425; rev:1;) alert tcp $HOME_NET any -> [150.158.160.24] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231424; rev:1;) alert tcp $HOME_NET any -> [121.36.209.227] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231422; rev:1;) alert tcp $HOME_NET any -> [59.110.217.41] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231423; rev:1;) alert tcp $HOME_NET any -> [165.22.220.70] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231421; rev:1;) alert tcp $HOME_NET any -> [43.136.71.208] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231420; rev:1;) alert tcp $HOME_NET any -> [8.218.79.11] 8899 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231418; rev:1;) alert tcp $HOME_NET any -> [121.4.67.78] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231419; rev:1;) alert tcp $HOME_NET any -> [23.94.233.96] 10001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231417; rev:1;) alert tcp $HOME_NET any -> [114.55.90.236] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231416; rev:1;) alert tcp $HOME_NET any -> [101.133.148.66] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231415; rev:1;) alert tcp $HOME_NET any -> [110.42.209.75] 881 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231413; rev:1;) alert tcp $HOME_NET any -> [62.106.95.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231414; rev:1;) alert tcp $HOME_NET any -> [185.196.9.234] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231412; rev:1;) alert tcp $HOME_NET any -> [119.91.144.105] 443 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231410; rev:1;) alert tcp $HOME_NET any -> [91.92.245.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231411; rev:1;) alert tcp $HOME_NET any -> [114.55.72.52] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231409; rev:1;) alert tcp $HOME_NET any -> [47.96.67.181] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231408; rev:1;) alert tcp $HOME_NET any -> [45.142.166.24] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231407; rev:1;) alert tcp $HOME_NET any -> [118.31.229.138] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231406/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231406; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231404; rev:1;) alert tcp $HOME_NET any -> [121.196.232.187] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231405; rev:1;) alert tcp $HOME_NET any -> [149.104.23.171] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231403; rev:1;) alert tcp $HOME_NET any -> [139.155.135.131] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231402; rev:1;) alert tcp $HOME_NET any -> [8.219.170.54] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231400; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port 
- confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231401; rev:1;) alert tcp $HOME_NET any -> [107.148.32.236] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231399; rev:1;) alert tcp $HOME_NET any -> [156.224.26.49] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231397; rev:1;) alert tcp $HOME_NET any -> [123.56.217.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231398; rev:1;) alert tcp $HOME_NET any -> [154.90.62.92] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231396; rev:1;) alert tcp $HOME_NET any -> [23.94.208.68] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231395; rev:1;) alert tcp $HOME_NET any -> [43.139.37.252] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231393; rev:1;) alert tcp $HOME_NET any -> [117.72.11.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231394; rev:1;) alert tcp $HOME_NET any -> [45.128.96.186] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zero3.kentest.fyi"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ntc-telecomcorporation.workers.dev"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"mail-depo-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-dgdp-gov-pk.ntc-telecomcorporation.workers.dev"; depth:51; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-hit-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail-paf-gov-pk.ntc-telecomcorporation.workers.dev"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alfalahtransct-bank.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"cloud-ntdc.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e-servicesptclnetpk.servehttp.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"e-supportntc.servehttp.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"financeptcl-govpk.servehttp.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flysmart-piac.servehttp.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"ogdclcloud-mysharep.servehalflife.com"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"services-ptclnetpk.servehttp.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wetransfer.servehttp.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231389; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shiningmoons.org"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.95.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231375; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"101.37.85.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231374; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.79.154.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231373; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"120.79.154.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231372; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.113.185.53"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"175.24.175.59"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1231370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231370; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lib/v2/wcp-consent.js"; depth:22; nocase; http.host; content:"39.100.95.242"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231369; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"185.73.124.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"185.196.9.231"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"185.73.124.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; 
sid:91231366; rev:1;) alert tcp $HOME_NET any -> [45.141.136.133] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kr.i110.fun"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231364; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"kr.i110.fun"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 50%)"; dns_query; content:"saldanha.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231362/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231362; rev:1;) alert tcp $HOME_NET any -> [87.121.87.143] 6696 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"7070bc8.sytes.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"shomyo.secru.it"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231358; rev:1;) alert tcp $HOME_NET any -> [20.49.255.240] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231359; rev:1;) alert tcp $HOME_NET any -> [18.184.122.75] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231357; rev:1;) alert tcp $HOME_NET any -> [45.86.86.197] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231346; rev:1;) alert tcp $HOME_NET any -> [94.103.188.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"45.86.86.197"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231348; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"94.103.188.147"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.27.247.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231355; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231354; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/make/srv/o3xm3qybtz"; depth:20; nocase; http.host; content:"8.130.110.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231352; rev:1;) alert tcp $HOME_NET any -> [8.130.110.101] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231353; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231350; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231345; rev:1;) alert tcp $HOME_NET any -> [42.193.1.241] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231344/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231344; rev:1;) alert tcp $HOME_NET any -> [129.211.31.181] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"129.211.31.181"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231342; rev:1;) alert tcp $HOME_NET any -> [147.124.212.75] 2010 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231341; rev:1;) alert tcp $HOME_NET any -> [130.0.238.42] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231340/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231340; rev:1;) alert tcp $HOME_NET any -> [121.41.99.85] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231339/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231338; rev:1;) alert tcp $HOME_NET any -> [13.248.204.3] 10006 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231337/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231337; rev:1;) alert tcp $HOME_NET any -> [119.160.88.100] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231336/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231336; rev:1;) alert tcp $HOME_NET any -> [92.116.91.237] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231335/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231335; rev:1;) alert tcp $HOME_NET any -> [162.0.222.178] 7443 (msg:"ThreatFox 
Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231334/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231334; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231332/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231332; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231333/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231333; rev:1;) alert tcp $HOME_NET any -> [156.245.11.1] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231331/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231331; rev:1;) alert tcp $HOME_NET any -> [156.245.11.9] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231330/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231330; rev:1;) alert tcp $HOME_NET any -> [156.245.11.9] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231329/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231329; rev:1;) alert tcp $HOME_NET any -> [156.245.11.9] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231328/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231328; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231327/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231327; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231326; rev:1;) alert tcp $HOME_NET any -> [156.245.11.27] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_17; classtype:trojan-activity; sid:91231325; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/telegram/personal/sendmessage.php"; depth:34; nocase; http.host; content:"217.197.107.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231310; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/telegram/pdf/sendmessage.php"; depth:29; nocase; http.host; content:"217.197.107.138"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231311; rev:1;) alert tcp $HOME_NET any -> [217.197.107.138] 80 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f7vkbh7x/index.php"; depth:19; nocase; http.host; content:"87.121.87.199"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_17; classtype:trojan-activity; sid:91231324; rev:1;) alert tcp $HOME_NET any -> [44.31.248.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231323/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231323; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ugopounds/five/fre.php"; depth:23; nocase; http.host; content:"saldanha.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231322/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_17; 
classtype:trojan-activity; sid:91231322; rev:1;) alert tcp $HOME_NET any -> [45.58.35.5] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231321/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231321; rev:1;) alert tcp $HOME_NET any -> [3.22.217.8] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231320/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231320; rev:1;) alert tcp $HOME_NET any -> [194.87.31.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231319/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231319; rev:1;) alert tcp $HOME_NET any -> [185.197.251.134] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231318/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231318; rev:1;) alert tcp $HOME_NET any -> [185.73.124.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231317/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231317; rev:1;) alert tcp $HOME_NET any -> [120.27.131.3] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_17; classtype:trojan-activity; sid:91231316; rev:1;)
alert tcp $HOME_NET any -> [195.154.172.233] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231315; rev:1;)
alert tcp $HOME_NET any -> [103.1.40.217] 9443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231314; rev:1;)
# NOTE(review): sid 91231313 below keys on an RFC 1918 address in the Host header
# (http.host "192.168.126.128"). That looks like a sandbox/analysis artifact rather than a
# reachable C2 host, so the rule is unlikely to match real C2 traffic and is a false-positive
# risk wherever that address is used internally. Review threatfox.abuse.ch/ioc/1231313/ and
# consider disabling this sid before deploying the feed on production sensors.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"192.168.126.128"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231313; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"34.96.149.127"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231309; rev:1;)
alert tcp $HOME_NET any -> [185.113.8.110] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231308; rev:1;) alert tcp $HOME_NET any -> [38.41.53.160] 84 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231307/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231307; rev:1;) alert tcp $HOME_NET any -> [175.178.103.238] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231306/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/attachments/1063900897270304770/1196763302303379496/npp.8.6.portable.x64.zip"; depth:77; nocase; http.host; content:"cdn.discordapp.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mydsv"; depth:6; nocase; http.host; content:"livespoints.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231304; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/sso.dsv.com"; depth:12; nocase; http.host; content:"livespoints.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231303; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/8sjdtu.php"; depth:11; nocase; http.host; content:"thichgiban.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231302; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m1b7o3.php"; depth:11; nocase; http.host; content:"thekostenfamilys.com"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231301; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yv7clr.php"; depth:11; nocase; http.host; content:"multitraders.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231300; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ilw4kl.php"; depth:11; nocase; http.host; content:"kashmirworldwide.com"; depth:20; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1231299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"multitraders.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231296; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thekostenfamilys.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231297; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thichgiban.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kashmirworldwide.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231295; rev:1;) alert tcp $HOME_NET any -> [15.235.166.169] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231294/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231294; rev:1;) alert tcp $HOME_NET any -> [91.92.108.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231293/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231293; rev:1;) alert tcp $HOME_NET any -> [101.43.169.161] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231292/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231292; rev:1;) alert tcp $HOME_NET any -> [3.208.22.29] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231291/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231291; rev:1;) alert tcp $HOME_NET any -> [5.161.223.88] 2101 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231290/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_16; classtype:trojan-activity; sid:91231290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mahadev.loclx.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231287; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"mahadevcarrentals.com"; depth:21; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shriramcarrentals.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shriram.loclx.io"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231289; rev:1;) alert tcp $HOME_NET any -> [179.43.191.162] 51020 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231285; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/polldb.php"; depth:11; nocase; http.host; content:"011781cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231284; rev:1;) alert tcp $HOME_NET any -> [185.242.86.221] 1523 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/f3vn"; depth:5; nocase; http.host; content:"49.235.80.190"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231282/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91231282; rev:1;) alert tcp $HOME_NET any -> [95.216.98.218] 2023 (msg:"ThreatFox Socks5 Systemz botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231281; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wuxiaoyun.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231280; rev:1;) alert tcp $HOME_NET any -> [140.246.157.86] 9091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231279/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"choosetotruck.com"; depth:17; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231276; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d328.net"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231277; rev:1;) alert tcp $HOME_NET any -> [3.120.209.174] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231273; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231274; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"phinetik.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231275; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"8.219.207.66"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231272; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ch341/index.php"; depth:16; nocase; http.host; content:"chr1zx.shop"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231271; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bba-217-165-232-41.alshamil.net.ae"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231270; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tpowe2.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231268; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"europapokal2024.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231269; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"imoneymy.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.farmbilllawenterprise.org"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.hypocrisync.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"www.conferencecenters.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231263; rev:1;) alert tcp $HOME_NET any -> [54.72.169.192] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231261; rev:1;) alert tcp $HOME_NET any -> [145.131.30.136] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231262; rev:1;) alert tcp $HOME_NET any -> [45.56.92.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231260; rev:1;) alert tcp $HOME_NET any -> [168.80.175.40] 5443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231259; rev:1;) alert tcp $HOME_NET any -> [203.154.83.176] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231258/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91231258; rev:1;) alert tcp $HOME_NET any -> [47.242.159.138] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231257; rev:1;) alert tcp $HOME_NET any -> [52.169.125.63] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231256; rev:1;) alert tcp $HOME_NET any -> [4.180.77.220] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231255; rev:1;) alert tcp $HOME_NET any -> [203.154.83.98] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231254; rev:1;) alert tcp $HOME_NET any -> [43.136.65.119] 666 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231253; rev:1;) alert tcp $HOME_NET any -> [3.7.46.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231251; rev:1;) alert tcp $HOME_NET any -> [34.72.168.221] 1967 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231252; rev:1;) alert tcp $HOME_NET any -> [54.210.42.239] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231250; rev:1;) alert tcp $HOME_NET any -> [167.99.223.18] 33334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231249; rev:1;) alert tcp $HOME_NET any -> [103.82.227.138] 9205 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231248; rev:1;) alert tcp $HOME_NET any -> [31.223.68.157] 82 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231247; rev:1;) alert tcp $HOME_NET any -> [191.104.11.30] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231246; rev:1;) alert tcp $HOME_NET any -> [20.117.170.132] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231245; rev:1;) alert tcp $HOME_NET any -> [46.36.40.36] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231244; rev:1;) alert tcp $HOME_NET any -> [4.227.224.67] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231242; rev:1;) alert tcp $HOME_NET any -> [65.108.89.108] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231243; rev:1;) alert tcp $HOME_NET any -> [15.206.159.65] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231241; rev:1;) alert tcp $HOME_NET any -> [3.88.124.52] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231240; rev:1;) alert tcp $HOME_NET any -> [20.224.167.144] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231238; rev:1;) alert tcp $HOME_NET any -> [62.171.136.162] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231239; rev:1;) alert tcp $HOME_NET any -> [20.224.167.144] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231237; rev:1;) alert tcp $HOME_NET any -> [195.133.13.135] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231236; 
rev:1;) alert tcp $HOME_NET any -> [78.22.49.175] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231235; rev:1;) alert tcp $HOME_NET any -> [173.249.54.226] 49166 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231234; rev:1;) alert tcp $HOME_NET any -> [74.234.17.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231233; rev:1;) alert tcp $HOME_NET any -> [13.246.184.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231232; rev:1;) alert tcp $HOME_NET any -> [159.146.122.238] 82 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231230; rev:1;) alert tcp $HOME_NET any -> [149.102.128.54] 3334 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1231231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231231; rev:1;) alert tcp $HOME_NET any -> [34.42.185.243] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231229; rev:1;) alert tcp $HOME_NET any -> [43.139.177.244] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231228; rev:1;) alert tcp $HOME_NET any -> [87.6.251.191] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231227; rev:1;) alert tcp $HOME_NET any -> [20.185.229.32] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231226; rev:1;) alert tcp $HOME_NET any -> [23.99.78.182] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231225; rev:1;) alert tcp $HOME_NET any -> 
[68.183.229.230] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231224; rev:1;) alert tcp $HOME_NET any -> [3.21.50.171] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231223; rev:1;) alert tcp $HOME_NET any -> [13.80.100.219] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231222; rev:1;) alert tcp $HOME_NET any -> [34.203.222.198] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231221; rev:1;) alert tcp $HOME_NET any -> [103.149.177.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231219; rev:1;) alert tcp $HOME_NET any -> [3.77.146.252] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231220; rev:1;) alert tcp $HOME_NET any -> [45.56.92.137] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231218; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"play.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.recruiterteams.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231217; rev:1;) alert tcp $HOME_NET any -> [220.173.26.16] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231215; rev:1;) alert tcp $HOME_NET any -> [154.201.65.207] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231214; 
rev:1;) alert tcp $HOME_NET any -> [103.228.108.247] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231213; rev:1;) alert tcp $HOME_NET any -> [167.88.170.114] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231211; rev:1;) alert tcp $HOME_NET any -> [163.197.217.172] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231212; rev:1;) alert tcp $HOME_NET any -> [8.137.102.7] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231210; rev:1;) alert tcp $HOME_NET any -> [47.94.56.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231209; rev:1;) alert tcp $HOME_NET any -> [74.48.184.88] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231208; rev:1;) alert tcp $HOME_NET any -> [193.222.96.183] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231207; rev:1;) alert tcp $HOME_NET any -> [193.222.96.183] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231206; rev:1;) alert tcp $HOME_NET any -> [64.23.168.181] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231205; rev:1;) alert tcp $HOME_NET any -> [122.169.90.181] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231204; rev:1;) alert tcp $HOME_NET any -> [24.199.71.49] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231203; rev:1;) alert tcp $HOME_NET any -> 
[141.98.7.8] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231202; rev:1;) alert tcp $HOME_NET any -> [119.6.239.18] 888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231201; rev:1;) alert tcp $HOME_NET any -> [23.224.85.39] 8888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231200; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-87-191-236.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231199; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"77.105.146.152.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231198; rev:1;) alert tcp $HOME_NET any -> [154.201.75.13] 8082 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231197; rev:1;) alert tcp $HOME_NET any -> [82.64.91.111] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231195; rev:1;) alert tcp $HOME_NET any -> [45.83.123.169] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231196; rev:1;) alert tcp $HOME_NET any -> [94.156.65.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231194; rev:1;) alert tcp $HOME_NET any -> [94.156.65.54] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231193; rev:1;) alert tcp $HOME_NET any -> [193.233.132.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231192; rev:1;) alert tcp $HOME_NET any -> 
[185.196.8.93] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231191; rev:1;) alert tcp $HOME_NET any -> [52.161.69.114] 3389 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231190; rev:1;) alert tcp $HOME_NET any -> [193.233.255.253] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231189; rev:1;) alert tcp $HOME_NET any -> [194.36.177.30] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231188; rev:1;) alert tcp $HOME_NET any -> [61.92.130.64] 2053 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231187; rev:1;) alert tcp $HOME_NET any -> [144.24.156.3] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231186/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231186; rev:1;) alert tcp $HOME_NET any -> [154.39.152.134] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231184; rev:1;) alert tcp $HOME_NET any -> [194.33.191.245] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231185; rev:1;) alert tcp $HOME_NET any -> [85.209.176.48] 5000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231183; rev:1;) alert tcp $HOME_NET any -> [194.33.191.171] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.berkeleyisyou.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"www.kesselfoodmarket.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231180; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"whoami.cy-security.de"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231179; rev:1;) alert tcp $HOME_NET any -> [185.161.209.202] 29185 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231178; rev:1;) alert tcp $HOME_NET any -> [87.138.218.214] 47000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231177; rev:1;) alert tcp $HOME_NET any -> [191.82.214.147] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231175; rev:1;) alert tcp $HOME_NET any -> [173.249.3.15] 8443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231176/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231176; rev:1;) alert tcp $HOME_NET any -> [103.71.154.60] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231173; rev:1;) alert tcp $HOME_NET any -> [186.222.176.105] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231174; rev:1;) alert tcp $HOME_NET any -> [95.181.151.119] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231171; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"spacestar.su"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231172; rev:1;) alert tcp $HOME_NET any -> [82.115.223.84] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231170; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"vasvasniks6.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231169; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suivre-mon-colis.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231167; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"track-my-parcel.org"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231168; rev:1;) alert tcp $HOME_NET any -> [91.224.92.211] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231165; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-c-clk.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231166; rev:1;) alert tcp $HOME_NET any -> [91.224.92.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231164/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231164; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"htmljys.morebit.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jadu.vip"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231161; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpv.xj6.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231162; rev:1;) alert tcp $HOME_NET any -> [154.204.60.236] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231159; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"muoujiejump2.sbs"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231160; rev:1;) alert tcp $HOME_NET any -> [91.92.255.110] 80 (msg:"ThreatFox Hook 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231158; rev:1;) alert tcp $HOME_NET any -> [82.146.35.250] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231157; rev:1;) alert tcp $HOME_NET any -> [54.151.255.201] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231155; rev:1;) alert tcp $HOME_NET any -> [104.243.248.73] 8088 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231156; rev:1;) alert tcp $HOME_NET any -> [91.107.127.141] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231154; rev:1;) alert tcp $HOME_NET any -> [23.224.102.158] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; 
sid:91231153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.159-89-8-28.cprapid.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231152; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231150; rev:1;) alert tcp $HOME_NET any -> [94.130.130.51] 66 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231151; rev:1;) alert tcp $HOME_NET any -> [45.126.209.4] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231149; rev:1;) alert tcp $HOME_NET any -> [104.131.167.132] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231148; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1231146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231146; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231147; rev:1;) alert tcp $HOME_NET any -> [185.81.157.152] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231145; rev:1;) alert tcp $HOME_NET any -> [185.81.157.119] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231144; rev:1;) alert tcp $HOME_NET any -> [91.109.188.6] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231143; rev:1;) alert tcp $HOME_NET any -> [80.79.7.197] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231142; rev:1;) alert tcp $HOME_NET any -> [186.168.66.85] 2404 
(msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231140; rev:1;) alert tcp $HOME_NET any -> [186.168.66.85] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231141; rev:1;) alert tcp $HOME_NET any -> [187.24.12.179] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231139; rev:1;) alert tcp $HOME_NET any -> [89.148.48.240] 443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231137; rev:1;) alert tcp $HOME_NET any -> [103.195.103.138] 5555 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231138; rev:1;) alert tcp $HOME_NET any -> [194.213.3.123] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231136/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91231136; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231135/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231135; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231133/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231133; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231134/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231134; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231132/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231132; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231130/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231130; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1231131/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231131; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231129/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231129; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231127/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231127; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231128/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231128; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231126/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231126; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231124/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231124; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8002 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231125/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231125; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231123/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231123; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231121/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231121; rev:1;) alert tcp $HOME_NET any -> [124.70.98.249] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231122/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231122; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231120/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231120; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231119/; target:src_ip; metadata: confidence_level 90, first_seen 
2024_01_16; classtype:trojan-activity; sid:91231119; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231117/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231117; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231118/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231118; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231116/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231116; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231114/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231114; rev:1;) alert tcp $HOME_NET any -> [124.70.0.94] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231115/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231115; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231113/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231113; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231112/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231112; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231110/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231110; rev:1;) alert tcp $HOME_NET any -> [139.159.146.137] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231111/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231111; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231109/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231109; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231107/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231107; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8002 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231108/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231108; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231106/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231106; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231104/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231104; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231105/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231105; rev:1;) alert tcp $HOME_NET any -> [124.71.222.120] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231103/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231103; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231102/; target:src_ip; metadata: confidence_level 90, first_seen 
2024_01_16; classtype:trojan-activity; sid:91231102; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231100/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231100; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231101/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231101; rev:1;) alert tcp $HOME_NET any -> [139.9.180.3] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231099/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231099; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231098/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231098; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231097/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231097; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231095/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231095; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231096/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231096; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231094/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231094; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231092/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231092; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231093/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231093; rev:1;) alert tcp $HOME_NET any -> [139.9.41.174] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231091/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231091; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8005 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231090/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231090; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231089/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231089; rev:1;) alert tcp $HOME_NET any -> [124.71.218.160] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231088/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231088; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231086/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231086; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231087/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231087; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231084/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231084; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231085/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231085; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231083/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231083; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231082/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231082; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231081/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231081; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231079/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231079; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231080/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231080; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231077/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231077; rev:1;) alert tcp $HOME_NET any -> [5.252.178.189] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231078/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231078; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231076/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231076; rev:1;) alert tcp $HOME_NET any -> [120.46.66.113] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231075/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231075; rev:1;) alert tcp $HOME_NET any -> [103.91.64.204] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231074/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231074; rev:1;) alert tcp $HOME_NET any -> [1.92.75.200] 8000 (msg:"ThreatFox ShadowPad 
botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231072/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231072; rev:1;) alert tcp $HOME_NET any -> [103.91.64.204] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231073/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231073; rev:1;) alert tcp $HOME_NET any -> [1.92.91.219] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231071/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231071; rev:1;) alert tcp $HOME_NET any -> [35.161.176.76] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231070/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231070; rev:1;) alert tcp $HOME_NET any -> [209.151.148.66] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231069/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231069; rev:1;) alert tcp $HOME_NET any -> [206.189.106.153] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231068/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231068; rev:1;) alert tcp $HOME_NET any -> [44.220.45.98] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231067/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231067; rev:1;) alert tcp $HOME_NET any -> [159.75.120.80] 3389 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231066/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231066; rev:1;) alert tcp $HOME_NET any -> [18.170.56.163] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231065/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_16; classtype:trojan-activity; sid:91231065; rev:1;) alert tcp $HOME_NET any -> [152.238.69.117] 8888 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231064; rev:1;) alert tcp $HOME_NET any -> [105.102.73.65] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231063; rev:1;) alert tcp $HOME_NET any -> [101.43.129.115] 30016 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1231062/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91231062; rev:1;) alert tcp $HOME_NET any -> [103.233.11.162] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231061; rev:1;) alert tcp $HOME_NET any -> [5.226.48.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231060; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231059; rev:1;) alert tcp $HOME_NET any -> [114.55.131.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231058; rev:1;) alert tcp $HOME_NET any -> [3.1.204.121] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231057; rev:1;) alert tcp $HOME_NET any -> [20.205.136.186] 2096 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231056; rev:1;) alert tcp $HOME_NET any -> [113.250.188.15] 8886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231055; rev:1;) alert tcp $HOME_NET any -> [121.40.175.169] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231054; rev:1;) alert tcp $HOME_NET any -> [165.22.217.13] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231053; rev:1;) alert tcp $HOME_NET any -> [103.146.179.78] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231051; rev:1;) alert tcp $HOME_NET any -> [3.142.167.4] 12644 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231052/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231052; rev:1;) alert tcp $HOME_NET any -> [20.127.240.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231050; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231049; rev:1;) alert tcp $HOME_NET any -> [165.22.209.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231048; rev:1;) alert tcp $HOME_NET any -> [82.157.17.230] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231047; rev:1;) alert tcp $HOME_NET any -> [175.178.8.109] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231046; rev:1;) alert tcp $HOME_NET any -> [47.97.71.72] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231044; rev:1;) alert tcp $HOME_NET any -> [220.163.125.38] 5678 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231045; rev:1;) alert tcp $HOME_NET any -> [121.4.50.245] 801 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231043; rev:1;) alert tcp $HOME_NET any -> [101.43.252.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231041; rev:1;) alert tcp $HOME_NET any -> [165.22.220.70] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231042; rev:1;) alert tcp $HOME_NET any -> [1.94.38.123] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; 
classtype:trojan-activity; sid:91231040; rev:1;) alert tcp $HOME_NET any -> [39.108.142.219] 64412 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231038; rev:1;) alert tcp $HOME_NET any -> [154.12.88.29] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231039; rev:1;) alert tcp $HOME_NET any -> [101.200.84.39] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231037; rev:1;) alert tcp $HOME_NET any -> [107.151.246.214] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231035; rev:1;) alert tcp $HOME_NET any -> [45.76.76.58] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231036; rev:1;) alert tcp $HOME_NET any -> [107.151.246.214] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231034; rev:1;) alert tcp $HOME_NET any -> [165.22.222.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231032; rev:1;) alert tcp $HOME_NET any -> [185.196.9.231] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231033; rev:1;) alert tcp $HOME_NET any -> [107.172.157.199] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231031; rev:1;) alert tcp $HOME_NET any -> [149.88.70.64] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231029; rev:1;) alert tcp $HOME_NET any -> [149.88.70.64] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231030; rev:1;) alert tcp 
$HOME_NET any -> [38.207.165.215] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231028; rev:1;) alert tcp $HOME_NET any -> [165.22.211.22] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231027; rev:1;) alert tcp $HOME_NET any -> [8.210.236.92] 5678 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231026; rev:1;) alert tcp $HOME_NET any -> [164.90.184.252] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231024; rev:1;) alert tcp $HOME_NET any -> [103.150.10.15] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231025; rev:1;) alert tcp $HOME_NET any -> [120.48.58.156] 3386 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1231023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231023; rev:1;) alert tcp $HOME_NET any -> [91.92.255.227] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231022; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-zap816639-7.zap-srv.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231021; rev:1;) alert tcp $HOME_NET any -> [98.66.154.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231020; rev:1;) alert tcp $HOME_NET any -> [8.134.192.169] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231018; rev:1;) alert tcp $HOME_NET any -> [45.11.46.63] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231019; rev:1;) alert tcp $HOME_NET any -> 
[43.139.91.52] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231017; rev:1;) alert tcp $HOME_NET any -> [38.207.178.41] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231016; rev:1;) alert tcp $HOME_NET any -> [123.60.168.6] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231015; rev:1;) alert tcp $HOME_NET any -> [141.11.136.124] 3306 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231014; rev:1;) alert tcp $HOME_NET any -> [39.103.146.246] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231012; rev:1;) alert tcp $HOME_NET any -> [54.152.134.141] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231013/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231013; rev:1;) alert tcp $HOME_NET any -> [150.158.144.112] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231011; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-43-204-108-99.ap-south-1.compute.amazonaws.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231010; rev:1;) alert tcp $HOME_NET any -> [46.246.82.163] 7045 (msg:"ThreatFox Vjw0rm botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231009; rev:1;) alert tcp $HOME_NET any -> [107.150.7.246] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231008/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91231008; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231006/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bvvdi136-1317500845.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1231007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cachewebspace.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230996; rev:1;) alert tcp $HOME_NET any -> [51.81.69.81] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230997; rev:1;) alert tcp $HOME_NET any -> [88.119.175.241] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230998; rev:1;) alert tcp $HOME_NET any -> [89.208.107.232] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230999; rev:1;) alert tcp $HOME_NET any -> [173.44.141.79] 443 (msg:"ThreatFox 
FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231000; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"123.20.56.214"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231004; rev:1;) alert tcp $HOME_NET any -> [123.207.56.214] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1231005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231005; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.130.60.49"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; 
sid:91231002; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1231001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91231001; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"privatebankinghsbc.blogspot.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"privatebankinghsbc.blogspot.com"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230994; rev:1;) alert tcp $HOME_NET any -> [80.92.204.226] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230993/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230993; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"chaseonlineprivatebanking.blogspot.com"; depth:38; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230991; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"chaseonlineprivatebanking.blogspot.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230992; rev:1;) alert tcp $HOME_NET any -> [34.147.142.69] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230990/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.236.244.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230988; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230987; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"newstatisc.googleinfo.se"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230986; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230985; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230984; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230983; rev:1;) alert tcp $HOME_NET any -> [111.229.187.212] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230982; rev:1;) alert tcp $HOME_NET any -> [115.135.103.166] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230981/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230981; rev:1;) alert tcp $HOME_NET any -> [185.73.124.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230980/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"185.234.216.102"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230969/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230969; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.com"; depth:23; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1230970/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230970; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230971/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230971; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmas.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230972/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230972; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistan.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230973/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230973; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistan.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230974/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_16; classtype:trojan-activity; sid:91230974; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.xyz"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230975; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230976/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogi0ngqwmdlmmduz/"; depth:18; nocase; http.host; content:"cstmsklmnaopstrlmasistans.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230977/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230977; rev:1;) alert tcp $HOME_NET any -> [54.200.228.98] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230979; rev:1;) alert tcp $HOME_NET any -> [110.43.34.176] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230978; rev:1;) alert tcp $HOME_NET any -> [95.217.243.230] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230966; rev:1;) alert tcp $HOME_NET any -> [159.69.102.168] 7575 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230967; rev:1;) alert tcp $HOME_NET any -> [65.21.187.53] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230968; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199612212584"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230965; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lve24v"; depth:7; nocase; http.host; content:"t.me"; 
depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230964; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.187.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230963; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"159.69.102.168"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230962; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.243.230"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230961; rev:1;) alert tcp $HOME_NET any -> [118.221.65.69] 3460 (msg:"ThreatFox Poison Ivy botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230960/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230960; rev:1;) alert tcp $HOME_NET any -> [172.93.222.149] 8809 (msg:"ThreatFox Ave Maria botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230959; rev:1;) alert tcp $HOME_NET any -> [34.96.149.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230958/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230958; rev:1;) alert tcp $HOME_NET any -> [3.70.47.231] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230957/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230957; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/e50ac16f7b113954.php"; depth:21; nocase; http.host; content:"149.255.35.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230956; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tradein-myus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230955/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230955; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trade-inmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230954/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230954; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"trad-einmyus.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230953/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_16; classtype:trojan-activity; sid:91230953; rev:1;) alert tcp $HOME_NET any -> [175.24.175.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230952/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_16; classtype:trojan-activity; sid:91230952; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dd341/index.php"; depth:16; nocase; http.host; content:"ddbl.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_16; classtype:trojan-activity; sid:91230951; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4async/windows/packetvideo_/geopollphp/40/protecttrackdownloads/wordpress4packet/linux7/protect/apiprotectbasewp/temporary8asyncauth/eternalphppacketgeoupdateflowerdownloads.php"; depth:178; 
nocase; http.host; content:"89.185.84.52"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230950; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/720/game/centralprovider/toupdatedefault.php"; depth:45; nocase; http.host; content:"176.123.168.238"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230949; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0899768.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230948; rev:1;) alert tcp $HOME_NET any -> [41.99.178.129] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230947/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230947; rev:1;) alert tcp $HOME_NET any -> [83.22.228.184] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230946/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230946; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"scorelineupdate.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230939; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.127"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230940; rev:1;) alert tcp $HOME_NET any -> [109.107.182.26] 14895 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230942; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"phinetik.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230944; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.199"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230945/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:trojan-activity; sid:91230945; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 13904 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230943; rev:1;) alert tcp $HOME_NET any -> [45.95.169.102] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230941/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230941; rev:1;) alert tcp $HOME_NET any -> [61.19.254.6] 8091 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230927; rev:1;) alert tcp $HOME_NET any -> [154.53.52.33] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vortexlab.azure-api.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230930; rev:1;) alert tcp $HOME_NET any -> [77.83.246.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230931; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/v2/login"; depth:13; nocase; http.host; content:"vortexlab.azure-api.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230932; rev:1;) alert tcp $HOME_NET any -> [165.22.209.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230933; rev:1;) alert tcp $HOME_NET any -> [165.22.217.13] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230934; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"165.22.209.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230935; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"165.22.220.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230937; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"165.22.209.89"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230936; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"165.22.220.70"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230938; rev:1;) alert tcp $HOME_NET any -> [124.220.224.87] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230929/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230929; rev:1;) alert tcp $HOME_NET any -> [95.217.55.214] 28306 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230926; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/getit"; depth:10; nocase; http.host; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230924; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-bauue492-1309306755.gz.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230925; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"3.89.126.230"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.120.46.210"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"23.224.61.51"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"182.92.216.171"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230920; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.92.219.221"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230919; rev:1;) alert tcp $HOME_NET any -> [175.178.23.244] 8044 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230916; rev:1;) alert tcp $HOME_NET any -> [1.14.28.172] 9088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/31dd08d447d463d4.php"; depth:21; nocase; http.host; content:"77.105.132.229"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230918; rev:1;) alert tcp $HOME_NET any -> [149.88.80.30] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230915; rev:1;) alert tcp $HOME_NET any -> [3.89.126.230] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230910; rev:1;) alert tcp $HOME_NET any -> [40.124.87.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230912; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230913; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/cx"; depth:3; nocase; http.host; content:"40.124.87.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230914; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230911; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lz4.tiktok123.life"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230909; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/b17/fre.php"; depth:12; nocase; http.host; content:"sempersim.su"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230908/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230908; rev:1;) alert tcp $HOME_NET any -> [193.142.59.209] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230907; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230906; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.94.221.227"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230905; rev:1;) alert tcp $HOME_NET any -> [176.31.21.3] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230904/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230904; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpythonsqllinuxwordpresslocaltemptemporary.php"; depth:48; nocase; http.host; content:"009788cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"af31462241.little574.dog"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230736/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_15; classtype:bad-unknown; sid:91230736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ad83067819.politician407.cc"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ah24319910.little574.dog"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ah48793979.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ak14365841.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ax82528484.paste518.cyou"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230740; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bi77461158.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bp61431860.weekend956.agency"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230742; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bq20940184.hole579.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230743; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bz56223611.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ca70104711.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230745; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming 
(domain - confidence level: 100%)"; dns_query; content:"cg26555208.temple357.careers"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230746; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ch27390466.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230747; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ck36970538.keep822.cam"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230748; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ck38055632.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cq69947833.laugh687.delivery"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"cx51318470.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230751; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dc30117151.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230752; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dk13597652.block714.mobi"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230753; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dp26034124.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230754; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ds88277251.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230755; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"eba18.ffox.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1230756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230756; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ef27127706.door111.network"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ei23992012.passenger210.bar"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"em89206696.arch535.industries"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"em92287661.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"eu20976880.bit681.center"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230761/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230761; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fb28343398.temple321.bar"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230762; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fd76829342.depth305.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230763; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fn22214993.hinder799.cyou"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230764; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fp8565340.temple321.bar"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230765; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fz19876324.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230766; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fz97829124.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230767; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gk66765425.hole579.info"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230768; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gq77935519.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230769; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gq97717721.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230770; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gz52395619.weekend956.agency"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230771; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit 
card skimming (domain - confidence level: 100%)"; dns_query; content:"hw27367815.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230772; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hz86232397.mnvps.live"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230773; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ic10353896.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230774; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"it38469760.passenger210.bar"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230775/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230775; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"iv20033491.she583.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230776; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"iz83661546.fasten466.golf"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230777; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jd56933392.hand995.camp"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230778; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kd37039685.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230779; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kh40424217.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230780; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kp96190005.laugh687.delivery"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230781; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"kw2199162.hand995.camp"; depth:22; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1230782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ky72778169.nothing536.loan"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"li75628279.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lp37095324.reduction925.cc"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230785; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lu37005322.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ma16394068.arch535.industries"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230787/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"my49898597.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230788; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"na98470849.severe373.asia"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230789; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nd11950863.bind853.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ne13599891.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230791; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ng79410170.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; 
sid:91230792; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nj42584278.salt204.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230793; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ns13102412.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230794; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"oj83725790.hinder799.cyou"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230795; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"op10194629.mn-vps.art"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"op89216989.flavor540.info"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230797; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit 
card skimming (domain - confidence level: 100%)"; dns_query; content:"oq67557328.depth305.digital"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pe3839026.subject403.quest"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ox42878257.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230799; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pd87452203.listen884.digital"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230800; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pj69707064.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230802; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"profiyou.ffox.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230803; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"pt30120535.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230804; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qd94153140.operator595.city"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230805; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qi32775626.subject403.quest"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qi85741768.bus527.cfd"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230807; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"qx13279925.subject403.quest"; depth:27; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1230808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230808; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ra78188285.bind853.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230809; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ru35757716.supper728.gifts"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230810; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"rw2678233.hole579.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230811; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"rx74588942.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230812; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sam2ur5.ffox.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230813/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230813; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"sr43121329.bit681.center"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230814; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"td53771365.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230815; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"to82078409.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230816; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tu60621748.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230817; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tx11121533.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230818; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tz3839388.little574.dog"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230819/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230819; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"u8vaaaa.ffox.site"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230820/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230820; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"uh42219679.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230821/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"un5.ffox.site"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"um67804342.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230822; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence 
level: 100%)"; dns_query; content:"un11z.ffox.site"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230823; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"unitcapervhost67405.lowhost.ru"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"up47852607.earn454.live"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230826; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ve19ve.ffox.site"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vn44479387.party257.engineer"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vo99726097.hand995.camp"; depth:23; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230829; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"vz61763422.permanent875.center"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230830; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wa17139521.paste518.cyou"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"walltraf.ffox.site"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wh71712897.blind227.boutique"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wi70718111.follow707.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230834/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230834; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wp9127968.flavor540.info"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230835; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wz62802319.temple357.careers"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230836; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"wz91076974.composition375.digital"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230837/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230837; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"xc50801004.mnvps.info"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230838; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"xp23013920.frighten164.men"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:bad-unknown; sid:91230839; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yf99616650.fasten466.golf"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230840; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yg89130451.literature539.space"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230841; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yh70522246.wide227.dog"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ym97779850.circle504.shop"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cloud-info.click"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230878; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"yp29618907.slavery588.biz"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"data-stat.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230879; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.micspanel.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230880; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"cdn.omapapi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230881; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"static.extenmap.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230882; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"static.leadfeedssl.com"; 
depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230883; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"web.heapstatic.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230884; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jquery-on.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"webstatics.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230886; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"checkout-cdn.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230887; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gtagagent.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230888/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230888; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqueurystatic.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230889; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230890; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.store"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230891; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"doogle-analytics.site"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230892; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cdn.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230893; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-min.store"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230894; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-checker.store"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230895; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-rest.store"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230896; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cloud-min.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230897; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"jqbs-cloud-cdn.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230898; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"shipping-manager.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230899; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"checkout-cdn.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230900; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tracker.web-cockpit.jp"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230901; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230902; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"zi30717909.war740.engineer"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230845; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"politician407.cc"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230847; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"zv3305370.weekend956.agency"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230846; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"little574.dog"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230848; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"paste518.cyou"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230849; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"weekend956.agency"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230850; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hole579.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; 
sid:91230851; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"temple357.careers"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"party257.engineer"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230852; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"operator595.city"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230854; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"keep822.cam"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230855; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"laugh687.delivery"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 
100%)"; dns_query; content:"wide227.dog"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"ffox.site"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230858; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"arch535.industries"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bit681.center"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230860; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hinder799.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230861; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"circle504.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230862; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"severe373.asia"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mnvps.live"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230864; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"she583.info"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230865; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"fasten466.golf"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230866; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hand995.camp"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230867; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"nothing536.loan"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230868; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230869; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"flavor540.info"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230870; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"listen884.digital"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230871; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"subject403.quest"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230872; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"lowhost.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230873; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"permanent875.center"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230874; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"composition375.digital"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230875; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mnvps.info"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230876; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"frighten164.men"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:bad-unknown; sid:91230877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cleanlogo/index.php"; depth:20; nocase; http.host; 
content:"94.156.65.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"colorschemeas.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"call.colorschemeas.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230733; rev:1;) alert tcp $HOME_NET any -> [193.233.74.8] 37369 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230731; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"1.12.231.99"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; 
nocase; http.host; content:"8.130.116.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"8.130.116.89"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"20.196.198.116"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230726; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"cs.xcb.one"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/preload"; depth:8; nocase; http.host; content:"144.217.252.172"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230725/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.115.203.204"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230724; rev:1;) alert tcp $HOME_NET any -> [142.202.190.140] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230723; rev:1;) alert tcp $HOME_NET any -> [65.109.241.139] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230720; rev:1;) alert tcp $HOME_NET any -> [65.109.240.203] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230721; rev:1;) alert tcp $HOME_NET any -> [128.140.123.120] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.240.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230718; rev:1;) alert tcp $HOME_NET any -> [116.202.0.196] 10220 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.123.120"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.241.139"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230716; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.0.196"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230715/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230715; rev:1;) alert tcp $HOME_NET any -> [91.92.242.184] 2602 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230714/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230714; rev:1;) alert tcp $HOME_NET any -> [91.92.242.184] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230713/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230713; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 62984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"106.55.199.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"106.55.199.146"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230710/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_15; classtype:trojan-activity; sid:91230710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"103.239.247.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230707; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"101.43.46.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"101.43.46.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230703; rev:1;) alert tcp $HOME_NET any -> [103.148.202.10] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230702; rev:1;) alert tcp $HOME_NET any -> [103.148.202.12] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230701; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mht_image/"; depth:11; nocase; http.host; content:"success.165gov.cyou"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.42.172.78"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230698; rev:1;) alert tcp $HOME_NET any -> [8.209.65.99] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230697; rev:1;) alert tcp $HOME_NET any -> [47.120.46.210] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230696/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; 
classtype:trojan-activity; sid:91230696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902645.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230695; rev:1;) alert tcp $HOME_NET any -> [91.92.249.113] 21076 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230694; rev:1;) alert tcp $HOME_NET any -> [109.234.34.210] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230693/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_15; classtype:trojan-activity; sid:91230693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.16.39.253"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230692; rev:1;) alert tcp $HOME_NET any -> [91.92.254.40] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; 
classtype:trojan-activity; sid:91230691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/40d570f44e84a454.php"; depth:21; nocase; http.host; content:"185.172.128.24"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"event.coachgreb.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230670; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"coachgreb.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230671; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"51.81.69.81"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"ficinity.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230673; rev:1;) alert tcp $HOME_NET any -> [54.190.125.162] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230689; rev:1;) alert tcp $HOME_NET any -> [182.92.216.171] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230688; rev:1;) alert tcp $HOME_NET any -> [23.224.61.51] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230687/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230687; rev:1;) alert tcp $HOME_NET any -> [111.241.144.169] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230686/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_15; classtype:trojan-activity; sid:91230686; rev:1;) alert tcp $HOME_NET any -> [34.211.241.194] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230685/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/lx341/index.php"; depth:16; nocase; http.host; content:"lxbn.shop"; depth:9; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7493c28b.php"; depth:13; nocase; http.host; content:"a0904877.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230683; rev:1;) alert tcp $HOME_NET any -> [94.156.64.207] 1337 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230682; rev:1;) alert tcp $HOME_NET any -> [3.89.126.230] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230681/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_15; classtype:trojan-activity; sid:91230681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"101.201.46.105"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1230680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumpeternal/videosecureprocessprocessorwindowsasyncdlelocal.php"; depth:64; nocase; http.host; content:"82.97.243.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_15; classtype:trojan-activity; sid:91230679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cm65543.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230678; rev:1;) alert tcp $HOME_NET any -> [92.246.136.222] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230677/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230677; rev:1;) alert tcp $HOME_NET any -> [195.20.16.224] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230676; rev:1;) alert tcp $HOME_NET any -> [193.233.255.122] 2314 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230675; rev:1;) alert tcp $HOME_NET any -> [213.57.235.107] 10134 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230674/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230674; rev:1;) alert tcp $HOME_NET any -> [94.249.3.0] 6565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230669; rev:1;) alert tcp $HOME_NET any -> [94.49.28.52] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230668/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230668; rev:1;) alert tcp $HOME_NET any -> [37.186.54.251] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230667/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230667; rev:1;) alert tcp $HOME_NET any -> [37.210.244.83] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230666/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230666; rev:1;) alert tcp $HOME_NET any -> 
[152.18.160.130] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230665/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230665; rev:1;) alert tcp $HOME_NET any -> [209.73.143.227] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230664/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230664; rev:1;) alert tcp $HOME_NET any -> [3.25.93.101] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230663/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230663; rev:1;) alert tcp $HOME_NET any -> [120.132.83.136] 6443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230662/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230662; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0906284.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230661; rev:1;) alert tcp $HOME_NET any -> [93.44.164.107] 6024 (msg:"ThreatFox LimeRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230660; rev:1;) alert tcp $HOME_NET any -> [47.108.175.149] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230659/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230659; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linecpubigloadmultidblinuxasyncuniversaldatalifedownloads.php"; depth:62; nocase; http.host; content:"837565cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230658; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/privatetrack/6voiddbprivate/877image/polllinuxwp.php"; depth:53; nocase; http.host; content:"188.120.226.211"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230657; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fooddrinks.cc"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230656; rev:1;) alert tcp $HOME_NET any -> [38.242.201.250] 3790 (msg:"ThreatFox 
Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230655/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thinkvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"uniquevncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230617; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"suitevncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teamvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smartvncvbnxc.website"; depth:21; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simplevncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paintvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"royalvncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowvncvbnxc.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ourvncvbnxc.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230609/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nhasachlaocai.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbdasfhdsfdshgiksd.shop"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ilikefggfdbvcbvcbc.online"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lodgevncvbnxc.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"accuratevncvbnxc.website"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230599; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dichvuhp.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"epicvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bestofvncvbnxc.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clubvncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230601; rev:1;) alert tcp $HOME_NET any -> [138.201.8.186] 8001 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230597; rev:1;) alert tcp $HOME_NET any -> [23.88.71.29] 8000 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230598; rev:1;) alert tcp $HOME_NET any -> [138.201.8.186] 8000 (msg:"ThreatFox DUCKTAIL botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230596; rev:1;) alert tcp $HOME_NET any -> [149.248.18.142] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230586; rev:1;) alert tcp $HOME_NET any -> [213.248.43.127] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230589; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230587; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230588; rev:1;) alert tcp $HOME_NET any -> [149.88.75.218] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230590; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"trustihkl.lol"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230592; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230593; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 18443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230594; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.micrcscft-store.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230595; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"virtualvncvbnxc.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcappeal.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcbox.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxccafe.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230621; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcexpertise.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230622/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_14; classtype:trojan-activity; sid:91230622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcfaq.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcfast.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcgenius.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcgiant.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxchero.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcmd.website"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcnatural.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcoffer.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcpraise.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230631; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcright.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"vncvbnxcsave.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcseeker.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcsizable.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcsoup.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcthrilling.website"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcvalue.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1230638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcwhiz.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vncvbnxcxchange.website"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wikivncvbnxc.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cookie.dichvuhp.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230642; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"maixunkeji.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230646/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_14; classtype:trojan-activity; sid:91230646; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230647; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.106.74.90"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230648; rev:1;) alert tcp $HOME_NET any -> [128.199.71.62] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230654/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230654; rev:1;) alert tcp $HOME_NET any -> [81.19.216.77] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230653/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.236.244.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"8.136.241.0"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230649; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230645; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"120.24.179.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230644; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"1.14.92.24"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230643; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.43.30.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230585; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"31.41.244.41"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamisto.net"; 
depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230525/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230525; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist1.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230526/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230526; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist2.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230527/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist3.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist4.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230529/; target:src_ip; 
metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230529; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yti2nzrkodrkzmm5/"; depth:18; nocase; http.host; content:"cinconistanplaskamist5.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230530; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"4ht227ce29z6.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230532/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230532; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"r85d4kbe5729.vip"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230531/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230531; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"6kd020yb568x.top"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230533/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230533; rev:1;) alert tcp $HOME_NET any -> 
[193.134.211.62] 23333 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230557; rev:1;) alert tcp $HOME_NET any -> [193.134.211.62] 24444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230558; rev:1;) alert tcp $HOME_NET any -> [45.157.11.10] 4258 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230569/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_14; classtype:trojan-activity; sid:91230569; rev:1;) alert tcp $HOME_NET any -> [54.252.142.240] 14280 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"f2kic1nam25n81k.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230534/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230534; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtu2owe0nzjjngy5/"; depth:18; nocase; http.host; content:"99ol9f44xvgo.cn"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230535/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230535; rev:1;) alert tcp $HOME_NET any -> [209.141.56.114] 12500 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bofeng.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230536; rev:1;) alert tcp $HOME_NET any -> [45.61.185.156] 62212 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230541; rev:1;) alert tcp $HOME_NET any -> [45.61.185.156] 62213 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230542; rev:1;) alert tcp $HOME_NET any -> [205.234.181.204] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"debasesingle.life"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230556; rev:1;) alert tcp $HOME_NET any -> [138.201.92.7] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230584; rev:1;) alert tcp $HOME_NET any -> [176.44.93.104] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230583/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230583; rev:1;) alert tcp $HOME_NET any -> [74.12.147.6] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230582/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230582; rev:1;) alert tcp $HOME_NET any -> [41.96.118.26] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230581/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230581; rev:1;) alert tcp $HOME_NET any -> [200.109.203.57] 2222 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230580/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230580; rev:1;) alert tcp $HOME_NET any -> [193.222.96.163] 7443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230579/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230579; rev:1;) alert tcp $HOME_NET any -> [58.181.97.19] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230578/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230578; rev:1;) alert tcp $HOME_NET any -> [135.181.39.81] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230577/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230577; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 8000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230576/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0904422.xsph.ru"; depth:16; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1230575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230575; rev:1;) alert tcp $HOME_NET any -> [217.138.206.254] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230574/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230574; rev:1;) alert tcp $HOME_NET any -> [185.200.246.67] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230573/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230573; rev:1;) alert tcp $HOME_NET any -> [45.136.199.30] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230570/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230570; rev:1;) alert tcp $HOME_NET any -> [13.229.3.203] 18777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230568; rev:1;) alert tcp $HOME_NET any -> [52.220.121.212] 18777 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230567; rev:1;) alert tcp $HOME_NET any -> [18.136.148.247] 18777 (msg:"ThreatFox 
NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_14; classtype:trojan-activity; sid:91230566; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 83 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230565/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_14; classtype:trojan-activity; sid:91230565; rev:1;) alert tcp $HOME_NET any -> [89.208.106.112] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230564/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_14; classtype:trojan-activity; sid:91230564; rev:1;) alert tcp $HOME_NET any -> [47.115.220.95] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230563/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230563; rev:1;) alert tcp $HOME_NET any -> [5.101.0.60] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230562/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230562; rev:1;) alert tcp $HOME_NET any -> [5.101.1.60] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230561/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; 
classtype:trojan-activity; sid:91230561; rev:1;) alert tcp $HOME_NET any -> [216.218.135.117] 90 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230560; rev:1;) alert tcp $HOME_NET any -> [106.55.199.146] 6666 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230559/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cz07639.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230554; rev:1;) alert tcp $HOME_NET any -> [98.66.161.180] 8848 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230553/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230553; rev:1;) alert tcp $HOME_NET any -> [23.93.69.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230552/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230552; rev:1;) alert tcp $HOME_NET any -> [41.96.4.108] 443 (msg:"ThreatFox QakBot botnet 
C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230551/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230551; rev:1;) alert tcp $HOME_NET any -> [31.190.243.13] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230550/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230550; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230549/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230549; rev:1;) alert tcp $HOME_NET any -> [141.94.69.198] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230548/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230548; rev:1;) alert tcp $HOME_NET any -> [90.46.97.127] 4443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230547/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230547; rev:1;) alert tcp $HOME_NET any -> [23.94.198.26] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230546/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230546; 
rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 3510 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230545; rev:1;) alert tcp $HOME_NET any -> [134.175.125.207] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230544; rev:1;) alert tcp $HOME_NET any -> [193.3.19.167] 8080 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"139.9.196.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230539; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"139.9.196.215"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230538; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.197.99.65"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230537; rev:1;) alert tcp $HOME_NET any -> [104.233.140.136] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230523/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230523; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"fashionlazynavyresewg.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/v8sjh3hs8/index.php"; depth:20; nocase; http.host; content:"185.172.128.63"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230520; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1230522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230522; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230521; rev:1;) alert tcp $HOME_NET any -> [47.97.46.39] 6543 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230507; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns543320.ip-144-217-252.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230508; rev:1;) alert tcp $HOME_NET any -> [144.217.252.172] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230509; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.cbhhb.com.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230514/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230514; rev:1;) alert tcp $HOME_NET any -> [8.218.123.22] 12345 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230515; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"8.218.123.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"ns1.cbhhb.com.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230517; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"ns1.cbhhb.com.cn"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/image/"; depth:7; nocase; http.host; content:"101.34.28.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"8.218.123.22"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230512; rev:1;) alert tcp $HOME_NET any -> [101.168.22.94] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230511/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230511; rev:1;) alert tcp $HOME_NET any -> [60.205.115.92] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230510/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230510; rev:1;) alert tcp $HOME_NET any -> [3.84.20.87] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230492; rev:1;) alert tcp $HOME_NET any -> [88.214.58.89] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230493; rev:1;) alert tcp $HOME_NET any -> [15.207.223.7] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230494; rev:1;) alert tcp $HOME_NET any -> [54.167.18.211] 444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230495; rev:1;) alert tcp $HOME_NET any -> [89.147.111.188] 4455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230496; rev:1;) alert tcp $HOME_NET any -> [54.167.18.211] 11337 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230497; rev:1;) alert tcp $HOME_NET any -> [213.248.43.48] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/task/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:46; nocase; http.host; content:"213.248.43.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/loader/screen/owysn2ysn2ysytasowusodysogmsotysnjqsn2ms"; depth:55; nocase; http.host; content:"213.248.43.48"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230500; rev:1;) alert tcp $HOME_NET any -> [45.15.156.186] 29975 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230502; rev:1;) alert tcp $HOME_NET any -> [193.223.105.158] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230505; rev:1;) alert tcp $HOME_NET any -> [31.117.169.56] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230491; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"167.99.75.81"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230490; rev:1;) alert tcp $HOME_NET any -> [45.154.24.14] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230489/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230489; rev:1;) alert tcp $HOME_NET any -> [66.204.14.246] 1099 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230488/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230488; rev:1;) alert tcp $HOME_NET any -> [91.92.245.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230487/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230487; rev:1;) alert tcp $HOME_NET any -> [20.239.152.186] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230486/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230486; rev:1;) alert tcp $HOME_NET any -> [147.135.85.114] 4444 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence 
level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230485/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230485; rev:1;) alert tcp $HOME_NET any -> [41.97.246.37] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230484/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230484; rev:1;) alert tcp $HOME_NET any -> [90.4.110.126] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230483/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230483; rev:1;) alert tcp $HOME_NET any -> [18.201.9.92] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230482/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230482; rev:1;) alert tcp $HOME_NET any -> [84.32.188.80] 65534 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230481/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230481; rev:1;) alert tcp $HOME_NET any -> [193.222.96.163] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230480/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230480; rev:1;) alert tcp $HOME_NET 
any -> [20.199.89.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230479/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230479; rev:1;) alert tcp $HOME_NET any -> [164.92.79.49] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230478/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230478; rev:1;) alert tcp $HOME_NET any -> [47.74.90.4] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230477/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230477; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230476/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230476; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9200 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230475/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230475; rev:1;) alert tcp $HOME_NET any -> [137.184.185.109] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230474/; target:src_ip; metadata: confidence_level 
50, first_seen 2024_01_13; classtype:trojan-activity; sid:91230474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/7linuxlinux/basedle/geojavascript7/8processsql/lineimagevideouniversal/testdump/cdn0/to1eternal/3uploadsasync/localbigloadlinux/phpbaseprocess/processpython/5/processexternalgenerator/_eternalprovider/authlongpoll/vmlinepipesecurecpuprotectwindows.php"; depth:252; nocase; http.host; content:"89.23.115.8"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230473; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 60001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230472/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230472; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//5.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230470; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//7.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; 
classtype:trojan-activity; sid:91230471; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//4.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//2.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//3.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//1.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/o//6.jpg"; depth:9; nocase; http.host; content:"9entrevera.sa.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/imageupdateprotectasynctrafficdatalifecentral.php"; depth:50; nocase; http.host; content:"147.45.196.103"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230464; rev:1;) alert tcp $HOME_NET any -> [20.79.30.95] 33223 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230458; rev:1;) alert tcp $HOME_NET any -> [141.95.211.148] 46011 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"analysisswellenterw.fun"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; 
sid:91230447; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dashboard.renovationsruth.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230454; rev:1;) alert tcp $HOME_NET any -> [66.135.17.87] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/app.min.js"; depth:11; nocase; http.host; content:"webcachedata.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j6yd"; depth:5; nocase; http.host; content:"1.94.97.134"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230463/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_13; classtype:trojan-activity; sid:91230463; rev:1;) alert tcp $HOME_NET any -> [167.99.75.81] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230462/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; 
sid:91230462; rev:1;) alert tcp $HOME_NET any -> [5.75.165.62] 34937 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_13; classtype:trojan-activity; sid:91230461; rev:1;) alert tcp $HOME_NET any -> [103.176.178.88] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230459/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_13; classtype:trojan-activity; sid:91230459; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"192.3.80.202"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230457; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linerequestpacketlowgeoprocessorlongpolldbdleprivate.php"; depth:57; nocase; http.host; content:"898082lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230453; rev:1;) alert tcp $HOME_NET any -> [77.105.132.124] 2525 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230452/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_12; classtype:trojan-activity; sid:91230452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h5oq"; depth:5; nocase; http.host; content:"54.186.231.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230451/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kw3h"; depth:5; nocase; http.host; content:"146.190.120.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230450/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230450; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bl341/index.php"; depth:16; nocase; http.host; content:"blbl1.shop"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/w4hj"; depth:5; nocase; http.host; content:"47.252.17.61"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230448; rev:1;) alert tcp $HOME_NET any -> [119.188.247.158] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230446/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230446; rev:1;) alert tcp $HOME_NET any -> [189.253.229.70] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230445/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230445; rev:1;) alert tcp $HOME_NET any -> [46.105.73.148] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230444/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230444; rev:1;) alert tcp $HOME_NET any -> [54.185.217.31] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230443/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230443; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-hsyluctr-1252427727.bj.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230436; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-9sehd1r7-1252427727.bj.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230433/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230433; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230434; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.ye0kr1n.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"965keji.cn"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230431; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaowanyouqian.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230432; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"site.dev.hutechweb.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230429; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"965keji.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230430; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/h4bflh"; depth:7; nocase; http.host; content:"service.specialcraftbox.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230411; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mali.siegemachine.cn"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230428; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/kqgrxb"; depth:7; nocase; http.host; content:"soft.specialcraftbox.com"; depth:24; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1230412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230412; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yrhyeesre"; depth:10; nocase; http.host; content:"stone.betradingway.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230413; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/station"; depth:8; nocase; http.host; content:"goaway.betradingway.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230414; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/prestart"; depth:9; nocase; http.host; content:"goto.lineferaline.com"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230415; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/editcontent"; depth:12; nocase; http.host; content:"places.creeksidehuntingpreserve.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; 
sid:91230416; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"places.creeksidehuntingpreserve.com"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230417; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"creeksidehuntingpreserve.com"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230418; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/ewmrgqnaww.php"; depth:21; nocase; http.host; content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230422; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"178.238.247.167"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230419; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230421; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"refillpantrysd.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230423; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"surprise.refillpantrysd.com"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230424; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"88.119.175.241"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230425; rev:1;) alert tcp $HOME_NET any -> [44.221.115.240] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230442/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_12; classtype:trojan-activity; sid:91230442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dracumi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230441; rev:1;) alert tcp $HOME_NET any -> [35.75.17.163] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230440; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"carrefour-uat.sumikuma.tw"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230439; rev:1;) alert tcp $HOME_NET any -> [149.210.56.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/virgin/leo/gate.php"; depth:20; nocase; http.host; content:"fishery.co.in"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230437; 
rev:1;) alert tcp $HOME_NET any -> [91.92.255.187] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230426/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230426; rev:1;) alert tcp $HOME_NET any -> [195.20.16.210] 50500 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230420; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230410/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230410; rev:1;) alert tcp $HOME_NET any -> [185.125.56.177] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230409/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230409; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/de4846fc29f26952.php"; depth:21; nocase; http.host; content:"109.107.181.33"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230408; rev:1;) alert tcp $HOME_NET any -> [18.198.77.177] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230407; rev:1;) alert tcp $HOME_NET any -> [35.158.159.254] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230406; rev:1;) alert tcp $HOME_NET any -> [52.28.112.211] 15595 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"736628.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230404; rev:1;) alert tcp $HOME_NET any -> [45.94.58.137] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230403; rev:1;) alert tcp $HOME_NET any -> [112.196.45.11] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230402; rev:1;) alert tcp $HOME_NET any -> [20.33.38.1] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230401; rev:1;) alert tcp $HOME_NET any -> [20.77.91.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230399; rev:1;) alert tcp $HOME_NET any -> [4.180.77.220] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230400; rev:1;) alert tcp $HOME_NET any -> [38.180.6.129] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230398/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230398; rev:1;) alert tcp $HOME_NET any -> [150.95.141.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230397; rev:1;) alert tcp $HOME_NET any -> [24.105.180.13] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230396; rev:1;) alert tcp $HOME_NET any -> [119.45.204.226] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230395; rev:1;) alert tcp $HOME_NET any -> [20.235.245.202] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230394; rev:1;) alert tcp $HOME_NET any -> [164.92.117.179] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230393; rev:1;) alert tcp $HOME_NET any -> [104.194.78.89] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230392; rev:1;) alert tcp $HOME_NET any -> [47.109.89.13] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230391; 
rev:1;) alert tcp $HOME_NET any -> [146.235.217.116] 1268 (msg:"ThreatFox Orcus RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230390; rev:1;) alert tcp $HOME_NET any -> [123.99.198.130] 14363 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230389; rev:1;) alert tcp $HOME_NET any -> [125.229.208.221] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230388; rev:1;) alert tcp $HOME_NET any -> [178.20.47.103] 9090 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230387; rev:1;) alert tcp $HOME_NET any -> [188.240.121.104] 4444 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230386; rev:1;) alert tcp $HOME_NET any -> [5.206.224.18] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"animegalaxys.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxee4.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230383/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230383; rev:1;) alert tcp $HOME_NET any -> [91.224.92.201] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230382; rev:1;) alert tcp $HOME_NET any -> [64.31.63.82] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"liquiditv.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230380; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.liquiditv.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230379; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230378; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230377; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230376/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230376; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230375/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230375; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230374/; 
target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230374; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8006 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230372/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230372; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230373/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230373; rev:1;) alert tcp $HOME_NET any -> [104.193.69.140] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230371/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_12; classtype:trojan-activity; sid:91230371; rev:1;) alert tcp $HOME_NET any -> [105.98.70.154] 6001 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230370; rev:1;) alert tcp $HOME_NET any -> [139.9.196.215] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230369; rev:1;) alert tcp $HOME_NET any -> [74.119.193.190] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230368; rev:1;) alert tcp $HOME_NET any -> [74.119.193.190] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230367; rev:1;) alert tcp $HOME_NET any -> [139.196.24.227] 50501 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230366; rev:1;) alert tcp $HOME_NET any -> [192.74.237.132] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230365; rev:1;) alert tcp $HOME_NET any -> [192.3.80.202] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230364; rev:1;) alert tcp $HOME_NET any -> [123.57.181.89] 6001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230363; rev:1;) alert tcp $HOME_NET any -> [120.26.196.41] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230362; rev:1;) alert tcp $HOME_NET any -> [20.2.223.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230361; rev:1;) alert tcp $HOME_NET any -> [8.217.174.23] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230360; rev:1;) alert tcp $HOME_NET any -> [188.166.22.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230359; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"182.23.67.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230358; rev:1;) alert tcp $HOME_NET any -> [51.254.33.199] 3790 (msg:"ThreatFox Meterpreter 
botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230357/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"wcs.microsoftwindows.cloud"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/plugmanzx.exe"; depth:26; nocase; http.host; content:"prime.topendpower.top"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"prime.topendpower.top"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230351; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_errorpages/linczx.exe"; depth:23; nocase; http.host; content:"link.blueyonderllc.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230352/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"link.blueyonderllc.top"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"topendpower.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"blueyonderllc.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230355; rev:1;) alert tcp $HOME_NET any -> [154.197.99.65] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230349/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230349; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providerimagerequestwindowswpprivate.php"; depth:41; nocase; http.host; content:"45.87.246.118"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230348/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_12; classtype:trojan-activity; sid:91230348; rev:1;) alert tcp $HOME_NET any -> [91.92.255.203] 5050 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230347; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"elakarraru.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230346/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230346; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"elakarraru.site"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230345/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_12; classtype:trojan-activity; sid:91230345; rev:1;) alert tcp $HOME_NET any -> [91.92.255.187] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230344; rev:1;) alert tcp $HOME_NET any -> [104.243.27.95] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230343/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_12; classtype:trojan-activity; sid:91230343; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230342; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230341; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"66.119.15.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230340; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"49.65.96.139"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230339; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230338; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230337; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"209.146.124.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230336; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230335; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/637-08770317-9137754/field-keywords=woman"; depth:61; nocase; http.host; content:"163.5.169.2"; 
depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230334; rev:1;) alert tcp $HOME_NET any -> [45.67.230.205] 443 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230333; rev:1;) alert tcp $HOME_NET any -> [2.58.85.236] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230332/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230332; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"209.146.124.195"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230331; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"66.119.15.241"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230330; rev:1;) alert tcp $HOME_NET any -> [139.9.196.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1230329/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230329; rev:1;) alert tcp $HOME_NET any -> [66.119.15.241] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ggee.buzz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230283; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 6554 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230279; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yudsasd.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230281; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50105 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230280; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yudsasd.xyz"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230282; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ggee.buzz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230284; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigmoney.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230285; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.bigmoney.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230286; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.globalmoney.top"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"globalmoney.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230287; rev:1;) alert tcp $HOME_NET any -> [185.130.47.125] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230290; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"codecruncher.pro"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230295; rev:1;) alert tcp $HOME_NET any -> [45.130.201.22] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230297; rev:1;) alert tcp $HOME_NET any -> [2.58.14.243] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230327/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230327; rev:1;) alert tcp $HOME_NET any -> [74.12.147.43] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230326/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; 
classtype:trojan-activity; sid:91230326; rev:1;) alert tcp $HOME_NET any -> [95.179.140.252] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230325/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230325; rev:1;) alert tcp $HOME_NET any -> [172.105.109.228] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230324/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230324; rev:1;) alert tcp $HOME_NET any -> [136.0.3.240] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230323/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230323; rev:1;) alert tcp $HOME_NET any -> [136.0.3.240] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230322/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230322; rev:1;) alert tcp $HOME_NET any -> [64.23.155.109] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230321/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230321; rev:1;) alert tcp $HOME_NET any -> [13.235.248.157] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230320/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230320; rev:1;) alert tcp $HOME_NET any -> [3.253.120.29] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230319/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_12; classtype:trojan-activity; sid:91230319; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/process4local/javascriptexternaltrack/geopipe4/provider/mariadb2downloads/7public7private/temp/universaltemporary/0api6/update_/5/4processor/3testgeo/traffic/providerimagepipeto_apiprivate.php"; depth:193; nocase; http.host; content:"62.109.28.71"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230318; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externallinetomultiasyncwp.php"; depth:31; nocase; http.host; content:"95.163.228.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230317; rev:1;) alert tcp $HOME_NET any -> [209.146.124.198] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230316/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230316; rev:1;) 
alert tcp $HOME_NET any -> [104.243.27.95] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230315/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230315; rev:1;) alert tcp $HOME_NET any -> [39.101.177.82] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230314/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230314; rev:1;) alert tcp $HOME_NET any -> [44.237.77.84] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230313/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230313; rev:1;) alert tcp $HOME_NET any -> [185.81.157.183] 8181 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230312/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230312; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/v9-gzhsfuz8492wjynjitv7ouml6xe"; depth:48; nocase; http.host; content:"citrix-update.centralus.cloudapp.azure.com"; depth:42; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230311; rev:1;) alert tcp $HOME_NET any -> [60.204.249.156] 8081 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230310/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230310; rev:1;) alert tcp $HOME_NET any -> [145.239.83.165] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230309/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230309; rev:1;) alert tcp $HOME_NET any -> [49.49.140.40] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230308/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230308; rev:1;) alert tcp $HOME_NET any -> [54.89.165.37] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dde7q711skl5j.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230306; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"dde7q711skl5j.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230305; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/s/ref=nb_sb_noss_1/167-3294888-0262949/field-keywords=books"; depth:60; nocase; http.host; content:"d1dg7ete2wkysb.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1dg7ete2wkysb.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_12; classtype:trojan-activity; sid:91230304; rev:1;) alert tcp $HOME_NET any -> [220.69.33.144] 443 (msg:"ThreatFox Get2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230302; rev:1;) alert tcp $HOME_NET any -> [192.74.238.23] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_12; classtype:trojan-activity; sid:91230301; rev:1;) alert tcp $HOME_NET any -> [47.216.198.63] 
54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230300/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230300; rev:1;) alert tcp $HOME_NET any -> [120.78.156.73] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230299/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230299; rev:1;) alert tcp $HOME_NET any -> [139.84.228.75] 22669 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230298; rev:1;) alert tcp $HOME_NET any -> [103.114.104.158] 1664 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230296; rev:1;) alert tcp $HOME_NET any -> [101.43.191.108] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230294; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.yuejinjianke.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230293; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.yuejinjianke.cn"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230292; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dumptemp10/track20/lowprocesslongpollserverdefaulttestprivatecdntemporary.php"; depth:78; nocase; http.host; content:"109.107.182.163"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230289; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230276; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230277; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12232 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230278/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230278; rev:1;) alert tcp $HOME_NET any -> [14.225.210.98] 12024 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230275; rev:1;) alert tcp $HOME_NET any -> [83.213.157.103] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230274/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230274; rev:1;) alert tcp $HOME_NET any -> [40.120.52.205] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230273; rev:1;) alert tcp $HOME_NET any -> [111.30.29.23] 3335 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230272; rev:1;) alert tcp $HOME_NET any -> [123.58.210.31] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230271; rev:1;) alert tcp $HOME_NET any -> [103.101.224.16] 3333 (msg:"ThreatFox Unknown malware botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230270; rev:1;) alert tcp $HOME_NET any -> [146.185.22.147] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230269; rev:1;) alert tcp $HOME_NET any -> [118.195.236.44] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230268; rev:1;) alert tcp $HOME_NET any -> [152.136.49.42] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230267; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-76-227-205.ap-southeast-1.compute.amazonaws.com"; depth:54; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230266; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"havoc.redethics.online"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sc.zhanshizhan.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230264; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stupefied-banach.91-215-85-177.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230263; rev:1;) alert tcp $HOME_NET any -> [172.86.68.180] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230262; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2004 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230260; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230261; 
rev:1;) alert tcp $HOME_NET any -> [121.43.225.222] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230259; rev:1;) alert tcp $HOME_NET any -> [101.43.194.122] 886 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230258; rev:1;) alert tcp $HOME_NET any -> [45.129.14.102] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230257; rev:1;) alert tcp $HOME_NET any -> [60.205.231.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230256/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230256; rev:1;) alert tcp $HOME_NET any -> [121.41.49.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230255; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230254; rev:1;) alert tcp $HOME_NET any -> [185.239.69.162] 2053 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230253; rev:1;) alert tcp $HOME_NET any -> [43.138.72.60] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230251; rev:1;) alert tcp $HOME_NET any -> [206.188.196.204] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230252; rev:1;) alert tcp $HOME_NET any -> [103.30.77.235] 8090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230250; rev:1;) alert tcp $HOME_NET any -> [112.124.62.216] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230249; rev:1;) alert tcp $HOME_NET any -> [8.130.166.74] 80 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230248; rev:1;) alert tcp $HOME_NET any -> [101.201.119.107] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230247; rev:1;) alert tcp $HOME_NET any -> [74.12.147.43] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230246/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230246; rev:1;) alert tcp $HOME_NET any -> [2.91.189.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230245/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230245; rev:1;) alert tcp $HOME_NET any -> [107.172.57.92] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230244/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230244; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/central/7/db8db/pollwordpress/serverauthtempdump/auth/server7line2/pipedatalife/poll4/linephpdatalife.php"; depth:106; nocase; http.host; content:"83.220.169.42"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230243; rev:1;) alert tcp $HOME_NET any -> [54.242.28.234] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230242/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230242; rev:1;) alert tcp $HOME_NET any -> [18.184.177.22] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230241/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230241; rev:1;) alert tcp $HOME_NET any -> [23.94.40.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39342e34302e3132-rr.1u.ms"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.gtbidding.com"; depth:17; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230238; rev:1;) alert tcp $HOME_NET any -> [45.56.105.235] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230221; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dogs.graspthemes.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230223; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"45-56-105-235.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230225; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"make-hex-32332e39352e3139372e313934-rr.1u.ms"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230233; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/v1.98/cyum68zbb6fh"; depth:24; nocase; http.host; 
content:"45.77.255.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230232; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/recite/granted/e1q45fxnyqs9"; depth:28; nocase; http.host; content:"74.48.184.88"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230231; rev:1;) alert tcp $HOME_NET any -> [185.161.211.17] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230230; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/posting.html"; depth:13; nocase; http.host; content:"hostapimgmt.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230228; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hostapimgmt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230229; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"176.32.38.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230227; rev:1;) alert tcp $HOME_NET any -> [78.92.112.76] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230226/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230226; rev:1;) alert tcp $HOME_NET any -> [8.218.123.22] 7654 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230224/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230224; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"liquisync.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:bad-unknown; sid:91230107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"js-utilities.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:bad-unknown; sid:91230108; rev:1;) alert tcp $HOME_NET any -> [123.207.45.112] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230220/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230220; rev:1;) alert tcp $HOME_NET any -> [103.146.140.99] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230219/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230219; rev:1;) alert tcp $HOME_NET any -> [51.21.137.60] 8009 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230218/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230218; rev:1;) alert tcp $HOME_NET any -> [96.44.166.186] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230216; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitment60.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230215; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4280678.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230214; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.jmccarth.net"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230213; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foodpantrybestpractices.org"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230212; rev:1;) alert tcp $HOME_NET any -> [107.170.86.54] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230211; rev:1;) alert tcp $HOME_NET any -> [176.9.38.220] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230210; rev:1;) alert tcp $HOME_NET any -> [141.95.100.182] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230209; rev:1;) alert tcp $HOME_NET any -> [222.234.220.156] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1230207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230207; rev:1;) alert tcp $HOME_NET any -> [216.249.175.251] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230206; rev:1;) alert tcp $HOME_NET any -> [52.29.110.121] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230205; rev:1;) alert tcp $HOME_NET any -> [20.235.6.212] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230204; rev:1;) alert tcp $HOME_NET any -> [107.174.156.151] 8333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230203; rev:1;) alert tcp $HOME_NET any -> [40.90.254.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230201; rev:1;) alert tcp $HOME_NET 
any -> [3.127.68.49] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230202; rev:1;) alert tcp $HOME_NET any -> [124.221.28.34] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230200; rev:1;) alert tcp $HOME_NET any -> [122.169.64.215] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230199; rev:1;) alert tcp $HOME_NET any -> [52.23.33.245] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230198; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"great-golick.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230197; rev:1;) alert tcp $HOME_NET any -> [91.92.252.7] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1230196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230196; rev:1;) alert tcp $HOME_NET any -> [5.181.7.60] 4831 (msg:"ThreatFox BitRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230195; rev:1;) alert tcp $HOME_NET any -> [195.20.16.210] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230194; rev:1;) alert tcp $HOME_NET any -> [8.217.83.74] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230193; rev:1;) alert tcp $HOME_NET any -> [115.74.20.156] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230192; rev:1;) alert tcp $HOME_NET any -> [47.76.181.76] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230191; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"namyonghospital.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230190; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nadon.net"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230189; rev:1;) alert tcp $HOME_NET any -> [175.16.183.116] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230188; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyidh21.sbs"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230187; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jino57.fvds.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230186; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nanafb3.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1230184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230184; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"karasergkaravaev4.fvds.ru"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230185; rev:1;) alert tcp $HOME_NET any -> [91.92.241.235] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230182; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nowseacoin.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230183; rev:1;) alert tcp $HOME_NET any -> [18.141.3.52] 83 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230181; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vasvasniks5.fvds.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230180; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.practical-hawking.159-89-8-28.plesk.page"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230179; rev:1;) alert tcp $HOME_NET any -> [65.20.106.42] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230178; rev:1;) alert tcp $HOME_NET any -> [34.171.179.211] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230177; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230176; rev:1;) alert tcp $HOME_NET any -> [190.28.171.243] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230175; rev:1;) alert tcp $HOME_NET any -> [185.81.157.148] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1230173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230173; rev:1;) alert tcp $HOME_NET any -> [74.222.22.137] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230174; rev:1;) alert tcp $HOME_NET any -> [187.24.11.12] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230172; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230171/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230171; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230169/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230169; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230170/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230170; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8002 (msg:"ThreatFox 
ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230168/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230168; rev:1;) alert tcp $HOME_NET any -> [45.32.106.247] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230167/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230167; rev:1;) alert tcp $HOME_NET any -> [45.67.34.151] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230166/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230166; rev:1;) alert tcp $HOME_NET any -> [192.71.26.172] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230164/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230164; rev:1;) alert tcp $HOME_NET any -> [1.94.125.189] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230165/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230165; rev:1;) alert tcp $HOME_NET any -> [158.220.115.82] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230163/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230163; rev:1;) alert tcp $HOME_NET any -> [5.8.10.71] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230162/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_11; classtype:trojan-activity; sid:91230162; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2086 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230161; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230159; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230160; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230158; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 
1; reference:url, threatfox.abuse.ch/ioc/1230157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230157; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2309 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230155; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230156; rev:1;) alert tcp $HOME_NET any -> [79.137.199.167] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230154; rev:1;) alert tcp $HOME_NET any -> [106.55.199.146] 6667 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230153; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230151; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 
8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230152; rev:1;) alert tcp $HOME_NET any -> [91.92.243.197] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230150; rev:1;) alert tcp $HOME_NET any -> [47.92.219.221] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230148; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230149; rev:1;) alert tcp $HOME_NET any -> [101.43.144.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230147; rev:1;) alert tcp $HOME_NET any -> [124.223.220.137] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230146/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230146; rev:1;) alert tcp $HOME_NET any -> [59.110.15.143] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230145; rev:1;) alert tcp $HOME_NET any -> [8.137.107.50] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230144; rev:1;) alert tcp $HOME_NET any -> [194.26.135.115] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230143; rev:1;) alert tcp $HOME_NET any -> [114.132.197.186] 4438 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230142; rev:1;) alert tcp $HOME_NET any -> [39.105.2.113] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230141; rev:1;) alert tcp $HOME_NET any -> [39.105.2.113] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230140; rev:1;) alert tcp $HOME_NET any -> [103.234.72.88] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230139; rev:1;) alert tcp $HOME_NET any -> [8.140.254.173] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230137/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230137; rev:1;) alert tcp $HOME_NET any -> [39.106.74.90] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230138; rev:1;) alert tcp $HOME_NET any -> [47.236.244.14] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230136; rev:1;) alert tcp $HOME_NET any -> [66.112.210.81] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230135; rev:1;) alert tcp $HOME_NET any -> [114.55.226.103] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230134; rev:1;) alert tcp $HOME_NET any -> [38.54.68.65] 10443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230132; rev:1;) alert tcp $HOME_NET any -> [91.240.118.233] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230133; rev:1;) alert tcp $HOME_NET any -> [121.41.17.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230131; rev:1;) alert tcp $HOME_NET any -> [103.30.77.235] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230130; rev:1;) alert tcp $HOME_NET any -> [94.156.64.124] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230129; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nz-us.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230127; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.onbuyhouses.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230128; rev:1;) alert tcp $HOME_NET any -> [2.56.10.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230126/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230126; rev:1;) alert tcp $HOME_NET any -> [93.153.68.186] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230125/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230125; rev:1;) alert tcp $HOME_NET any -> [93.153.68.186] 61125 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230124/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230124; rev:1;) alert 
tcp $HOME_NET any -> [149.102.235.34] 80 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230123/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230123; rev:1;) alert tcp $HOME_NET any -> [149.102.235.34] 61125 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230122/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"124.71.5.199"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230120; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.blueseaedu.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230119; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.blueseaedu.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"43.153.222.28"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.105.69.34"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.94.221.227"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"150.158.13.117"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.98.157.4"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230110; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"124.222.54.66"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230109; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 22636 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230106/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230106; rev:1;) alert tcp $HOME_NET any -> [139.180.171.110] 1604 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230105/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230105; rev:1;) alert tcp $HOME_NET any -> [171.5.179.208] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230104/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230104; rev:1;) alert tcp $HOME_NET any -> [194.33.191.248] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230103/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.115.213.18"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230102; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wcs.microsoftwindows.cloud"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"wcs.microsoftwindows.cloud"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230100; rev:1;) alert tcp $HOME_NET any -> [45.77.255.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/post/v1.98/cyum68zbb6fh"; depth:24; nocase; http.host; content:"45.77.255.59"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230098; rev:1;) alert tcp 
$HOME_NET any -> [91.92.255.112] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230097/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/functionalstatus/mwkru-hytoycqt-hf63baudhjrkwrqbgpdf"; depth:53; nocase; http.host; content:"80.66.75.53"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230095; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"114.132.218.55"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.104.28.38"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230093/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/audiencemanager.js"; depth:19; nocase; http.host; content:"home.aliba-inc.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230091; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"home.aliba-inc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230090; rev:1;) alert tcp $HOME_NET any -> [123.56.189.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230089/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230089; rev:1;) alert tcp $HOME_NET any -> [187.135.144.49] 2232 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230088/; 
target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230088; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.fiducaire.lu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230076; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.asurances.lu"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230077; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sagsblog.telinduslab.lu"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.jocelynhealth.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230079; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"a1b2c3.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230080; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.5cce1d35e.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230081; rev:1;) alert tcp $HOME_NET any -> [43.138.22.122] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230087/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230087; rev:1;) alert tcp $HOME_NET any -> [93.90.72.13] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230086/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230086; rev:1;) alert tcp $HOME_NET any -> [72.27.103.160] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230085/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230085; rev:1;) alert tcp $HOME_NET any -> [18.162.214.171] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230084/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230084; rev:1;) alert tcp $HOME_NET any -> [167.99.156.77] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1230083/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230083; rev:1;) alert tcp $HOME_NET any -> [3.106.130.174] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230082/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_11; classtype:trojan-activity; sid:91230082; rev:1;) alert tcp $HOME_NET any -> [47.99.139.108] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230075/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230075; rev:1;) alert tcp $HOME_NET any -> [45.155.249.183] 1337 (msg:"ThreatFox Loda botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"185azyn6606dec24rd13.ddns.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230073; rev:1;) alert tcp $HOME_NET any -> [185.224.128.11] 55650 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230071/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230071; rev:1;) alert tcp $HOME_NET any -> [45.90.97.101] 9931 
(msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230072/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230072; rev:1;) alert tcp $HOME_NET any -> [91.92.240.231] 13781 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230069; rev:1;) alert tcp $HOME_NET any -> [139.162.148.153] 23433 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gamemodz.duckdns.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230068; rev:1;) alert tcp $HOME_NET any -> [45.128.96.133] 58001 (msg:"ThreatFox zgRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230067/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230067; rev:1;) alert tcp $HOME_NET any -> [91.92.240.61] 7000 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230066/; target:src_ip; 
metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230066; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthyblessed.duckdns.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opendomain.lyamore-metal.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230061; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"open.lyamore-metal.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230062; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"opendomain.taiwantradeglobal.com"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230063; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"open.taiwantradeglobal.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230064; rev:1;) alert tcp $HOME_NET any -> [91.92.251.144] 4449 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230060/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230060; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"moonvenom4449.duckdns.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230059; rev:1;) alert tcp $HOME_NET any -> [119.81.84.107] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230058/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_11; classtype:trojan-activity; sid:91230058; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"lazittarl.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.225.84"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; 
classtype:trojan-activity; sid:91230052; rev:1;) alert tcp $HOME_NET any -> [141.98.10.85] 38241 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230054/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230054; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"cnc7.cremeonu.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230055/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_11; classtype:trojan-activity; sid:91230055; rev:1;) alert tcp $HOME_NET any -> [77.91.124.92] 33992 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230057; rev:1;) alert tcp $HOME_NET any -> [82.147.85.205] 24010 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_11; classtype:trojan-activity; sid:91230056; rev:1;) alert tcp $HOME_NET any -> [205.189.160.217] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230053/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230053; rev:1;) alert tcp $HOME_NET any -> [64.237.181.19] 1800 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230050/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230050; rev:1;) alert tcp $HOME_NET any -> [45.61.138.9] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230049/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230049; rev:1;) alert tcp $HOME_NET any -> [45.32.159.208] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230048/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2021/63388.cab"; depth:42; nocase; http.host; content:"139.180.144.171"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"cs.h1ll0.cs.in"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"t.10nf0x.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230044; rev:1;) alert tcp $HOME_NET any -> [134.209.92.85] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230045; rev:1;) alert tcp $HOME_NET any -> [49.234.12.22] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230043; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"webtest.icbcbc.com.cn"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230042; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230041; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.icbcbc.com.cn"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1230040/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230040; rev:1;) alert tcp $HOME_NET any -> [95.6.72.229] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230039; rev:1;) alert tcp $HOME_NET any -> [39.40.168.159] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230038; rev:1;) alert tcp $HOME_NET any -> [184.96.139.136] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230037; rev:1;) alert tcp $HOME_NET any -> [72.27.11.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230036; rev:1;) alert tcp $HOME_NET any -> [172.242.145.126] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230035; rev:1;) alert tcp $HOME_NET any -> [37.186.58.51] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230034; rev:1;) alert tcp $HOME_NET any -> [31.117.56.211] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230033; rev:1;) alert tcp $HOME_NET any -> [103.126.7.66] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230032/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230032; rev:1;) alert tcp $HOME_NET any -> [20.107.115.8] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230031/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230031; rev:1;) alert tcp $HOME_NET any -> [91.236.230.169] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230030/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91230030; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"87.251.66.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91230029; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/log.php"; depth:18; nocase; http.host; content:"193.233.18.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230028; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"87.251.66.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230027; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.111.120"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230026; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"139.9.93.128"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230025; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"123.207.45.112"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230024; rev:1;) alert tcp $HOME_NET any -> [193.233.18.157] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230023/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230023; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/abd3wufkw/post.php"; depth:19; nocase; http.host; content:"193.233.18.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230022; rev:1;) alert tcp $HOME_NET any -> [37.220.86.102] 4444 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230021/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230021; rev:1;) alert tcp $HOME_NET any -> [87.251.66.248] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230020/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91230020; rev:1;) alert tcp $HOME_NET any -> [123.207.45.112] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230019/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91230019; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/test1/get.php"; depth:14; nocase; http.host; content:"habrafa.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230018; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.47.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230017; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"128.140.69.37"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230015; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"195.201.44.3"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91230016; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.167.169"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230014; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.241.217"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.187.82"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230013; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.178.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230011; rev:1;) alert tcp $HOME_NET any -> [95.216.178.60] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230004; rev:1;) alert tcp $HOME_NET any -> [95.217.241.217] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230005; rev:1;) alert tcp $HOME_NET any -> [116.202.187.82] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230006; rev:1;) alert tcp $HOME_NET any -> [116.203.167.169] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230007; rev:1;) alert tcp $HOME_NET any -> [128.140.69.37] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230008; rev:1;) alert tcp $HOME_NET any -> [195.201.44.3] 80 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230009; rev:1;) alert tcp $HOME_NET any -> [195.201.47.172] 80 (msg:"ThreatFox Vidar 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230010; rev:1;) alert tcp $HOME_NET any -> [95.216.178.60] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230003; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.216.178.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230002; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 6601 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1230001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230001; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"electricnico.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1230000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91230000; rev:1;) alert tcp $HOME_NET any -> [106.38.221.252] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229999/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229999; rev:1;) alert tcp $HOME_NET any -> [42.194.249.55] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229998/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229998; rev:1;) alert tcp $HOME_NET any -> [161.35.146.96] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229997/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229997; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"retraining.allstardriving.org"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229995; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"allstardriving.org"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229996; rev:1;) alert tcp $HOME_NET any -> [46.246.4.8] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229994; rev:1;) alert tcp $HOME_NET any -> [3.69.157.220] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229993; rev:1;) alert tcp $HOME_NET any -> [3.68.171.119] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229992; rev:1;) alert tcp $HOME_NET any -> [3.66.38.117] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229991; rev:1;) alert tcp $HOME_NET any -> [3.69.115.178] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229990; rev:1;) alert tcp $HOME_NET any -> [52.28.247.255] 14402 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229989; rev:1;) alert tcp $HOME_NET any 
-> [121.41.0.213] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229988; rev:1;) alert tcp $HOME_NET any -> [2.50.140.18] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229987; rev:1;) alert tcp $HOME_NET any -> [94.198.50.195] 9000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229986; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.yop918kiss.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229984; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.babyeonb.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"farmbilllawenterprise.org"; depth:25; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1229983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229983; rev:1;) alert tcp $HOME_NET any -> [164.92.250.55] 443 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229982; rev:1;) alert tcp $HOME_NET any -> [154.8.204.131] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229980; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4010 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229981; rev:1;) alert tcp $HOME_NET any -> [170.187.181.74] 44386 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229979; rev:1;) alert tcp $HOME_NET any -> [45.132.88.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229978; rev:1;) alert tcp $HOME_NET any -> 
[54.237.206.70] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229977; rev:1;) alert tcp $HOME_NET any -> [3.234.60.33] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229976/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229976; rev:1;) alert tcp $HOME_NET any -> [34.234.47.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229975; rev:1;) alert tcp $HOME_NET any -> [13.235.21.176] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229974; rev:1;) alert tcp $HOME_NET any -> [181.237.128.179] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229973; rev:1;) alert tcp $HOME_NET any -> [202.83.17.58] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229972; rev:1;) alert tcp $HOME_NET any -> [13.93.87.157] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229971; rev:1;) alert tcp $HOME_NET any -> [193.23.55.98] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229970; rev:1;) alert tcp $HOME_NET any -> [85.215.108.157] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229969; rev:1;) alert tcp $HOME_NET any -> [124.90.130.241] 10056 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229968; rev:1;) alert tcp $HOME_NET any -> [223.167.229.127] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229967; rev:1;) alert tcp $HOME_NET any -> [24.105.180.14] 
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"outlook.trabede.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229965; rev:1;) alert tcp $HOME_NET any -> [60.247.156.214] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229964; rev:1;) alert tcp $HOME_NET any -> [194.15.216.203] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229963; rev:1;) alert tcp $HOME_NET any -> [116.204.43.111] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229962; rev:1;) alert tcp $HOME_NET any -> [54.87.191.236] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"elated-black.45-141-215-173.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229960; rev:1;) alert tcp $HOME_NET any -> [91.92.240.153] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229959; rev:1;) alert tcp $HOME_NET any -> [194.33.191.106] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229958; rev:1;) alert tcp $HOME_NET any -> [91.92.241.244] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229956; rev:1;) alert tcp $HOME_NET any -> [194.33.191.106] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229957; rev:1;) alert tcp 
$HOME_NET any -> [91.92.241.244] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229955; rev:1;) alert tcp $HOME_NET any -> [91.92.240.152] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229954; rev:1;) alert tcp $HOME_NET any -> [193.233.132.49] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229953; rev:1;) alert tcp $HOME_NET any -> [94.228.169.198] 3000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229952; rev:1;) alert tcp $HOME_NET any -> [115.74.20.156] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229951; rev:1;) alert tcp $HOME_NET any -> [45.141.215.178] 61240 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"thesirenmika.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hc.info-163.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"microsoft-webservices.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.lucarne-films.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229945; rev:1;) alert tcp $HOME_NET any -> [45.126.125.144] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; 
sid:91229946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kasm.cy-security.de"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vpn.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dl.info-163.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229943; rev:1;) alert tcp $HOME_NET any -> [8.219.206.59] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229941; rev:1;) alert tcp $HOME_NET any -> [89.221.224.197] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"festive-jemison.173-249-59-190.plesk.page"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mqrmtohl90.za.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.festive-jemison.173-249-59-190.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hilfe-konto.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229937; rev:1;) alert tcp $HOME_NET any -> [20.55.233.193] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"foxee5.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229935; rev:1;) alert tcp $HOME_NET any -> [92.118.113.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229933; rev:1;) alert tcp $HOME_NET any -> [79.137.203.29] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yiyifb4.cfd"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229931; rev:1;) alert tcp $HOME_NET any -> [79.133.180.197] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229929; rev:1;) alert tcp $HOME_NET any -> [91.107.124.135] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229930; rev:1;) alert tcp $HOME_NET any -> [193.233.132.35] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.137-184-80-125.cprapid.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229927; rev:1;) alert tcp $HOME_NET any -> [208.85.17.219] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229926; rev:1;) alert tcp $HOME_NET any -> [20.211.251.199] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229925; rev:1;) alert tcp $HOME_NET any -> [185.81.157.172] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229923; rev:1;) alert tcp $HOME_NET any -> [185.81.157.172] 4444 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229924/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229924; rev:1;) alert tcp $HOME_NET any -> [209.145.56.0] 4123 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229922; rev:1;) alert tcp $HOME_NET any -> [206.123.132.236] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229921; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 10258 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229919; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 28363 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229920; rev:1;) alert tcp $HOME_NET any -> [54.38.151.131] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229918; rev:1;) alert tcp $HOME_NET any -> [186.112.202.162] 2404 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229916; rev:1;) alert tcp $HOME_NET any -> [54.38.151.131] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229917; rev:1;) alert tcp $HOME_NET any -> [213.195.120.238] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229915; rev:1;) alert tcp $HOME_NET any -> [185.130.214.116] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229914/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229914; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8007 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229913/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229913; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8005 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229912/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229912; rev:1;) alert tcp 
$HOME_NET any -> [121.37.164.60] 8002 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229910/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229910; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8004 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229911/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229911; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 8081 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229909/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229909; rev:1;) alert tcp $HOME_NET any -> [155.138.142.176] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229908/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229908; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"www.glouton.ca"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229907/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229907; rev:1;) alert tcp $HOME_NET any -> [46.105.83.251] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229906/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229906; rev:1;) alert tcp $HOME_NET any -> [20.234.169.130] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229905/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229905; rev:1;) alert tcp $HOME_NET any -> [20.56.158.50] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229904/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_10; classtype:trojan-activity; sid:91229904; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229902; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229903; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229900; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2096 (msg:"ThreatFox DarkComet botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229901; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229899; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229898; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229896; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 1801 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229897; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 1911 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229895; rev:1;) alert tcp $HOME_NET any -> [67.141.168.212] 4444 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229894; rev:1;) alert tcp $HOME_NET any -> [47.120.37.45] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229893; rev:1;) alert tcp $HOME_NET any -> [121.43.186.227] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229892; rev:1;) alert tcp $HOME_NET any -> [101.200.36.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229890; rev:1;) alert tcp $HOME_NET any -> [47.92.110.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229891; rev:1;) alert tcp $HOME_NET any -> [101.201.59.29] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229889; rev:1;) alert tcp $HOME_NET any -> [101.201.59.29] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229888; rev:1;) alert tcp $HOME_NET any -> [47.99.114.238] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229886; rev:1;) alert tcp $HOME_NET any -> [23.224.198.98] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229887; rev:1;) alert tcp $HOME_NET any -> [107.174.242.74] 20000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229885; rev:1;) alert tcp $HOME_NET any -> [158.247.238.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229884; rev:1;) alert tcp 
$HOME_NET any -> [123.57.206.33] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229882; rev:1;) alert tcp $HOME_NET any -> [45.145.228.224] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229883; rev:1;) alert tcp $HOME_NET any -> [209.146.124.195] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229881; rev:1;) alert tcp $HOME_NET any -> [101.43.211.190] 60020 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229879; rev:1;) alert tcp $HOME_NET any -> [8.137.33.166] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229880; rev:1;) alert tcp $HOME_NET any -> [209.146.124.196] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229877; rev:1;) alert tcp $HOME_NET any -> [182.23.67.109] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229878; rev:1;) alert tcp $HOME_NET any -> [39.104.52.1] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229876; rev:1;) alert tcp $HOME_NET any -> [101.37.85.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229875; rev:1;) alert tcp $HOME_NET any -> [101.33.210.191] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229874; rev:1;) alert tcp $HOME_NET any -> [114.55.72.98] 82 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229872; rev:1;) alert tcp $HOME_NET any -> [120.55.39.237] 80 (msg:"ThreatFox 
Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229873; rev:1;) alert tcp $HOME_NET any -> [47.116.38.40] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229871; rev:1;) alert tcp $HOME_NET any -> [107.174.90.202] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229870; rev:1;) alert tcp $HOME_NET any -> [101.34.28.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229868; rev:1;) alert tcp $HOME_NET any -> [112.124.65.163] 20230 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229869; rev:1;) alert tcp $HOME_NET any -> [209.146.124.197] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229867/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229867; rev:1;) alert tcp $HOME_NET any -> [194.32.149.227] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229866; rev:1;) alert tcp $HOME_NET any -> [110.42.189.52] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229865; rev:1;) alert tcp $HOME_NET any -> [154.8.158.60] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229864; rev:1;) alert tcp $HOME_NET any -> [107.151.247.233] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229862; rev:1;) alert tcp $HOME_NET any -> [209.146.124.199] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229863; rev:1;) alert tcp $HOME_NET any -> [1.94.111.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229861; rev:1;) alert tcp $HOME_NET any -> [121.43.113.36] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229860; rev:1;) alert tcp $HOME_NET any -> [107.151.247.19] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229858; rev:1;) alert tcp $HOME_NET any -> [107.151.247.19] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229859; rev:1;) alert tcp $HOME_NET any -> [152.136.125.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229857; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"freiheit.co.kr"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229856; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"41-216-183-115.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229855; rev:1;) alert tcp $HOME_NET any -> [45.95.146.38] 671 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91229841; rev:1;) alert tcp $HOME_NET any -> [74.48.184.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229854/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229854; rev:1;) alert tcp $HOME_NET any -> [18.170.11.119] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229853/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-2c8ubzu7-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229851; rev:1;) alert dns $HOME_NET 
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-2c8ubzu7-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"content.microsoft.com.w.kunlunca.com"; depth:36; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229848; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; 
http.host; content:"162.14.107.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229847; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"107.175.247.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229846/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229846; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.116.17.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229843/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_10; classtype:trojan-activity; sid:91229843; rev:1;) alert tcp $HOME_NET any -> [3.122.237.119] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229842/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229842; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.emaratalyoum.me"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229840; rev:1;) alert tcp $HOME_NET any -> [91.92.240.61] 65535 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229828; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wealthyman.ddnsfree.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229829/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"124.222.213.61"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229839/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229839; rev:1;) alert tcp $HOME_NET 
any -> [209.146.124.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229838/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/qfdb"; depth:5; nocase; http.host; content:"146.190.120.217"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_10; classtype:trojan-activity; sid:91229837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"60.204.249.156"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229836/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229835/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"119.3.175.203"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229834/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229834; rev:1;) alert tcp $HOME_NET any -> [45.121.48.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229833; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"45.121.48.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229832; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"157.245.158.14"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229831; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"39.104.20.145"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229830/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229830; rev:1;) alert tcp $HOME_NET any -> [101.37.85.231] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229827; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"telemetry-notification.azureedge.net"; depth:36; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"heur-labs.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229825/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229825; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"confident-blackwell.159-223-29-112.plesk.page"; depth:45; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229826/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229826; rev:1;) alert tcp $HOME_NET any -> [159.235.45.136] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229823/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229823; rev:1;) alert tcp $HOME_NET any -> [41.97.128.158] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229822/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229822; rev:1;) alert tcp $HOME_NET any -> [86.98.50.35] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229821; rev:1;) alert tcp $HOME_NET any -> [187.232.174.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229820; rev:1;) alert tcp $HOME_NET any -> [86.96.75.73] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229819; rev:1;) alert tcp $HOME_NET any -> [130.51.20.64] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229818; rev:1;) alert tcp $HOME_NET any -> [161.35.239.147] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229817; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1229816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229816; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229815; rev:1;) alert tcp $HOME_NET any -> [91.92.251.215] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229814; rev:1;) alert tcp $HOME_NET any -> [65.20.101.150] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229813; rev:1;) alert tcp $HOME_NET any -> [52.211.169.127] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229812; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229811; rev:1;) alert tcp $HOME_NET any -> [5.252.179.38] 50666 (msg:"ThreatFox 
Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_10; classtype:trojan-activity; sid:91229810; rev:1;) alert tcp $HOME_NET any -> [91.92.253.220] 80 (msg:"ThreatFox Lumma Stealer payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/2.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/3.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/1.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229787; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sideindexfollowragelrew.pw"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pic/4.exe"; depth:10; nocase; http.host; content:"91.92.253.220"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229786; rev:1;) alert tcp $HOME_NET any -> [38.46.8.66] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"sideindexfollowragelrew.pw"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229784; rev:1;) alert tcp $HOME_NET any -> [38.46.8.67] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; 
sid:91229762; rev:1;) alert tcp $HOME_NET any -> [38.46.8.68] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229763; rev:1;) alert tcp $HOME_NET any -> [38.46.8.69] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229764/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229764; rev:1;) alert tcp $HOME_NET any -> [38.46.8.70] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229765; rev:1;) alert tcp $HOME_NET any -> [157.90.162.211] 1515 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229766; rev:1;) alert tcp $HOME_NET any -> [110.41.19.62] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229767; rev:1;) alert tcp $HOME_NET any -> [175.178.68.156] 10086 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229768; rev:1;) alert tcp $HOME_NET any -> [157.90.162.211] 1111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229769; rev:1;) alert tcp $HOME_NET any -> [185.185.68.164] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229782; rev:1;) alert tcp $HOME_NET any -> [45.11.27.62] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229783; rev:1;) alert tcp $HOME_NET any -> [79.98.45.97] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229809/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229809; rev:1;) alert tcp $HOME_NET any -> [110.41.189.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229807/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229807; rev:1;) alert tcp $HOME_NET any -> [110.41.189.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229806; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-fkkrrv8q-1307850644.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229804; rev:1;) alert tcp $HOME_NET any -> [52.147.121.107] 19530 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; 
classtype:trojan-activity; sid:91229803; rev:1;) alert tcp $HOME_NET any -> [187.135.178.68] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229802/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229802; rev:1;) alert tcp $HOME_NET any -> [43.139.128.212] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229801/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229801; rev:1;) alert tcp $HOME_NET any -> [91.92.252.6] 61715 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229800; rev:1;) alert tcp $HOME_NET any -> [141.255.145.89] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229799/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229799; rev:1;) alert tcp $HOME_NET any -> [203.24.92.243] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229798; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/api/get_log.txt"; depth:16; nocase; http.host; content:"203.24.92.243"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229797; rev:1;) alert tcp $HOME_NET any -> [203.24.92.243] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229796; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get_log.txt"; depth:16; nocase; http.host; content:"64.44.177.178"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_10; classtype:trojan-activity; sid:91229795; rev:1;) alert tcp $HOME_NET any -> [45.61.154.80] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229794/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_10; classtype:trojan-activity; sid:91229794; rev:1;) alert tcp $HOME_NET any -> [23.95.90.63] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229793; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/abc/def/"; depth:9; nocase; http.host; content:"23.95.90.63"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/c/msdownload/update/others/2022/12/29136388_"; depth:45; nocase; http.host; content:"39.99.128.40"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229791; rev:1;) alert tcp $HOME_NET any -> [72.27.79.178] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229781; rev:1;) alert tcp $HOME_NET any -> [88.237.198.37] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229780; rev:1;) alert tcp $HOME_NET any -> [184.96.134.78] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229779; rev:1;) alert tcp $HOME_NET any -> [39.40.159.189] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229778; rev:1;) alert tcp $HOME_NET any -> [197.204.232.211] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229777; rev:1;) alert tcp $HOME_NET any -> [18.162.58.174] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229776; rev:1;) alert tcp $HOME_NET any -> [94.130.198.190] 443 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229775; rev:1;) alert tcp $HOME_NET any -> [120.26.241.141] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229774; rev:1;) alert tcp $HOME_NET any -> [35.180.226.123] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229773; rev:1;) alert tcp $HOME_NET any -> [5.180.155.87] 64765 (msg:"ThreatFox RedLine Stealer botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/httpprocessorbigloadlinux.php"; depth:30; nocase; http.host; content:"tiyeso4885.temp.swtest.ru"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229771; rev:1;) alert tcp $HOME_NET any -> [135.181.242.178] 42473 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"jhueby.diskstation.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/firepro.php"; depth:16; nocase; http.host; content:"77.105.147.130"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229690; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"000197.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229691; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emailmigration.org"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229694; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"weekendstartupshow.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229692; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mpr23-421-c2.westus2.cloudapp.azure.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229693; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.emailmigration.org"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229695; rev:1;) alert tcp $HOME_NET any -> [195.20.16.168] 34926 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"superjunggvbvqq.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229700/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqqqqq.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229701/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"lajunggvbvqq.com"; 
depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229702/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqgroup.com"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"junggvbvqqnet.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"abgggpoh.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229705/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"nisiqniqqsiq.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229706/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_09; classtype:trojan-activity; sid:91229706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mtq4mmuxodbhmtvi/"; depth:18; nocase; http.host; content:"194.26.135.29"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229707/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229707; rev:1;) alert tcp $HOME_NET any -> [142.154.77.0] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229758; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.3280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229757; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hypocrisync.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229756; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4372 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229755/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229755; rev:1;) alert tcp $HOME_NET 
any -> [38.181.56.43] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229754/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229754; rev:1;) alert tcp $HOME_NET any -> [8.219.3.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229753; rev:1;) alert tcp $HOME_NET any -> [4.227.149.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229752; rev:1;) alert tcp $HOME_NET any -> [64.23.150.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229751/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229751; rev:1;) alert tcp $HOME_NET any -> [20.28.145.206] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229750; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.trabede.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229749; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"account.trabede.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229748; rev:1;) alert tcp $HOME_NET any -> [101.35.153.30] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229747; rev:1;) alert tcp $HOME_NET any -> [43.139.61.221] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229746; rev:1;) alert tcp $HOME_NET any -> [101.34.214.78] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229745; rev:1;) alert tcp $HOME_NET any -> [37.110.19.55] 88 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229744; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sharp-hugle.45-141-215-173.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229743/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229743; rev:1;) alert tcp $HOME_NET any -> [91.92.248.67] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229742/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229742; rev:1;) alert tcp $HOME_NET any -> [91.92.248.39] 4444 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229741/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229741; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.nvidiaapp.cloud"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229740/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229740; rev:1;) alert tcp $HOME_NET any -> [88.119.171.83] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229739; rev:1;) alert tcp $HOME_NET any -> [173.249.59.190] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229738; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"o-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229737; rev:1;) alert tcp $HOME_NET any -> [168.1.193.211] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229736; rev:1;) alert tcp $HOME_NET any -> [35.197.55.147] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229735; rev:1;) alert tcp $HOME_NET any -> [3.26.24.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229734; rev:1;) alert tcp $HOME_NET any -> [38.54.63.8] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229733; rev:1;) alert tcp $HOME_NET 
any -> [92.46.172.137] 636 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229732; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 46949 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229730; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 427 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229731; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 29256 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229728; rev:1;) alert tcp $HOME_NET any -> [92.46.172.137] 36274 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229729; rev:1;) alert tcp $HOME_NET any -> [186.112.202.162] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229727/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229727; rev:1;) alert tcp $HOME_NET any -> [47.243.104.165] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"supershell.dongling.xyz"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229725; rev:1;) alert tcp $HOME_NET any -> [139.159.250.245] 38888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229724; rev:1;) alert tcp $HOME_NET any -> [35.180.226.123] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229723/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229723; rev:1;) alert tcp $HOME_NET any -> [47.57.12.167] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229722; rev:1;) alert tcp $HOME_NET any -> [47.92.110.61] 80 (msg:"ThreatFox Cobalt Strike botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229721; rev:1;) alert tcp $HOME_NET any -> [111.230.30.197] 65262 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229720; rev:1;) alert tcp $HOME_NET any -> [165.232.70.231] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229719; rev:1;) alert tcp $HOME_NET any -> [47.113.147.219] 8063 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229718; rev:1;) alert tcp $HOME_NET any -> [192.144.219.118] 8845 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229716; rev:1;) alert tcp $HOME_NET any -> [190.92.227.9] 60060 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229717/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_09; classtype:trojan-activity; sid:91229717; rev:1;) alert tcp $HOME_NET any -> [112.124.23.19] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229715; rev:1;) alert tcp $HOME_NET any -> [116.62.123.217] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229713; rev:1;) alert tcp $HOME_NET any -> [39.99.141.149] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229714; rev:1;) alert tcp $HOME_NET any -> [147.78.47.184] 1455 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229712; rev:1;) alert tcp $HOME_NET any -> [47.94.56.161] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229711; rev:1;) alert tcp $HOME_NET any -> [47.108.236.50] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229710; rev:1;) alert tcp $HOME_NET any -> [194.87.196.79] 5557 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229709; rev:1;) alert tcp $HOME_NET any -> [52.221.252.111] 8389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229708; rev:1;) alert tcp $HOME_NET any -> [91.92.246.124] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229699/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_09; classtype:trojan-activity; sid:91229699; rev:1;) alert tcp $HOME_NET any -> [123.60.88.219] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229698/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229698; rev:1;) alert tcp $HOME_NET any -> [89.23.118.243] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229697/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229697; rev:1;) alert tcp 
$HOME_NET any -> [14.99.115.211] 443 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229689/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229689; rev:1;) alert tcp $HOME_NET any -> [170.130.55.92] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229686; rev:1;) alert tcp $HOME_NET any -> [107.158.62.160] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229688/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/4update/httpcdndle/eternalprovider1multi/betterphp/dleupdate/securetemporaryapicentral/lowtestproviderprotect/cdnupdatemariadb/proton/javascripttrackpipe6/6vm/base/secure/db/async8/defaulttemp.php"; depth:197; nocase; http.host; content:"89.23.112.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229687; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"110.40.184.247"; depth:14; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229685; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229684; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"47.120.37.45"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229682; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"federalstudentaid-usdepartmentofeducation.tandemcyberops.co"; depth:59; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229680; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229678; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/idle/1376547834/1"; depth:18; nocase; http.host; content:"95.164.35.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229677; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; 
depth:12; nocase; http.host; content:"150.158.45.62"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229676; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"219.151.137.139"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229675; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"120.222.152.106"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229674; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"1.62.64.108"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229673; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"120.222.152.85"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1229672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229672; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/static/js/jquery-3.3.1.min.js"; depth:30; nocase; http.host; content:"124.225.14.210"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229671; rev:1;) alert tcp $HOME_NET any -> [108.181.166.130] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229670/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229670; rev:1;) alert tcp $HOME_NET any -> [157.245.158.14] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229669/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229669; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bigloadwpdleprivatedownloadstemporary.php"; depth:42; nocase; http.host; content:"775515cm.n9shteam1.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229666; rev:1;) alert tcp $HOME_NET any -> [80.92.204.241] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229668/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229668; rev:1;) alert tcp $HOME_NET any -> [80.92.204.233] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229667/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229667; rev:1;) alert tcp $HOME_NET any -> [95.54.8.107] 3112 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229665; rev:1;) alert tcp $HOME_NET any -> [75.90.35.49] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229664; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jhueby.diskstation.me"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229663; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"jhueby.diskstation.me"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229662/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229662; rev:1;) alert tcp $HOME_NET any -> [111.92.243.236] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229661; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/claim/servlets-examples/i2i52xqkqqzf"; depth:37; nocase; http.host; content:"111.92.243.236"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229660; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229659; rev:1;) alert tcp $HOME_NET any -> [65.21.188.123] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229658; rev:1;) alert tcp $HOME_NET any -> [49.12.114.15] 10220 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229656/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229656; rev:1;) alert tcp $HOME_NET any -> [168.119.106.20] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229657; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.21.188.123"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229654; rev:1;) alert tcp $HOME_NET any -> [95.217.25.10] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229655; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"168.119.106.20"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229653; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199601319247"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229652; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"95.217.25.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229651; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bg3goty"; depth:8; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229650; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"49.12.114.15"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229649; rev:1;) alert tcp $HOME_NET any -> [119.3.175.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229648/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"hk-once.520226.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229637; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 7890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229646; rev:1;) alert tcp $HOME_NET any -> [124.221.237.200] 7891 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229647; rev:1;) alert tcp $HOME_NET any -> [94.49.45.216] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229645/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229645; rev:1;) alert tcp $HOME_NET any -> [159.0.5.190] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229644/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229644; rev:1;) alert tcp $HOME_NET any -> [103.156.171.39] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229643/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; 
classtype:trojan-activity; sid:91229643; rev:1;) alert tcp $HOME_NET any -> [45.76.145.241] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229642/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229642; rev:1;) alert tcp $HOME_NET any -> [34.203.229.137] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229641/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229641; rev:1;) alert tcp $HOME_NET any -> [103.113.100.99] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229640/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229640; rev:1;) alert tcp $HOME_NET any -> [114.83.4.23] 15780 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229639/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229639; rev:1;) alert tcp $HOME_NET any -> [54.93.117.12] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229638/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_09; classtype:trojan-activity; sid:91229638; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; 
depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.com"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229541/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229541; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.xyz"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229542/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229542; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.site"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229543/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229543; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalanka1.shop"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229544/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229544; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankada1.shop"; depth:17; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229545/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229545; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankahs21.shop"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229546/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229546; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankasga61.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229547/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229547; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/njkxzjrjmjnlyty4/"; depth:18; nocase; http.host; content:"cmkalankakms51.shop"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229548; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"111.90.141.192"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229560; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"lilisiaplaksiminailmas.net"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229540/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229540; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mzrlzgfmyzq5nzc0/"; depth:18; nocase; http.host; content:"2.57.149.175"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229539/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229539; rev:1;) alert tcp $HOME_NET any -> [193.233.132.95] 3699 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229535; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"80.66.79.248"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229559; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.177.94.180"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229561; rev:1;)
#
# --- Review notes for the rules in this span (ThreatFox C2 / payload-delivery IoCs) ---
# Conventions visible in every rule below:
#  * sid is "9" followed by the ThreatFox IoC id taken from reference:url
#    (e.g. ioc/1229636/ -> sid:91229636); all rules are rev:1.
#  * ip:port rules (`alert tcp $HOME_NET any -> [ip] port`) carry no payload match, so any TCP
#    session from $HOME_NET to that ip:port alerts; `threshold: type limit, track by_src,
#    seconds 60, count 1` limits this to one alert per internal source address per 60 s.
#  * `target:src_ip` flags the $HOME_NET side (the client) as the affected host in the alert.
#  * url rules: http.method GET, http.uri matched with depth equal to the pattern length plus
#    `isdataat:!1,relative`, i.e. the request path must equal the pattern exactly (nocase);
#    http.host is matched the same way, so only that exact host/IP triggers the rule.
#  * domain rules: exact dns_query match on the name, nocase, fast_pattern.
#  * metadata confidence_level repeats the percentage in msg; entries below 100% (ShadowPad 90,
#    Sliver 90, Meterpreter 80, one Cobalt Strike 80, QakBot 50, one Havoc 50, one Unknown 50)
#    are lower-confidence and worth corroborating (e.g. with the url/domain rules for the same
#    host, or with a second sensor) before acting on them.
#  * first_seen is the ThreatFox date for the IoC; ids appear to descend roughly by submission order.
# Rules are listed one per line; the fragment above and the one at the end of this span belong
# to rules that start/end outside it and are left as they are.
#
# BianLian and unattributed ("Unknown malware") C2 endpoints, first_seen 2024_01_09.
alert tcp $HOME_NET any -> [136.244.98.49] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229636; rev:1;)
alert tcp $HOME_NET any -> [5.161.223.88] 4104 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229635; rev:1;)
alert tcp $HOME_NET any -> [2.139.237.194] 8087 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229634; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4398 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229633; rev:1;)
alert tcp $HOME_NET any -> [194.67.87.250] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229632; rev:1;)
alert tcp $HOME_NET any -> [20.28.238.153] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229631/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229631; rev:1;)
# Several "Unknown" entries below sit on 443/8443; with no payload match, any TLS session to
# the ip:port alerts, so expect these to need tuning if the address is a shared hosting node.
alert tcp $HOME_NET any -> [44.216.132.79] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229630/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229630; rev:1;)
alert tcp $HOME_NET any -> [202.155.238.7] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229628; rev:1;)
alert tcp $HOME_NET any -> [123.56.134.143] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229629; rev:1;)
alert tcp $HOME_NET any -> [18.184.225.151] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229627; rev:1;)
alert tcp $HOME_NET any -> [110.42.156.84] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229626; rev:1;)
alert tcp $HOME_NET any -> [34.236.127.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229625; rev:1;)
alert tcp $HOME_NET any -> [116.202.1.25] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229624; rev:1;)
alert tcp $HOME_NET any -> [3.140.108.240] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229623; rev:1;)
alert tcp $HOME_NET any -> [123.60.168.6] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229622; rev:1;)
alert tcp $HOME_NET any -> [34.79.204.1] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229621; rev:1;)
# Named-family C2 endpoints: Kaiji, RisePro, PoshC2, Venom RAT, Havoc.
alert tcp $HOME_NET any -> [173.249.198.97] 8888 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229620; rev:1;)
alert tcp $HOME_NET any -> [45.81.235.110] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229619; rev:1;)
alert tcp $HOME_NET any -> [195.20.16.207] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229618; rev:1;)
alert tcp $HOME_NET any -> [161.35.21.152] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229617; rev:1;)
alert tcp $HOME_NET any -> [103.42.30.21] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229616; rev:1;)
# 34.239.255.86 also appears further down on port 80 as a 50%-confidence Havoc entry (sid:91229532);
# both alerts on one host from the same source should be treated as one incident.
alert tcp $HOME_NET any -> [34.239.255.86] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229615; rev:1;)
alert tcp $HOME_NET any -> [179.96.164.83] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229614; rev:1;)
# Quasar RAT: six hosts in 223.155.16.0/24 all listening on 23333, plus one on 25565.
alert tcp $HOME_NET any -> [223.155.16.102] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229613; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.114] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229612; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.115] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229610; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.119] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229611; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.109] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229609; rev:1;)
alert tcp $HOME_NET any -> [223.155.16.95] 23333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229607; rev:1;)
alert tcp $HOME_NET any -> [217.208.240.203] 25565 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229608; rev:1;)
# Domain IoC: exact dns_query match on the C2 name (no subdomain/suffix variants).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"znwfb3.buzz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229606; rev:1;)
# Hook (Android banker) C2 on plain port 80.
alert tcp $HOME_NET any -> [176.123.168.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229605; rev:1;)
alert tcp $HOME_NET any -> [185.211.170.96] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229604; rev:1;)
# AsyncRAT C2 endpoints; 144.126.128.158 is listed on two ports (7777 and 8888).
alert tcp $HOME_NET any -> [185.172.128.52] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229603; rev:1;)
alert tcp $HOME_NET any -> [213.195.112.94] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229602; rev:1;)
alert tcp $HOME_NET any -> [144.126.128.158] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229600; rev:1;)
alert tcp $HOME_NET any -> [144.126.128.158] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229601; rev:1;)
alert tcp $HOME_NET any -> [82.65.19.134] 4443 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229599; rev:1;)
alert tcp $HOME_NET any -> [8.217.161.236] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229598; rev:1;)
alert tcp $HOME_NET any -> [43.129.232.211] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229597/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229597; rev:1;)
# ShadowPad: five hosts on port 8000 at 90% confidence (confidence_level 90 in metadata).
alert tcp $HOME_NET any -> [123.60.174.4] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229596/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229596; rev:1;)
alert tcp $HOME_NET any -> [60.204.211.54] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229595/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229595; rev:1;)
alert tcp $HOME_NET any -> [124.71.188.124] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229594/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229594; rev:1;)
alert tcp $HOME_NET any -> [121.37.164.60] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229593/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229593; rev:1;)
alert tcp $HOME_NET any -> [1.94.125.189] 8000 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229592/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229592; rev:1;)
# Sliver: three hosts on 443 at 90% confidence; two are adjacent in 5.8.10.0/24.
alert tcp $HOME_NET any -> [5.8.10.66] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229591/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229591; rev:1;)
alert tcp $HOME_NET any -> [44.222.150.23] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229590/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229590; rev:1;)
alert tcp $HOME_NET any -> [5.8.10.71] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229589/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_09; classtype:trojan-activity; sid:91229589; rev:1;)
# DarkComet: one host (187.135.178.86) with seven listener ports, one rule per port. Each
# port alerts independently, so a single client can raise up to seven alerts per minute.
alert tcp $HOME_NET any -> [187.135.178.86] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229588; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 1608 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229587; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 2233 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229586; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229585; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229583; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229584; rev:1;)
alert tcp $HOME_NET any -> [187.135.178.86] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229582; rev:1;)
# Cobalt Strike team servers. Many are on 80/443 with no payload match; 120.46.152.54 is listed
# twice (4444 and 80). Without a JA3/HTTP profile match these are pure ip:port hits.
alert tcp $HOME_NET any -> [123.56.64.225] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229580; rev:1;)
alert tcp $HOME_NET any -> [121.41.0.213] 123 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229581; rev:1;)
alert tcp $HOME_NET any -> [8.140.48.59] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229579; rev:1;)
alert tcp $HOME_NET any -> [182.92.127.203] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229578; rev:1;)
alert tcp $HOME_NET any -> [8.130.116.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229576; rev:1;)
alert tcp $HOME_NET any -> [47.57.12.167] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229577; rev:1;)
alert tcp $HOME_NET any -> [101.200.122.80] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229575; rev:1;)
alert tcp $HOME_NET any -> [47.94.199.234] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229574; rev:1;)
alert tcp $HOME_NET any -> [114.55.232.33] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229573; rev:1;)
alert tcp $HOME_NET any -> [120.46.152.54] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229571; rev:1;)
alert tcp $HOME_NET any -> [110.41.16.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229572; rev:1;)
alert tcp $HOME_NET any -> [120.46.152.54] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229570; rev:1;)
alert tcp $HOME_NET any -> [103.234.72.30] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229568; rev:1;)
alert tcp $HOME_NET any -> [185.94.165.120] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229569; rev:1;)
alert tcp $HOME_NET any -> [172.233.72.15] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229567; rev:1;)
alert tcp $HOME_NET any -> [75.90.35.49] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229566; rev:1;)
alert tcp $HOME_NET any -> [8.137.33.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229565; rev:1;)
alert tcp $HOME_NET any -> [82.157.255.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229564; rev:1;)
alert tcp $HOME_NET any -> [62.234.46.238] 4320 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229563; rev:1;)
alert tcp $HOME_NET any -> [124.222.117.74] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229562; rev:1;)
# URL IoC on a raw IP host: the 165-byte path is matched exactly (depth:165 + isdataat:!1),
# so only this precise request to 185.251.91.215 alerts.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/3cdn/base5securepublic/dle7sqlline/1video/php_/sqldump/8pipepython/dumptemptrafficexternal/defaultjavascript0/externalimagevmrequestpolllowlongpollservercentral.php"; depth:165; nocase; http.host; content:"185.251.91.215"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_09; classtype:trojan-activity; sid:91229558; rev:1;)
# Meterpreter handler at 80% confidence.
alert tcp $HOME_NET any -> [80.78.25.228] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229557/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_09; classtype:trojan-activity; sid:91229557; rev:1;)
# From here on first_seen is 2024_01_08. Two nyashtech.top subdomains (045134cm., 526775cm.)
# appear in this span; each rule matches only its own subdomain, not the parent domain.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/phpjavascriptbasewordpresstempdownloads.php"; depth:44; nocase; http.host; content:"045134cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229556; rev:1;)
alert tcp $HOME_NET any -> [141.255.152.155] 2222 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229555; rev:1;)
alert tcp $HOME_NET any -> [141.255.152.155] 4444 (msg:"ThreatFox CyberGate botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229554; rev:1;)
# 111.230.119.183 is covered twice: a url rule for the exact path "/api/x" and a Cobalt Strike
# ip:port rule on 443; the url rule only fires for cleartext HTTP that Suricata can parse.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"111.230.119.183"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229552; rev:1;)
alert tcp $HOME_NET any -> [111.230.119.183] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229553; rev:1;)
alert tcp $HOME_NET any -> [91.92.253.212] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229551; rev:1;)
# CDN-hosted C2: the domain rule keys on one specific cloudfront.net distribution hostname, and
# the url rule pairs it with a generic-looking path (/jquery-3.3.1.min.js), so the host match
# is what makes that rule specific. Distribution hostnames can be recycled; verify before blocking.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d1railx6y20syj.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229550; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"d1railx6y20syj.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229549; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternallinejspacketlowprotectsqldbgeneratorcdn.php"; depth:51; nocase; http.host; content:"526775cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229538; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"111.231.31.198"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229537; rev:1;)
alert tcp $HOME_NET any -> [95.56.104.12] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229536; rev:1;)
# 50%-confidence entries (QakBot, Havoc, Unknown): the 993 hit in particular is on the IMAPS
# port, so a match alone is weak evidence and should be corroborated before response.
alert tcp $HOME_NET any -> [188.173.33.11] 993 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229534/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229534; rev:1;)
alert tcp $HOME_NET any -> [31.117.230.129] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229533/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229533; rev:1;)
alert tcp $HOME_NET any -> [34.239.255.86] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229532/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229532; rev:1;)
alert tcp $HOME_NET any -> [64.176.66.86] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229531/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229531; rev:1;)
# Three url rules share the exact path "/api" and differ only in http.host; the host match
# carries all of the specificity here.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"evokenumberpottruckere.fun"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229530; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"goddirtybrilliancece.fun"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229525; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"revivalconflictgrippe.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229526; rev:1;)
# NjRAT: three hosts sharing port 13739.
alert tcp $HOME_NET any -> [3.127.253.86] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229529; rev:1;)
alert tcp $HOME_NET any -> [3.121.139.82] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229528; rev:1;)
alert tcp $HOME_NET any -> [18.198.77.177] 13739 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229527; rev:1;)
# Cobalt Strike at 80% confidence (the only CS entry in this span below 100%).
alert tcp $HOME_NET any -> [45.138.157.57] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229524; rev:1;)
alert tcp $HOME_NET any -> [46.246.6.15] 1234 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229523; rev:1;)
alert tcp $HOME_NET any -> [43.142.183.159] 8444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229522; rev:1;)
alert tcp $HOME_NET any -> [43.142.183.159] 8445 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229521; rev:1;)
alert tcp $HOME_NET any -> [117.120.62.147] 6666 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229520; rev:1;)
alert tcp $HOME_NET any -> [155.94.140.13] 4493 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229519; rev:1;)
alert tcp $HOME_NET any -> [147.185.221.17] 9561 (msg:"ThreatFox Revenge RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229518; rev:1;)
alert tcp $HOME_NET any -> [198.23.254.30] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229516; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mss.supportflash.pics"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229517/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229517; rev:1;)
# Payload-delivery staging on 103.171.0.200: the directory rule matches only the bare
# "/mrcheng/" request (depth:9 + isdataat:!1); each hosted file has its own exact-path rule,
# so a new file name under the same directory would need a new rule (or a host-only rule).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/"; depth:9; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229515; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/alucmon.wav"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229475; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/dxwxrelllvk.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229476; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/eucjlrz.vdf"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229477; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fmbidfqiew.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229478; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload 
delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fujgch.mp3"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229479; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/hreelq.wav"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229480; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ikfnlucrfeq.dat"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229481; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/jystkgzqv.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229482; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/mrcheng/kzdzejqjq.mp4"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229483; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/mpsenzr.mp3"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229484; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/nmszdiichnu.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229485; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ogzgi.wav"; depth:18; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229486; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/pqcdghctwi.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1229487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229487; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qfvxqoncr.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229488; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qgkltuqpt.vdf"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qwuhtbm.mp4"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qjwhtxehdqw.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/sxkainlspoh.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/wyfeklim.pdf"; depth:21; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/alucmon.wav"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/dxwxrelllvk.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/eucjlrz.vdf"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fmbidfqiew.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229497/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/fujgch.mp3"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229498/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/hreelq.wav"; depth:19; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229499/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ikfnlucrfeq.dat"; depth:24; nocase; 
http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229500/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/jystkgzqv.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229501/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/kzdzejqjq.mp4"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229502/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/mpsenzr.mp3"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229503/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/nmszdiichnu.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229504/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/ogzgi.wav"; depth:18; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229505/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qgkltuqpt.vdf"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229508/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/pqcdghctwi.wav"; depth:23; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229506/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qfvxqoncr.wav"; depth:22; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229507/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229507; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qjwhtxehdqw.mp3"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229509; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/qwuhtbm.mp4"; depth:20; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229510; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/sxkainlspoh.wav"; depth:24; nocase; http.host; content:"103.171.0.200"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229511; rev:1;) alert tcp $HOME_NET any -> [103.171.0.200] 80 (msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229513; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mrcheng/wyfeklim.pdf"; depth:21; nocase; http.host; content:"103.171.0.200"; depth:13; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229512; rev:1;) alert tcp $HOME_NET any -> [103.171.0.200] 443 (msg:"ThreatFox zgRAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229514; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229462; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.145"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229463; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/cache.php"; depth:17; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229464; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ewmrgqnaww.php"; depth:15; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229465; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/letter.php"; depth:17; nocase; http.host; content:"choosetotruck.com"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229466; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/data.php"; depth:9; nocase; http.host; content:"boxtechcompany.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229469; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"boxtechcompany.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229467; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"188.127.224.160"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229468; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.181.156.235"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229470; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"0.whitelinetosplit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229471; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2.whitelinetosplit.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229472; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"from.whitelinetosplit.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229473; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goto.whitelinetosplit.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1229474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229474; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"frenchpies.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229460; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"213.171.14.82"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229461; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bjz1khvv"; depth:9; nocase; http.host; content:"nowordshere.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229458; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"nowordshere.org"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229459; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"restraining.allstardriving.org"; depth:30; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229456; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"185.130.47.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229457; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 36499 (msg:"ThreatFox XWorm botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229440/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229440; rev:1;) alert tcp $HOME_NET any -> [34.154.74.85] 587 (msg:"ThreatFox Agent Tesla botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229454; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 58297 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229453; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login.jsp"; depth:10; nocase; http.host; content:"121.37.206.148"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229455; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"45.207.45.188"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229452; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"161.35.186.154"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229451; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"85.208.109.15"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229450; rev:1;) alert tcp $HOME_NET any -> [217.165.232.41] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229449/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229449; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.tpowe2.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229448; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.m18888.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229447; rev:1;) alert tcp $HOME_NET any -> [188.164.199.44] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229446; rev:1;) alert tcp $HOME_NET any -> [15.229.2.119] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229445; rev:1;) alert tcp $HOME_NET any -> [20.83.179.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229444; rev:1;) alert tcp $HOME_NET any -> [159.75.174.82] 60000 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229443; rev:1;) alert tcp $HOME_NET any -> [207.2.123.65] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229442; rev:1;) alert tcp $HOME_NET any -> [175.178.39.16] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229441; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"get.specialcraftbox.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229405/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229405; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service.specialcraftbox.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229406/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229406; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"soft.specialcraftbox.com"; depth:24; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229407/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229407; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"43.129.187.60"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229439; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-52-5-62-203.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229438; rev:1;) alert tcp $HOME_NET any -> [34.249.99.131] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229437; rev:1;) alert tcp $HOME_NET any -> [103.82.26.41] 4447 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229436; rev:1;) alert tcp $HOME_NET any -> [103.42.30.42] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229435; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"esdm-internal.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229434; rev:1;) alert tcp $HOME_NET any -> [175.16.147.232] 8089 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229433; rev:1;) alert tcp $HOME_NET any -> [191.82.240.73] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229432; rev:1;) alert tcp $HOME_NET any -> [154.9.227.45] 6774 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229431; rev:1;) alert tcp $HOME_NET any -> [119.160.235.251] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229430; rev:1;) alert tcp $HOME_NET any -> [104.233.210.104] 80 
(msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229429; rev:1;) alert tcp $HOME_NET any -> [149.154.70.118] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229428; rev:1;) alert tcp $HOME_NET any -> [91.224.92.176] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229427; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229425; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229426; rev:1;) alert tcp $HOME_NET any -> [43.142.51.234] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229424/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_08; classtype:trojan-activity; sid:91229424; rev:1;) alert tcp $HOME_NET any -> [123.60.174.4] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229423/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229423; rev:1;) alert tcp $HOME_NET any -> [60.204.211.54] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229422/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229422; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8003 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229421/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229421; rev:1;) alert tcp $HOME_NET any -> [121.37.164.60] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229420/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229420; rev:1;) alert tcp $HOME_NET any -> [124.71.188.124] 8001 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229419/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229419; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229418; rev:1;) alert tcp $HOME_NET any -> [120.27.247.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229416; rev:1;) alert tcp $HOME_NET any -> [60.204.152.185] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229417; rev:1;) alert tcp $HOME_NET any -> [47.104.28.38] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229415; rev:1;) alert tcp $HOME_NET any -> [47.104.28.38] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229414; rev:1;) alert tcp $HOME_NET any -> [47.120.16.255] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229413/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229413; rev:1;) alert tcp 
$HOME_NET any -> [206.237.5.20] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229412/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229412; rev:1;) alert tcp $HOME_NET any -> [47.115.208.55] 8001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229411; rev:1;) alert tcp $HOME_NET any -> [38.150.3.24] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229410/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229410; rev:1;) alert tcp $HOME_NET any -> [8.130.92.31] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229409/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229409; rev:1;) alert tcp $HOME_NET any -> [103.234.72.30] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229408/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229408; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alehej54.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229384/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229384; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alehmv64.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229385/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229385; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alejcw73.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229386/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229386; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alekah57.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229387/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229387; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alenep53.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229388/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229388; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleqxd56.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229389; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevfe67.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229390; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alexfy76.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229391; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezop66.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229392/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229392; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezqi75.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229393; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"aleeyd31.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229394; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"alefuk34.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229395/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229395; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alepvb33.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229399/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229399; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alerhb46.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229400/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229400; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alelof36.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229396/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229396; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alenjf44.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229397/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229397; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alensr26.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229398/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229398; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alesxu45.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229401/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229401; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alevju41.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229402/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229402; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezjy47.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229403/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229403; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alezno43.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229404/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229404; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g9jjjbnadshz/index.php"; depth:23; nocase; http.host; content:"rubyonthewal.xyz"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229383/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_08; classtype:trojan-activity; sid:91229383; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229345; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229344; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229341/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229341; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229342; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229343; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229338; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229339; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229340; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229336; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229337; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1229333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229333; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229335; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229329; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229332; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229334; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229330/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229330; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229331; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15sb.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(domain - confidence level: 100%)"; dns_query; content:"qofifteen15vt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229323; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229324; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofive5pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229325; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qitvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229318; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qofifteen15ht.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1229320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qitvelv12vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qithirt13vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229317; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qisix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229313; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qisix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229314; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qiten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229315; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qinein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229312; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qileven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229310; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qinein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229311; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229308/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229308; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain 
- confidence level: 100%)"; dns_query; content:"qifourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229309; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229306/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229306; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229307; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qififteen15pt.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229303; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qififteen15vs.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229304; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qifive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; 
reference:url, threatfox.abuse.ch/ioc/1229305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229305; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229347; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qonein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229346; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229348; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229350; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229352/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qosix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229353; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229354; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - 
confidence level: 100%)"; dns_query; content:"qoten10pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229356; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229357/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229357; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qoten10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229362; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229363; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229364; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qothirt13vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229365; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229366; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229368; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229367/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229367; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229369; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229370/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229370; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qotvelv12vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229371/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229371; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 
100%)"; dns_query; content:"qpfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229372/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229372; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpfourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229373/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229373; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229374/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229374; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229375/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229375; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229376/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229376; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1229377/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229377; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229378/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229378; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qpnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229379/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229379; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptvelv12ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229380/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229380; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptvelv12sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229381/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229381; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qptwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229382/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229382; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229298; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229299; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229300; rev:1;) alert tcp $HOME_NET any -> [124.223.64.88] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229302/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229302; rev:1;) alert tcp $HOME_NET any -> [211.76.170.240] 443 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229301/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91229301; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qdseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229235; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229236; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229237; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229238; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdsix6vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229239; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229240/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229240; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229241; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdten10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229242; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229243; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13pt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229244; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13vs.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229246; rev:1;) alert 
dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229247; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthirteen13sb.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229245; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229248; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229249; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229250; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"qdthre3vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229251; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229252; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229253; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229254; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229255; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229256/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229256; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229257/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229257; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229258/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229258; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229259/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229259; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229260; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229261; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229262/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229262; rev:1;)
#
# ---------------------------------------------------------------------------
# ThreatFox auto-generated rules, IoCs first seen 2024-01-08.
# Reformatted one rule per line; rule bodies are unchanged. Do not hand-edit
# IoC values here - regenerate from the feed instead. Every sid in this
# section is "9" prepended to the ThreatFox IoC id in the reference URL.
#
# How these rules match (follows directly from the keywords used):
#  * dns rules: content length == depth and isdataat:!1,relative, so the
#    queried name must EQUAL the IoC (nocase). A lookup for a subdomain such
#    as "www.<ioc>" does not match.
#  * http "url" rules: the URI content has depth == length but no isdataat,
#    so it is a case-insensitive PREFIX match on the path (e.g. "/ca" also
#    matches "/cart"). The Host header, however, must equal the pinned IP or
#    domain exactly, which is what keeps the short prefixes from firing on
#    unrelated traffic. Only GET requests on an established flow are checked.
#  * tcp "ip:port" rules: no flow keyword, so any packet from $HOME_NET to
#    the IP:443 alerts, including an unanswered SYN; threshold type limit,
#    track by_src, 60s, count 1 caps this at one alert per source per minute.
#  * target:src_ip marks the internal client ($HOME_NET side) as the victim
#    in the alert record.
# The url rules in this section carry no malware-family name in msg; only
# the two FAKEUPDATES and one Cobalt Strike ip:port rules below are labelled.
# ---------------------------------------------------------------------------
#
# DNS lookups of C2 domains.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229263; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11vt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229264; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229265; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229266; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229267; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229268; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1pn.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229269; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229270; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229271; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229272; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7pn.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229273; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229274; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7sr.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229275; rev:1;)
# Feed order is not sid order (1229277 precedes 1229276); harmless, kept as emitted.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229277; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229276; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229278; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229279; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229280; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229281; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229282; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13vt.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229284; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1vs.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229233; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdseven7ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229234; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229232; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229229; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229230; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdone1sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229231; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229227; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229228; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229225; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229226; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229224; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229223; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14pt.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229221; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229222; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229220; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229218; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229219; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229216; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfour4pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229217; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229215; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229214; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdfive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229212; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qd10ten.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229210; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qdeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229211; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkblk02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229205; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbmy02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbpl02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kykudat.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbau02.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229204; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hkbmix02.online"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229206; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13pn.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229283; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229285/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229285; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229286; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229287; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229288; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2sr.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229289; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qftwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229290; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11pt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229292; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11ht.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229291; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229294; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qleven11sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229293; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qstwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229295; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ddesign.3utilities.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229296; rev:1;)
#
# FAKEUPDATES payload-delivery hosts (ip:port). No flow keyword: a single
# SYN from an internal host already alerts; limited to one alert/src/minute.
alert tcp $HOME_NET any -> [185.185.68.48] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229297; rev:1;)
# Payload-delivery domains (same exact-match semantics as the C2 dns rules).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cloudwebhub.pro"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229200; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"nowordshere.org"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229201; rev:1;)
alert tcp $HOME_NET any -> [82.97.241.207] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229202; rev:1;)
#
# HTTP C2 check-in URLs: GET + URI prefix (nocase) + exact Host header.
# Several short prefixes ("/ca", "/ptj", "/push", "/load", "/match") appear
# against different hosts; each rule is still scoped by its own Host value.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"116.198.11.22"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229199; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229198; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"110.41.11.72"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229197; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"123.249.101.92"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229196; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"43.138.62.36"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"sanjianke.icu"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229194; rev:1;)
# NOTE(review): sid 91229193 and sid 91229190 (below) have identical match
# conditions (GET /async/newtab_ogb, Host 74.235.187.46) under two IoC ids, so
# one matching request raises two alerts. If that is unwanted, suppress one
# sid in local threshold/disable config rather than editing the feed.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_ogb"; depth:17; nocase; http.host; content:"74.235.187.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229193; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"147.139.32.75"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229192; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229191/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229191; rev:1;)
# Duplicate of sid 91229193 (see note above); kept because the feed lists it
# as a distinct IoC id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/async/newtab_ogb"; depth:17; nocase; http.host; content:"74.235.187.46"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229190; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"36.99.39.121"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229189; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"192.144.220.12"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229188; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/secure.html"; depth:12; nocase; http.host; content:"20.49.255.240"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229187; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"101.132.182.180"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229186; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229185; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"4.194.41.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229184; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229183; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229182; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229181; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"1.13.17.173"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229180; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"101.35.253.212"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229179; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229178; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.127.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229177; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/users.jsp"; depth:10; nocase; http.host; content:"helloone.accountants.monster"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229176; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229175; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229174; rev:1;)
# The next two IoCs cover the same host: the url rule needs an established
# HTTP GET, the dns rule fires on the name lookup alone (exact name match).
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apiv8/getstatus"; depth:16; nocase; http.host; content:"seruvadessigen.3utilities.com"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229172; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"seruvadessigen.3utilities.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229173; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229171; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"101.43.30.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229170; rev:1;)
# Same url + dns pairing for locall.miragov.info.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_/scs/mail-static/_/js/"; depth:24; nocase; http.host; content:"locall.miragov.info"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locall.miragov.info"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229169; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"146.56.234.203"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229167; rev:1;)
# Cobalt Strike C2 (ip:port); same any-packet + threshold semantics as the
# FAKEUPDATES ip:port rules above.
alert tcp $HOME_NET any -> [3.137.178.137] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229166; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"workday.us.org"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229165/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229165; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en-us/silentauth"; depth:17; nocase; http.host; 
content:"workday.us.org"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229164; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229163; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3se9ewodke339f0e83.connectivitytests.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229162; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-4.6.0.min.js"; depth:20; nocase; http.host; content:"107.172.16.172"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229161; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"124.222.173.133"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229160; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"101.201.57.173"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229159; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"42.193.119.4"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229158; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229157; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"52.226.247.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229156; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/jquery-3.7.1.min.js"; depth:20; nocase; http.host; content:"159.65.150.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229155; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp06/wp-includes/po.php"; depth:24; nocase; http.host; content:"success.165gov.cyou"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229153; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"success.165gov.cyou"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229154; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"120.27.212.14"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229152; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"107.175.247.197"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229151; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"143.198.101.149"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229150; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d20tk7ygz8ugsj.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229149; rev:1;) alert tcp $HOME_NET any -> [8.138.82.105] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229148; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"8.134.80.227"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229147; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.110.253.157"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229146; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"199.195.252.200"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229145; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-rbr85ft5-1259685312.cd.apigw.tencentcs.com"; depth:50; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229144; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/get"; depth:8; nocase; http.host; content:"service-rbr85ft5-1259685312.cd.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229143; rev:1;) alert tcp $HOME_NET any -> [65.49.210.124] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229142; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence 
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"check.cloudupdateserver.cloudns.org"; depth:35; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229140; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"check.cloudupdateserver.cloudns.org"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.goodljlagfhssss.live"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229139/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229139; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"1.94.67.222"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/case.css"; depth:9; nocase; http.host; content:"cins.hin7lostvas.pro"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229137/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"101.200.72.45"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229136; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.99.151.68"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"121.4.59.117"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229133; rev:1;) alert tcp $HOME_NET any -> [8.130.94.202] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229132; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"test.wiiooiij.tk"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"test.wiiooiij.tk"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"185.196.9.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.223.64.88"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229128/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229128; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api-opt-2023-gfr/3"; depth:19; nocase; http.host; content:"fk.n0reply.eu.org"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229126; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fk.n0reply.eu.org"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theme/login.php"; depth:16; nocase; http.host; content:"185.215.113.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1229125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229125; rev:1;) alert tcp $HOME_NET any -> [78.100.236.181] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229124/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229124; rev:1;) alert tcp $HOME_NET any -> [72.27.165.49] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229123/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229123; 
rev:1;) alert tcp $HOME_NET any -> [54.154.24.71] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229122/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229122; rev:1;) alert tcp $HOME_NET any -> [185.196.10.126] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229121/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229121; rev:1;) alert tcp $HOME_NET any -> [119.152.6.213] 443 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229120/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229120; rev:1;) alert tcp $HOME_NET any -> [54.250.116.148] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229119/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_08; classtype:trojan-activity; sid:91229119; rev:1;) alert tcp $HOME_NET any -> [193.233.254.194] 11584 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229118; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthirteen13sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228948; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228949; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228946; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qften10vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228947; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6sb.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91228944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfsix6ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228941; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfseven7sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228939; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfone1ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; 
dns_query; content:"qfleven11sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228936; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228938; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228937; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228932; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228933; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffive5ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228930/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjfourt14vs.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjnein9vs.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91228927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gjseven7vs.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfeight8sb.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pichadex.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228918; rev:1;) alert tcp $HOME_NET any -> [46.199.193.93] 3551 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228916; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myhostfrfr0.ddns.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228917; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/theme/index.php"; depth:16; nocase; http.host; content:"185.215.113.68"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"diagramfiremonkeyowwa.fun"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"cakecoldsplurgrewe.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228897; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"soupinterestoe.fun"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228898; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"neighborhoodfeelsa.fun"; depth:22; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228899; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"dayfarrichjwclik.fun"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228900; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"ratefacilityframw.fun"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228901; rev:1;) alert tcp $HOME_NET any -> [154.223.17.134] 5959 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228902/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228902; rev:1;) alert tcp $HOME_NET any -> [165.232.87.210] 5945 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228903; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ruspyc.top"; depth:10; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228904; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfthre3sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228950; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeit8ht.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228951; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228952; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228953; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgfourt14sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228954/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_08; classtype:trojan-activity; sid:91228954; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11ht.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228955; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11pn.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228956; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228957; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228958; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgnein9sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228959; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgseven7vt.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228960; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgsix6vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10pn.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228963; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10ht.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228962; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228964; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgthre3vt.top"; depth:13; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228965; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgtwo2vt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228966; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qtfive5pt.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228967/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228967; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qttwo2pt.top"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228968; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qffive5ht.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228969/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228969; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"emv1.qften10sr.top"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228970/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91228970; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qffourt14sr.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228971/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228971; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgeiht8sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228973/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228973; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qfnein9sr.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228972/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228972; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgleven11sb.top"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228974/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228974; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qgten10sb.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228975/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228975; rev:1;) alert tcp $HOME_NET any -> [79.137.198.170] 80 (msg:"ThreatFox AMOS botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crazy-hugle.185-196-8-89.plesk.page"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229111; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"midlifeprogrammer.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229112; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gallant-booth.185-196-8-89.plesk.page"; depth:37; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229113; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"185-196-8-89.plesk.page"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229114; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.conectmeto.net"; depth:18; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229115; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"online.microsoftoffice.cyou"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229116; rev:1;) alert tcp $HOME_NET any -> [158.220.96.15] 3320 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229117; rev:1;) alert tcp $HOME_NET any -> [2.91.179.245] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229110; rev:1;) alert tcp $HOME_NET any -> [140.82.33.83] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229109/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229109; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736626.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229108; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"recruitment61.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229107; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.europapokal2024.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229105; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1280678.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229106; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.peninsula3.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229104; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.seismicsisterhood.org"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229103; rev:1;) alert tcp $HOME_NET any -> [35.210.122.136] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229101; rev:1;) alert tcp $HOME_NET any -> [35.210.122.136] 5555 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229102; rev:1;) alert tcp $HOME_NET any -> [3.218.61.11] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229100; rev:1;) alert tcp $HOME_NET any -> [103.106.191.10] 8000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229099; rev:1;) alert tcp $HOME_NET any -> [62.113.117.13] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229098; rev:1;) alert tcp $HOME_NET any -> [18.195.76.113] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229097/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_08; classtype:trojan-activity; sid:91229097; rev:1;) alert tcp $HOME_NET any -> [62.171.159.175] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229096; rev:1;) alert tcp $HOME_NET any -> [181.237.128.179] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229095; rev:1;) alert tcp $HOME_NET any -> [168.62.49.51] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229094; rev:1;) alert tcp $HOME_NET any -> [20.230.19.10] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229093; rev:1;) alert tcp $HOME_NET any -> [18.222.106.155] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229092; rev:1;) alert tcp $HOME_NET any -> [46.151.214.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229091; rev:1;) alert tcp $HOME_NET any -> [1.12.48.214] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229090; rev:1;) alert tcp $HOME_NET any -> [106.52.233.34] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229089; rev:1;) alert tcp $HOME_NET any -> [13.209.204.53] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229088; rev:1;) alert tcp $HOME_NET any -> [18.158.149.45] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229087; rev:1;) alert tcp $HOME_NET any -> [18.158.149.45] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; 
sid:91229086; rev:1;) alert tcp $HOME_NET any -> [45.139.222.37] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229085; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.customerportalverify.store"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229084; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"apis.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229083; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"omns.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229081; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fc.customerportalverify.store"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229082; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"content.customerportalverify.store"; depth:34; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229080; rev:1;) alert tcp $HOME_NET any -> [159.65.47.249] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229078/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229078; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stats.customerportalverify.store"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229079; rev:1;) alert tcp $HOME_NET any -> [5.42.64.70] 2096 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229077; rev:1;) alert tcp $HOME_NET any -> [192.248.184.70] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229075; rev:1;) alert tcp $HOME_NET any -> [47.96.43.107] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229076; rev:1;) alert tcp $HOME_NET any -> [180.141.51.20] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229074; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.payandhay.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229073; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-235-217-21.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-3-217-28-109.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229071; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-210-248-214.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229070/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229070; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ams-k-node1.vleo.ru"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229069; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.elated-black.45-141-215-173.plesk.page"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229067; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fbadearnings.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229068; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"85.192.63.57.sslip.io"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229065; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"79.137.194.188.sslip.io"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229066; rev:1;) alert tcp $HOME_NET any -> [193.233.132.61] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229064; rev:1;) alert tcp $HOME_NET any -> [193.233.132.67] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229063; rev:1;) alert tcp $HOME_NET any -> [193.233.132.62] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229062; rev:1;) alert tcp $HOME_NET any -> [167.88.168.158] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229061; rev:1;) alert tcp $HOME_NET any -> [27.74.166.158] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229060; rev:1;) alert tcp $HOME_NET any -> [20.6.33.42] 9099 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1229058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229058; rev:1;) alert tcp $HOME_NET any -> [27.74.166.158] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229059/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229059; rev:1;) alert tcp $HOME_NET any -> [103.42.30.30] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229057/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229057; rev:1;) alert tcp $HOME_NET any -> [103.42.30.39] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229055/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229055; rev:1;) alert tcp $HOME_NET any -> [103.42.30.58] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229056/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229056; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"oxyphyllous.20402177.xyz"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229054; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-223-92-16.digitaloceandns.com"; depth:33; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229052; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"git.cy-security.de"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229053; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sicher-online.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229050; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"proxy-apps.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229051; rev:1;) alert tcp $HOME_NET any -> [172.94.93.15] 2222 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229049; rev:1;) alert tcp $HOME_NET any -> [193.161.193.99] 38655 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229048; rev:1;) alert tcp $HOME_NET any -> [13.213.38.230] 81 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229047; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov1.fvds.ru"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229046; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mebadboy.fvds.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229045; rev:1;) alert tcp $HOME_NET any -> [91.92.249.143] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229044/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229044; rev:1;) alert tcp $HOME_NET any -> [91.92.240.134] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229043/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229043; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api-encar.nibiru.pro"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229041/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229041; rev:1;) alert tcp $HOME_NET any -> [54.211.212.149] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229042/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229042; rev:1;) alert tcp $HOME_NET any -> [91.92.255.80] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229039/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229039; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bitrix.avtokuba.ru"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1229040/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229040; rev:1;) alert tcp $HOME_NET any -> [176.123.168.117] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229038/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229038; rev:1;) alert tcp $HOME_NET any -> [79.174.13.18] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1229037/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229037; rev:1;) alert tcp $HOME_NET any -> [119.160.235.239] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229036/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229036; rev:1;) alert tcp $HOME_NET any -> [157.90.21.73] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229035/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229035; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 4001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229034/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229034; rev:1;) alert tcp $HOME_NET any -> [45.126.209.4] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229033/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229033; rev:1;) alert tcp $HOME_NET any -> [185.250.148.237] 2424 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229031/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229031; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 3004 (msg:"ThreatFox AsyncRAT botnet 
C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229032; rev:1;) alert tcp $HOME_NET any -> [185.172.128.52] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229029; rev:1;) alert tcp $HOME_NET any -> [54.38.151.131] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229030; rev:1;) alert tcp $HOME_NET any -> [185.172.128.52] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229028; rev:1;) alert tcp $HOME_NET any -> [74.222.22.109] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229027/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229027; rev:1;) alert tcp $HOME_NET any -> [91.109.186.9] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229025/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; 
classtype:trojan-activity; sid:91229025; rev:1;) alert tcp $HOME_NET any -> [187.24.64.252] 9999 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229026/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229026; rev:1;) alert tcp $HOME_NET any -> [51.20.249.187] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229024/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229024; rev:1;) alert tcp $HOME_NET any -> [5.161.182.109] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229022/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229022; rev:1;) alert tcp $HOME_NET any -> [178.33.203.39] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229023/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229023; rev:1;) alert tcp $HOME_NET any -> [66.94.120.244] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229021/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229021; rev:1;) alert tcp $HOME_NET any -> [122.10.10.115] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1229019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229019; rev:1;) alert tcp $HOME_NET any -> [107.174.115.223] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229020/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229020; rev:1;) alert tcp $HOME_NET any -> [20.61.4.19] 6000 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229018/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_08; classtype:trojan-activity; sid:91229018; rev:1;) alert tcp $HOME_NET any -> [47.102.151.229] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229016; rev:1;) alert tcp $HOME_NET any -> [62.234.166.174] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229017; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229015; rev:1;) alert tcp $HOME_NET any -> 
[123.57.164.84] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229014/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229014; rev:1;) alert tcp $HOME_NET any -> [123.56.64.225] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229013; rev:1;) alert tcp $HOME_NET any -> [123.56.64.225] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229012; rev:1;) alert tcp $HOME_NET any -> [168.100.9.112] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229011; rev:1;) alert tcp $HOME_NET any -> [8.130.66.111] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229010; rev:1;) alert tcp $HOME_NET any -> [45.95.174.47] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229009/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229009; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 60000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229008; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229007; rev:1;) alert tcp $HOME_NET any -> [121.41.50.152] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229006; rev:1;) alert tcp $HOME_NET any -> [51.81.69.69] 42069 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229005; rev:1;) alert tcp $HOME_NET any -> [61.75.17.84] 59992 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229004; rev:1;) alert tcp $HOME_NET any -> [39.106.47.126] 80 (msg:"ThreatFox Cobalt Strike botnet C2 
traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229003/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229003; rev:1;) alert tcp $HOME_NET any -> [101.35.199.148] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229002; rev:1;) alert tcp $HOME_NET any -> [101.35.199.148] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229001; rev:1;) alert tcp $HOME_NET any -> [120.46.69.230] 65401 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1229000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91229000; rev:1;) alert tcp $HOME_NET any -> [108.136.162.32] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228999; rev:1;) alert tcp $HOME_NET any -> [124.223.87.14] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228998/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_08; classtype:trojan-activity; sid:91228998; rev:1;) alert tcp $HOME_NET any -> [38.147.172.234] 5557 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228996; rev:1;) alert tcp $HOME_NET any -> [59.110.9.127] 8089 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228997; rev:1;) alert tcp $HOME_NET any -> [147.185.221.16] 3958 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228995; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228994; rev:1;) alert tcp $HOME_NET any -> [18.229.248.167] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228993; rev:1;) alert tcp $HOME_NET any -> [18.228.115.60] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228992; rev:1;) alert tcp $HOME_NET any -> [193.233.254.4] 13200 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228991/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228991; rev:1;) alert tcp $HOME_NET any -> [46.246.12.15] 2054 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"194.87.218.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_08; classtype:trojan-activity; sid:91228989; rev:1;) alert tcp $HOME_NET any -> [47.243.31.155] 8123 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228988/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_08; classtype:trojan-activity; sid:91228988; rev:1;) alert tcp $HOME_NET any -> [154.204.60.179] 88 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228987/; target:src_ip; metadata: confidence_level 
80, first_seen 2024_01_08; classtype:trojan-activity; sid:91228987; rev:1;) alert tcp $HOME_NET any -> [176.29.41.251] 8000 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228986; rev:1;) alert tcp $HOME_NET any -> [194.87.79.209] 34130 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228984/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228984; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 30710 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228983; rev:1;) alert tcp $HOME_NET any -> [210.97.234.97] 9735 (msg:"ThreatFox Ghost RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228982/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228982; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/serverlinuxtestwordpressprivate.php"; depth:36; nocase; http.host; content:"028874lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228981; rev:1;) alert dns 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dftrqgmt6hzf2.cloudfront.net"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228979/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228979; rev:1;) alert tcp $HOME_NET any -> [108.137.133.143] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228980; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"dftrqgmt6hzf2.cloudfront.net"; depth:28; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228978/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228978; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/266ba446.php"; depth:13; nocase; http.host; content:"glacial-liquor.000webhostapp.com"; depth:32; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228977/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228977; rev:1;) alert tcp $HOME_NET any -> [45.207.45.188] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228976/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_07; classtype:trojan-activity; sid:91228976; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228925; rev:1;) alert tcp $HOME_NET any -> [134.175.55.199] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228924; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228923; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228922; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates"; depth:8; nocase; http.host; content:"39.107.242.130"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1228921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228921; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"165.154.132.129"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228920; rev:1;) alert tcp $HOME_NET any -> [43.139.220.166] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228919; rev:1;) alert tcp $HOME_NET any -> [66.19.9.115] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228915/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228915; rev:1;) alert tcp $HOME_NET any -> [38.54.85.21] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228914/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228914; rev:1;) alert tcp $HOME_NET any -> [94.49.47.218] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228913/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228913; rev:1;) alert tcp $HOME_NET any -> [190.134.210.144] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228912/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228912; rev:1;) alert tcp $HOME_NET any -> [77.49.83.47] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228911/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228911; rev:1;) alert tcp $HOME_NET any -> [2.6.197.29] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228910/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228910; rev:1;) alert tcp $HOME_NET any -> [27.99.41.173] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228909/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228909; rev:1;) alert tcp $HOME_NET any -> [103.106.228.51] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228908/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228908; rev:1;) alert tcp $HOME_NET any -> [64.23.143.159] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228907/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228907; rev:1;) alert tcp $HOME_NET any -> [185.228.234.171] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228906/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228906; rev:1;) alert tcp $HOME_NET any -> [52.197.96.6] 80 (msg:"ThreatFox Brute Ratel C4 botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228905/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228905; rev:1;) alert tcp $HOME_NET any -> [5.42.64.57] 43890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228857/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228857; rev:1;) alert tcp $HOME_NET any -> [45.131.108.210] 747 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228849; rev:1;) alert tcp $HOME_NET any -> [5.42.66.49] 43890 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228858; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url 
- confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"62.72.32.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228887; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"95.156.227.5"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.183.98.152"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"79.133.51.114"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.206.178.198"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.94.198"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard"; depth:10; nocase; http.host; content:"188.116.22.246"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228892; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228894/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"101.43.215.118"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"124.221.178.17"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228885; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d8g.lol"; depth:7; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228883; rev:1;) alert tcp $HOME_NET any -> [159.75.104.157] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228884; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"d8g.lol"; depth:7; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228882; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"8.140.147.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228881; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"106.14.144.30"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228880; rev:1;) alert tcp $HOME_NET any -> [43.139.35.215] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228879/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228879; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228878/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228878; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"165.3.113.96"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228877/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228877; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"164.155.212.249"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228876/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228876; rev:1;) alert tcp $HOME_NET any -> [164.155.212.249] 2000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228875; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228874; rev:1;) alert tcp $HOME_NET any -> [185.196.8.89] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/validate/account/kdikpcoywu"; depth:28; nocase; http.host; content:"erihudeg.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"8.142.117.162"; 
depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228870/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228870; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"8.142.5.148"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228869/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"193.201.9.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228867; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"metersphere.zenmen.cloud"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/owa/"; depth:5; nocase; http.host; content:"www.goodljlagfhss.live"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"121.4.50.245"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/3"; depth:6; nocase; http.host; content:"120.27.148.91"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228863; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228862/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.112.137.119"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228860; rev:1;) alert tcp $HOME_NET any -> [185.164.163.75] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228859/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228859; rev:1;) alert tcp $HOME_NET any -> [90.91.100.126] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228856/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.34.222.38"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228853; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/fwlink"; depth:7; nocase; http.host; content:"154.204.60.179"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; 
content:"updates.adobe-soft.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"194.87.218.132"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"164.90.169.184"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228847; rev:1;) alert tcp $HOME_NET any -> [164.90.169.184] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228848; rev:1;) alert tcp $HOME_NET any -> [45.60.75.128] 9443 (msg:"ThreatFox Nimplant botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228846/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228846; rev:1;) alert tcp $HOME_NET any -> [151.236.18.179] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228845/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228845; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228761/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228761; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.mylcyz.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228759/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228759; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.rememdam.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228760/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228760; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.kp1nm8ao.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228756/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228756; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.microsoft-update.one"; depth:24; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228757/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228757; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.microsoft2888.top"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228758/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228758; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228754/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228754; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dnslogik.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228755/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228755; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.crnbchina.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228752/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228752; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dmitolt.com"; depth:15; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228753/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228753; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228750/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.chongfan1990.xyz"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228751/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228751; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.623866.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228746/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228746; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.akingump.cloud"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228747/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.az-gateway.com"; depth:18; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228748/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.bre1ce.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228749/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228749; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"server1.bre1ce.top"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228744/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228744; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-mew"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228745/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"sanjianke.icu"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228742/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228742; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"septcntr.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228743/; target:src_ip; 
metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228743; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rano.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228738/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228738; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"rano.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228739/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228739; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"recommendation.digihealthlocker.com"; depth:35; nocase; reference:url, threatfox.abuse.ch/ioc/1228740/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"redteam.tandemcyberops.co"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1228741/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228741; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"po.vigorlabs.info"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228736/; 
target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228736; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"qw.regsvcast.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228737/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228737; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"js.msedgeupdate.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228734/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228734; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pics.d3fgg12.lol"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228735/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228735; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"annualraises2023.zip"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228733/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228733; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.teleradiocom.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228762/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228762; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.weepstakes.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228763/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228763; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228764/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228764; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.zengjunhe.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228765/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228765; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.163microsoft.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228766/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228766; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.623866.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228767/; target:src_ip; metadata: confidence_level 50, first_seen 
2024_01_07; classtype:trojan-activity; sid:91228767; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228768/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228768; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228769/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228769; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.chongfan1990.xyz"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228770/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228770; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.crnbchina.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228771/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228771; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228772/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; 
classtype:trojan-activity; sid:91228772; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dnslogik.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228773/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228773; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.kp1nm8ao.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228774/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228774; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.microsoft-update.one"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228775/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228775; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.mylcyz.top"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228776/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228776; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.rememdam.xyz"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228777/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; 
sid:91228777; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228778/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228778; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228779/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228779; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.zengjunhe.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228780/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228780; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.chongfan1990.xyz"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228781/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228781; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.simplence.cn"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228782/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228782; rev:1;) alert 
http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns3.xiaopeng111.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228783/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228783; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns8.x7z.mom"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228784/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228784; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns88.nanyafpg.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228785/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228785; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nsns1.container911.site"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228786/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228786; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt2.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228788/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228788; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET 
any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt3.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228789/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228789; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"nt1.227api.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228787/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228787; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"oa.cncb.info"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228790/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228790; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ok.ppctech.xyz"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228791/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228791; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"one.gxzf.site"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228792/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228792; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"osssss.huawei.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228793/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228793; rev:1;)
# NOTE(review): the "url"-type rules in this run carry a bare hostname as the
# http.uri pattern, with depth equal to the pattern length, i.e. the match is
# anchored at the start of the normalized request URI. An origin-form request
# line ("GET /path ...") yields a URI beginning with "/", so these rules are
# only expected to fire when the request target is written as an absolute URI
# (proxy-style); confirm against the feed generator. Hostname IoCs elsewhere in
# this file are pinned on the host buffer instead
# (http.host; content:"<host>"; depth:N; isdataat:!1,relative;), which is
# presumably the intended buffer for these entries as well.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pak.update.nadra-pk.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228794/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228794; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pic.micros0ft-security.org"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1228795/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228795; rev:1;)
# NOTE(review): the next run of sids re-emits IoCs that already have a rule
# earlier in this feed, under a second ThreatFox entry id. Each pair fires twice
# on a single request, so deduplicate by IoC when consuming the feed, or
# suppress one sid of each pair, unless the two entries are meant to be tracked
# separately:
#   91228796 ns2.centos-yum.xyz        -> same IoC as sid 91228769
#   91228797 pak.update.nadra-pk.org   -> same IoC as sid 91228794
#   91228798 pic.micros0ft-security.org -> same IoC as sid 91228795
#   91228799 ns2.dns-supports.online   -> same IoC as sid 91228772
#   91228800 ns2.microsoft-update.one  -> same IoC as sid 91228775
#   91228801 ns2.az-gateway.com        -> same IoC as sid 91228768
#   91228802 ns1.az-gateway.com        -> same IoC as sid 91228748
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.centos-yum.xyz"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228796/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228796; rev:1;)
# duplicate IoC of sid 91228794 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pak.update.nadra-pk.org"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228797/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228797; rev:1;)
# duplicate IoC of sid 91228795 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"pic.micros0ft-security.org"; depth:26; nocase; reference:url, threatfox.abuse.ch/ioc/1228798/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228798; rev:1;)
# duplicate IoC of sid 91228772 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228799/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228799; rev:1;)
# duplicate IoC of sid 91228775 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.microsoft-update.one"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228800/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228800; rev:1;)
# duplicate IoC of sid 91228768 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns2.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228801/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228801; rev:1;)
# duplicate IoC of sid 91228748 (see note above)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.az-gateway.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228802/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228802; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.dns-supports.online"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228803/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228803; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"iane.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228805/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228805; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"iane.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228804/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228804; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"leno.initiativeus.com"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228806/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228806; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"leno.outlookonlines.com"; depth:23; nocase; reference:url, threatfox.abuse.ch/ioc/1228807/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228807; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"lindacolor.com"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228808/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228808; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"log.lihaimaoyi.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228809/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228809; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mail.cncb.info"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228810/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228810; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"metersphere.zenmen.cloud"; depth:24; nocase; reference:url, threatfox.abuse.ch/ioc/1228811/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228811; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mricossoftmanager.info"; depth:22; nocase; reference:url, threatfox.abuse.ch/ioc/1228812/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228812; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"n1.johnchen88.com"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228814/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228814; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"myappsec.eu"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228813/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228813; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.b1ing.com"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228815/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228815; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.checkavail.space"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228816/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228816; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.controlcavi.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228817/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228817; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"ns.n0reply.eu.org"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228818/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228818; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns.tqrjfru.cn"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228819/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228819; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns0248.euskinc.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228820/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228820; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 50%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ns1.163microsoft.com"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228821/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228821; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kennynanobelintourismedleonline.dumb1.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228824/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228824; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpacino.club"; depth:13; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228831/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228831; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukkva.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228832/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228832; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gavrik.club"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228833/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voiceaichanger.pro"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228841/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dzxngxmlsim3.cloudfront.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"dh5rg5aebo6yx.cloudfront.net"; depth:28; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228843; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voice.k7pw.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228840/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228840; rev:1;) alert tcp $HOME_NET any -> [80.66.75.53] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228844; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn-delivery.fortaxen.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228705; rev:1;) alert tcp $HOME_NET any -> [185.170.144.250] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228706; rev:1;) alert tcp $HOME_NET any -> [45.148.120.115] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228707; rev:1;) alert http 
$HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"tollactionancestorw.pw"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228708; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"links-transition.gl.at.ply.gg"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228714/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228714; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fall-sustained.gl.at.ply.gg"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228715/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228715; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"realitysocialiolee.site"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228719/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228719; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubettttg.top"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1228722/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubeggggoa.top"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228723/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228723; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"pubetjokotg.top"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228724/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228724; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"gebasgao.shop"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228725/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228725; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"fexggohii.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228726/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228726; 
rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2eyotm2m2fly2my/"; depth:18; nocase; http.host; content:"vukyggtou.top"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228727/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228727; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"c2c2adfff.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228728/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228728; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"g232ddxda.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228729/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228729; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ogy2ywu5otm4otq3/"; depth:18; nocase; http.host; content:"ebwaebaw23xx.com"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228730/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228730; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ztzkntjjntkwyzk3/"; depth:18; nocase; http.host; content:"verhovuh.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228731/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228731; rev:1;) alert tcp $HOME_NET any -> [86.122.248.34] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228839/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228839; rev:1;) alert tcp $HOME_NET any -> [176.44.122.88] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228838/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228838; rev:1;) alert tcp $HOME_NET any -> [3.110.101.202] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228837/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228837; rev:1;) alert tcp $HOME_NET any -> [139.84.172.20] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228836/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228836; rev:1;) alert tcp $HOME_NET any -> [139.84.172.248] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228835/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228835; rev:1;) alert tcp $HOME_NET any -> [94.131.100.223] 4444 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228834/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_07; classtype:trojan-activity; sid:91228834; rev:1;) alert tcp $HOME_NET any -> [18.136.0.29] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228830/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228830; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 3001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228829/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228829; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902024.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228828/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228828; rev:1;) alert tcp $HOME_NET any -> [91.92.250.243] 4887 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228827/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228827; rev:1;) alert tcp $HOME_NET any -> 
[141.98.212.12] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228826/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228826; rev:1;) alert tcp $HOME_NET any -> [162.251.166.166] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228825/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_07; classtype:trojan-activity; sid:91228825; rev:1;) alert tcp $HOME_NET any -> [91.92.251.179] 1334 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228823/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228823; rev:1;) alert tcp $HOME_NET any -> [85.195.105.85] 7072 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228822/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228822; rev:1;) alert tcp $HOME_NET any -> [142.202.191.238] 2404 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_07; classtype:trojan-activity; sid:91228732; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/wordpress0low/bigload/defaultimagesql/sql7/pollserverprotectdefaultsqltraffictest.php"; depth:86; nocase; http.host; content:"77.83.173.248"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228721; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0903379.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228720/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228720; rev:1;) alert tcp $HOME_NET any -> [3.94.5.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228718/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228718; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"d2kb8sccbn3wgs.cloudfront.net"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228717/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228717; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/favicon"; depth:8; nocase; http.host; content:"d2kb8sccbn3wgs.cloudfront.net"; depth:29; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228716/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; 
classtype:trojan-activity; sid:91228716; rev:1;) alert tcp $HOME_NET any -> [82.102.218.155] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228713/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228713; rev:1;) alert tcp $HOME_NET any -> [85.195.137.207] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228712/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228712; rev:1;) alert tcp $HOME_NET any -> [78.101.236.188] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228711/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228711; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 41958 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228710; rev:1;) alert tcp $HOME_NET any -> [88.214.58.89] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228709/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228709; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hetooppentyir.com"; depth:17; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228625; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"intros.top"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228626; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"kefkfkf.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228627/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228627; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"landoflegendstore.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228628/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228628; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkappc.link"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228629/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228629; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"linkappd.link"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228630/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_06; classtype:trojan-activity; sid:91228630; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"malletmissile.ru"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mamkindomen.info"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"menrere.top"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228634; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mistral3.xyz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228635; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobilesuit.top"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228636; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"opendoors.top"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228637; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"promakerboi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228638; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"prunerflowershop.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rowlingimpala.top"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228640; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wejqwed.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228645; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"grilledwings.top"; depth:16; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228623; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gzgbnserv639.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228624/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228624; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"goodideal.org"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228622; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"databasecontrol.xyz"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"functionalrejh.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"game2030.space"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228620/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_06; classtype:trojan-activity; sid:91228620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bukkva.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228606; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baskettorchaff.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228602; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"adverting-cdn.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"alpacino.best"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228600; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox 
botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigpetsmall.ru"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228603; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"blogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clogsme.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228607; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cozanostra.best"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"deniedfight.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dfthdsb.link"; depth:12; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228612; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"daymong.ru"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ed2efjw.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228613; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fasdas.link"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickita.info"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickitc.link"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; 
classtype:trojan-activity; sid:91228616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"fickotstuk.space"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sdgserv29.xyz"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"untouchablename.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228643; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"venecia.best"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228644; rev:1;) alert tcp $HOME_NET any -> [124.223.64.88] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228704/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228704; rev:1;) alert tcp $HOME_NET any -> [141.255.159.46] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - 
confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228703/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228703; rev:1;) alert tcp $HOME_NET any -> [71.24.150.141] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228702; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"pics.d3fgg12.lol"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"cj13214.tw1.ru"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228700; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228699/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228699; rev:1;) alert tcp $HOME_NET any -> [45.66.248.135] 4593 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1228698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228698; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"levellivingfield.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228697; rev:1;) alert tcp $HOME_NET any -> [149.28.168.162] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228696; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228695; rev:1;) alert tcp $HOME_NET any -> [62.171.159.173] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228694; rev:1;) alert tcp $HOME_NET any -> [38.54.84.70] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228693; rev:1;) alert tcp 
$HOME_NET any -> [46.45.130.200] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228692; rev:1;) alert tcp $HOME_NET any -> [35.207.223.236] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228691; rev:1;) alert tcp $HOME_NET any -> [18.195.76.113] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228690; rev:1;) alert tcp $HOME_NET any -> [3.111.231.169] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228689/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228689; rev:1;) alert tcp $HOME_NET any -> [3.144.241.40] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228688; rev:1;) alert tcp $HOME_NET any -> [193.200.149.111] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228687; rev:1;) alert tcp $HOME_NET any -> [68.183.157.146] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228686; rev:1;) alert tcp $HOME_NET any -> [143.198.59.128] 40080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228685; rev:1;) alert tcp $HOME_NET any -> [93.188.167.2] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228684; rev:1;) alert tcp $HOME_NET any -> [43.139.220.166] 31220 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228683; rev:1;) alert tcp $HOME_NET any -> [134.209.107.62] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228682; rev:1;) alert tcp $HOME_NET any -> [3.125.178.172] 
3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228681; rev:1;) alert tcp $HOME_NET any -> [8.217.168.80] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228680; rev:1;) alert tcp $HOME_NET any -> [115.159.152.161] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228679; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.crypticgamings.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228677; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.crypticgamings.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"objective-shannon.2-58-113-220.plesk.page"; depth:41; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228676; rev:1;) alert tcp $HOME_NET any -> [94.228.168.159] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228675; rev:1;) alert tcp $HOME_NET any -> [193.233.132.74] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228673; rev:1;) alert tcp $HOME_NET any -> [193.233.132.55] 8081 (msg:"ThreatFox RisePro botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228674; rev:1;) alert tcp $HOME_NET any -> [172.206.62.226] 1337 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228672; rev:1;) alert tcp $HOME_NET any -> [103.42.30.83] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228671; rev:1;) alert tcp $HOME_NET 
any -> [87.237.54.174] 4447 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228670; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cloud.cy-security.de"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228669; rev:1;) alert tcp $HOME_NET any -> [191.82.202.123] 2000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228668; rev:1;) alert tcp $HOME_NET any -> [37.120.137.230] 1433 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228667; rev:1;) alert tcp $HOME_NET any -> [88.99.210.25] 8082 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228666; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"server289.mukhost.uk"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228664; rev:1;) alert tcp $HOME_NET any -> [91.92.251.140] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228665; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"app.to-kgb.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228663; rev:1;) alert tcp $HOME_NET any -> [13.213.38.230] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228662; rev:1;) alert tcp $HOME_NET any -> [13.213.38.230] 82 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228661; rev:1;) alert tcp $HOME_NET any -> [198.186.130.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228660; rev:1;) alert tcp $HOME_NET any -> [178.130.132.247] 80 (msg:"ThreatFox Hook botnet C2 traffic 
(ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228659; rev:1;)
# NOTE(review): the label "137-184-80-125" inside this name has the shape of an
# IPv4 address with dots replaced by dashes, which is what an auto-generated Plesk
# panel hostname looks like (the feed has another of the same shape at sid
# 91228676, "2-58-113-220"). The embedded address is a useful pivot when
# correlating this DNS hit with flow records. depth:38 plus isdataat:!1,relative
# make this an exact-name match, so benign traffic to other plesk.page hosts is
# not affected.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nifty-clarke.137-184-80-125.plesk.page"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228658; rev:1;)
alert tcp $HOME_NET any -> [185.16.38.41] 2034 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228657; rev:1;)
alert tcp $HOME_NET any -> [185.81.157.213] 888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228655; rev:1;)
alert tcp $HOME_NET any -> [212.102.59.84] 7777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228656/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228656; rev:1;)
alert tcp $HOME_NET any -> [155.133.27.6] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228654/; target:src_ip; metadata: confidence_level 100,
first_seen 2024_01_06; classtype:trojan-activity; sid:91228654; rev:1;) alert tcp $HOME_NET any -> [122.114.18.86] 12340 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228653/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_06; classtype:trojan-activity; sid:91228653; rev:1;) alert tcp $HOME_NET any -> [154.92.14.85] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228652; rev:1;) alert tcp $HOME_NET any -> [62.234.31.154] 5432 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228651; rev:1;) alert tcp $HOME_NET any -> [101.33.210.191] 8088 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228650; rev:1;) alert tcp $HOME_NET any -> [182.92.179.238] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228649; rev:1;) alert tcp $HOME_NET any -> [161.35.186.154] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228648; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"qimen.top"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228647; rev:1;) alert tcp $HOME_NET any -> [91.215.85.23] 22277 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228646; rev:1;) alert tcp $HOME_NET any -> [66.42.105.125] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228597/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228597; rev:1;) alert tcp $HOME_NET any -> [185.224.81.16] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228595; rev:1;) alert tcp $HOME_NET any -> [185.164.163.75] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; 
sid:91228596; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"49.atk.im"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228592; rev:1;)
alert tcp $HOME_NET any -> [141.98.196.77] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228593; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"iiilll1.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228594; rev:1;)
# NOTE(review): a *.ply.gg name belongs to a public tunnelling service, so the
# endpoint behind it can change hands; the exact-name match keeps the rule narrow,
# but a hit on the address it resolves to should not be generalised to the
# service's whole range.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yourself-catholic.gl.at.ply.gg"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228554; rev:1;)
# NOTE(review): this rule puts a hostname into the http.uri buffer and has no
# http.host check. For an ordinary (origin-form) request the URI buffer starts
# with the path, so this only matches when the client sends an absolute-form
# request target, e.g. through an explicit proxy; expect little coverage from it
# on direct traffic. Appears to be a feed-generation artefact for URL IOCs that
# consist of a bare domain; the same shape recurs at sids 91228559, 91228581,
# 91228580 and 91228552. Coverage for the name itself comes from a dns_query or
# http.host match, not from this rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"gumuh5gm.kt007.com"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228558; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence
level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cmcqgm.kt007.com"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1228559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228559; rev:1;)
# NOTE(review): "/updates.rss" and "/ie9compatviewlist.xml" are benign-looking
# paths (they mimic feed/Microsoft update requests and are among the default
# Cobalt Strike profile URIs), so the URI alone would be far too broad. What makes
# these two rules specific is the http.host anchor with isdataat:!1,relative
# (exact host match); keep that anchor if these are ever adapted. The same host
# also has a dns_query rule at sid 91228567, and "/ie9compatviewlist.xml" recurs
# with a different host at sid 91228568.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"ns.tqrjfru.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228560; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"ns.tqrjfru.cn"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228561; rev:1;)
# NOTE(review): like the rule fragment at the top of this line (sid 91228559),
# this matches a hostname in http.uri with no http.host check, which only fires
# on absolute-form request targets (proxy-style requests). On direct traffic this
# rule gives effectively no coverage; the name needs a dns_query/http.host match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"www.luxiaofei.online"; depth:20; nocase; reference:url, threatfox.abuse.ch/ioc/1228581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228581; rev:1;)
alert tcp $HOME_NET any -> [114.115.210.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228562; rev:1;)
alert http $HOME_NET
any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"bing921.215436454.xyz"; depth:21; nocase; reference:url, threatfox.abuse.ch/ioc/1228580/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228580; rev:1;) alert tcp $HOME_NET any -> [103.164.81.74] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228582; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hk-once.520226.xyz"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228583; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m.molang007.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228585; rev:1;) alert tcp $HOME_NET any -> [139.155.127.233] 8790 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228586/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228586; rev:1;) alert tcp $HOME_NET any -> [8.130.122.200] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228587/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228587; rev:1;)
# NOTE(review): in the domain rules of this feed, depth:N equals the content
# length (anchoring the match at the start of the query name) and
# isdataat:!1,relative requires nothing after it, so each rule matches the bare
# name only. A lookup for a label under the IOC domain (e.g. "www." + name) is
# not covered; if that coverage is wanted it needs a separate rule. The three
# names below imitate Microsoft product/update hostnames ("msprojectserver",
# "wmpupdate", "micros0fti"), which is worth remembering when a hit is reviewed
# against proxy logs.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"msprojectserver.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228588/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228588; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"wmpupdate.com"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228589/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228589; rev:1;)
alert tcp $HOME_NET any -> [43.136.71.208] 2096 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228590; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"micros0fti.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228591; rev:1;)
# NOTE(review): 2376 is the conventional Docker TLS daemon port, so management
# tooling legitimately talks to it on other hosts; the rule is specific only
# because of the address, and it is an 80% entry. Confirm the destination before
# acting on a hit.
alert tcp $HOME_NET any -> [51.77.137.208] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228584/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06;
classtype:trojan-activity; sid:91228584; rev:1;) alert tcp $HOME_NET any -> [43.139.220.166] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228579; rev:1;) alert tcp $HOME_NET any -> [149.40.62.54] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228578; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"188.166.214.231"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228577; rev:1;) alert tcp $HOME_NET any -> [5.42.66.50] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228576; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/navigation"; depth:11; nocase; http.host; content:"updataus.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; 
classtype:trojan-activity; sid:91228574; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updataus.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228575; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228573; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"47.100.199.201"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228572; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"23.95.197.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228571; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"47.109.102.98"; depth:13; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1228570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228570; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"16.171.112.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228569; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"165.154.132.129"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228568; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns.tqrjfru.cn"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228567; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/load"; depth:5; nocase; http.host; content:"147.78.47.184"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228566; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"www.xss.mba"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228565; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"locall.navybd-gov.info"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228564; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; content:"locall.navybd-gov.info"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228563; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228557; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228556/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228556; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 24544 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228555; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vmpipepythonlowprotectdefaultgeneratortraffic.php"; depth:50; nocase; http.host; content:"990489lm.nyashmyash.top"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228553; rev:1;) alert tcp $HOME_NET any -> [102.22.83.27] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228551; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"updates-nessus.org"; depth:18; nocase; reference:url, threatfox.abuse.ch/ioc/1228552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228552; rev:1;) alert tcp $HOME_NET any -> [43.134.183.43] 30002 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228550/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228550; rev:1;) alert tcp $HOME_NET any -> [107.182.190.222] 2083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228548/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228548; rev:1;) alert tcp $HOME_NET any -> [147.185.221.17] 56274 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228547; rev:1;) alert tcp $HOME_NET any -> [116.203.123.207] 3001 (msg:"ThreatFox Vidar payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.123.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199588685141"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228280/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.232.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcfuture"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228283/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199592921038"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228284/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"20.5.43.62"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228437; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"20.5.43.62"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228438/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228438; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"45.93.20.242"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228441; rev:1;) alert tcp $HOME_NET any -> [121.41.9.223] 23335 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228439; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ca"; depth:3; nocase; http.host; content:"152.136.128.162"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228440/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228440; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"194.33.191.206"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228490/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228490; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"xex2napggq.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228491/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228491; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"cccd1xzaza.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228493/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228493; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"vittixx2q.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228492/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228492; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/m2i3zwfjnjnhm2i5/"; depth:18; nocase; http.host; content:"sabaasbaor.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228494/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228494; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"176.113.115.188"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228497/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228497; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/nzg1ytc1n2rlnwq4/"; depth:18; nocase; http.host; content:"91.92.242.212"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228498/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228498; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"176.111.174.151"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228499/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228499; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; 
depth:18; nocase; http.host; content:"ghost23241312.xyz"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228500/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228500; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"ghost232412512.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228501/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228501; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"ghost232412312.xyz"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228502/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228502; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda227.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228503/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228503; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda27.xyz"; depth:20; isdataat:!1,relative; reference:url, 
threatfox.abuse.ch/ioc/1228504/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228504; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi2nciifirarda227.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228506/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228506; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epinciifirarda237.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228505/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228505; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi3nciifirarda27.xyz"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228507/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228507; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/y2nlmmyymmywmgi5/"; depth:18; nocase; http.host; content:"epi5nciifirarda237.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228508/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; 
classtype:trojan-activity; sid:91228508; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"yobuy01.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228510/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228510; rev:1;) alert tcp $HOME_NET any -> [18.192.31.165] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228511/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228511; rev:1;) alert tcp $HOME_NET any -> [3.124.142.205] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228512/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228512; rev:1;) alert tcp $HOME_NET any -> [18.158.249.75] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228513/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228513; rev:1;) alert tcp $HOME_NET any -> [3.125.209.94] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228514/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228514; rev:1;) alert tcp $HOME_NET any -> [3.125.102.39] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228515/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228515; rev:1;) alert tcp $HOME_NET any -> [3.125.223.134] 11297 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228516/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228516; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-hzdzk12c-1318485841.gz.apigw.tencentcs.com"; depth:50; nocase; reference:url, threatfox.abuse.ch/ioc/1228518/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228518; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"service-oca34jj9-1257331363.sh.tencentapigw.com"; depth:47; nocase; reference:url, threatfox.abuse.ch/ioc/1228519/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228519; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"static-47-206-167-222.tamp.fl.frontiernet.net"; depth:45; nocase; reference:url, threatfox.abuse.ch/ioc/1228521/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228521; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"47.206.167.222"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228520/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228520; rev:1;) alert tcp $HOME_NET any -> [45.13.119.251] 9932 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228524/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228524; rev:1;) alert tcp $HOME_NET any -> [176.223.133.62] 1290 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228525; rev:1;) alert tcp $HOME_NET any -> [23.159.248.156] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228545/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228545; rev:1;) alert tcp $HOME_NET any -> [142.247.111.85] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228544/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228544; rev:1;) alert tcp $HOME_NET any -> [104.157.2.130] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228543/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; 
classtype:trojan-activity; sid:91228543; rev:1;) alert tcp $HOME_NET any -> [213.35.152.193] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228542/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228542; rev:1;) alert tcp $HOME_NET any -> [20.61.52.34] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228541/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228541; rev:1;) alert tcp $HOME_NET any -> [188.166.39.71] 4444 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228540/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228540; rev:1;) alert tcp $HOME_NET any -> [195.90.223.120] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228539/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228539; rev:1;) alert tcp $HOME_NET any -> [23.168.152.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228538/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_06; classtype:trojan-activity; sid:91228538; rev:1;) alert tcp $HOME_NET any -> [124.220.66.44] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1228537/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228537; rev:1;) alert tcp $HOME_NET any -> [3.127.181.115] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228536; rev:1;) alert tcp $HOME_NET any -> [3.67.62.142] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228535; rev:1;) alert tcp $HOME_NET any -> [18.158.58.205] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228534; rev:1;) alert tcp $HOME_NET any -> [3.64.4.198] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228533; rev:1;) alert tcp $HOME_NET any -> [3.67.161.133] 15464 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228532; rev:1;) alert tcp $HOME_NET any -> [3.67.112.102] 15464 
(msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228531; rev:1;) alert tcp $HOME_NET any -> [167.172.69.159] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228530/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228530; rev:1;) alert tcp $HOME_NET any -> [188.166.214.231] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228529/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228529; rev:1;) alert tcp $HOME_NET any -> [110.43.39.138] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228528/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_06; classtype:trojan-activity; sid:91228528; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/vm8phpdatalife/7imagecentraldatalife/phplowlinuxgeneratorcdn.php"; depth:65; nocase; http.host; content:"185.103.101.0"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228527; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0902362.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228526; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12944 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228523; rev:1;) alert tcp $HOME_NET any -> [91.92.247.99] 46554 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228522/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_06; classtype:trojan-activity; sid:91228522; rev:1;) alert tcp $HOME_NET any -> [18.231.93.153] 12288 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228509/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228509; rev:1;) alert tcp $HOME_NET any -> [43.138.212.90] 4431 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228496/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228496; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; 
http.host; content:"service-hs6w7s26-1317863896.gz.apigw.tencentcs.com"; depth:50; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228495; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/providertotemp.php"; depth:19; nocase; http.host; content:"276721cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228489; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.1319554.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228487; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jmccarth.net"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228486; rev:1;) alert tcp $HOME_NET any -> [34.93.252.18] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type 
limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228485; rev:1;) alert tcp $HOME_NET any -> [18.236.198.84] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228484; rev:1;) alert tcp $HOME_NET any -> [3.145.135.41] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228483; rev:1;) alert tcp $HOME_NET any -> [52.6.94.197] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228482; rev:1;) alert tcp $HOME_NET any -> [82.157.157.190] 13333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228481; rev:1;) alert tcp $HOME_NET any -> [42.192.42.48] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228480; 
rev:1;) alert tcp $HOME_NET any -> [2.58.113.172] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228479; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"crypticgamings.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228478; rev:1;) alert tcp $HOME_NET any -> [41.216.183.94] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228477; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"login.microsoft.authenticateoffice.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228475; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ethicalhackersworkshop.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228476; rev:1;) alert tcp $HOME_NET any -> [213.136.71.179] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228474; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"naughty-elion.107-173-140-104.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228473; rev:1;) alert tcp $HOME_NET any -> [207.148.29.229] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228472; rev:1;) alert tcp $HOME_NET any -> [94.250.252.21] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228471; rev:1;) alert tcp $HOME_NET any -> [51.103.216.212] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228470; rev:1;) alert tcp $HOME_NET any -> [18.135.210.230] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228469; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 4002 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228468; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 5003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228466; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228467; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 4003 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228465; rev:1;) alert tcp $HOME_NET any -> [23.159.248.206] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228463; rev:1;) alert tcp $HOME_NET any -> [47.99.188.174] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228464; rev:1;) alert tcp $HOME_NET any -> [44.210.141.208] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228462/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228462; rev:1;) alert tcp $HOME_NET any -> [38.207.173.58] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228461/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228461; rev:1;) alert tcp $HOME_NET any -> [103.27.186.143] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228460/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228460; rev:1;) alert tcp $HOME_NET any -> [139.9.62.19] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228458; rev:1;) alert tcp $HOME_NET any -> [124.221.37.117] 8083 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228459; rev:1;) alert tcp $HOME_NET any -> [47.100.199.201] 8080 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228457; rev:1;) alert tcp $HOME_NET any -> [3.88.109.88] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228456; rev:1;) alert tcp $HOME_NET any -> [120.78.217.180] 50003 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228455; rev:1;) alert tcp $HOME_NET any -> [8.130.119.191] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228454; rev:1;) alert tcp $HOME_NET any -> [108.61.127.105] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228453; rev:1;) alert tcp $HOME_NET any -> [23.94.240.149] 4567 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228452/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228452; rev:1;) alert tcp $HOME_NET any -> [106.14.189.254] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228450; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"guoxue.qimen.top"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228451; rev:1;) alert tcp $HOME_NET any -> [148.163.89.57] 44136 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228449; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"reitaust.com"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228448/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228448; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"piratia.su"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228447/; target:src_ip; metadata: 
confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228447; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"piratia-life.ru"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228446/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228446; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"esmic.at"; depth:8; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228445/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228445; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"cittrans.ru"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228444/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228444; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/"; depth:5; nocase; http.host; content:"channelpi.com"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228443/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228443; rev:1;) alert tcp $HOME_NET any -> [139.162.170.233] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence 
level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228442/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228442; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"asdjjasdhioasdia.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228414/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228414; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cooldockmantoo.men"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228415; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.website"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228416/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228416; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"iliveona.cloud"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228417; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cjfop.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228418/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228418; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"hbdfblf.xyz"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228419; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"shetoldmeshewas12.uno"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228423/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228423; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"homehitter.tk"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228422; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"idfdfh.xyz"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228420; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"jxhfn.xyz"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228421; rev:1;) alert dns $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"skid.uno"; depth:8; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228424; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"getcred.uk"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228426; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.store"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228428; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"dogeatingchink.uno"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228425; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"fuckmy.site"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228427; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"0kn.tech"; depth:8; fast_pattern; 
isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228429; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"opewu.homes"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228430; rev:1;) alert tcp $HOME_NET any -> [195.144.21.137] 6667 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228431; rev:1;) alert tcp $HOME_NET any -> [195.144.21.137] 888 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228432; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 6666 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228433; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 9701 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228434; rev:1;) alert tcp $HOME_NET any -> 
[20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228436; rev:1;) alert tcp $HOME_NET any -> [213.171.14.82] 443 (msg:"ThreatFox FAKEUPDATES payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228435; rev:1;) alert tcp $HOME_NET any -> [102.40.46.101] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228277/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228277; rev:1;) alert tcp $HOME_NET any -> [47.116.198.16] 50050 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228276/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228276; rev:1;) alert tcp $HOME_NET any -> [81.169.252.120] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228275/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228275; rev:1;) alert tcp $HOME_NET any -> [24.46.79.89] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228274/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228274; rev:1;) alert tcp $HOME_NET any -> [86.190.166.153] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228273/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228273; rev:1;) alert tcp $HOME_NET any -> [2.50.16.211] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228272/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228272; rev:1;) alert tcp $HOME_NET any -> [139.84.162.47] 443 (msg:"ThreatFox pupy botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228271/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228271; rev:1;) alert tcp $HOME_NET any -> [82.153.138.180] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228270/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228270; rev:1;) alert tcp $HOME_NET any -> [18.201.203.167] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228269/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228269; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"152.32.210.127"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228268; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 8443 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228267/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228267; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 80 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228265/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228265; rev:1;) alert tcp $HOME_NET any -> [104.200.72.113] 8000 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228266/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228266; rev:1;) alert tcp $HOME_NET any -> [20.65.145.66] 1337 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228264/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228264; rev:1;) alert tcp $HOME_NET any -> [172.86.75.91] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228263/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228263; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"valarioulinity1.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228262/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228262; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"vacantion18ffeu.cc"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228261/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228261; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sulugilioiu19.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228260/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228260; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"selebration17io.io"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228259/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228259; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"goodfooggooftool.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228258/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228258; rev:1;)
# url IOCs: flow:established,from_client plus http.method "GET"; the path is a case-insensitive
# prefix match in http.uri (depth = path length) and the host an exact match in http.host
# (depth = host length, isdataat:!1,relative rejects anything longer). sid = 9 + ThreatFox IOC id.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"cassiosssionunu.me"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228257/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228257; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"buriatiarutuhuob.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228256/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228256; rev:1;)
# ip:port IOCs: header match only (no flow or content keyword), so any TCP packet from $HOME_NET to the
# listed ip:port alerts; "threshold: type limit, track by_src, seconds 60, count 1" caps this at one
# alert per source host per minute.
alert tcp $HOME_NET any -> [5.61.37.91] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228250; rev:1;)
alert tcp $HOME_NET any -> [46.17.41.112] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228251; rev:1;)
alert tcp $HOME_NET any -> [91.241.93.253] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228252/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228252; rev:1;)
alert tcp $HOME_NET any -> [139.144.212.80] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228253/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228253; rev:1;)
alert tcp $HOME_NET any -> [176.10.111.99] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228254/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228254; rev:1;)
alert tcp $HOME_NET any -> [185.14.30.10] 443 (msg:"ThreatFox Gozi botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228255/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228255; rev:1;)
alert tcp $HOME_NET any -> [141.255.145.242] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228249/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228249; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jspacket.php"; depth:13; nocase; http.host; content:"62.109.15.166"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228248; rev:1;)
alert tcp $HOME_NET any -> [103.178.235.88] 19990 (msg:"ThreatFox MooBot botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228246/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228246; rev:1;)
# domain IOCs: exact, case-insensitive match of the DNS query name (depth = name length,
# isdataat:!1,relative rejects longer names; fast_pattern marks the name for the prefilter).
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"bngoc.skyljne.click"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228247/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228247; rev:1;)
alert tcp $HOME_NET any -> [104.200.72.113] 8080 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228245; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.213] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228243; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.213] 2083 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228244/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228244; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.213] 2077 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228242; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.213] 1745 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228241; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.stripchat70.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228240; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stripchat70.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228239; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"m18888.com"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228238; rev:1;)
alert tcp $HOME_NET any -> [3.18.193.245] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228236; rev:1;)
alert tcp $HOME_NET any -> [18.135.30.45] 4242 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228237; rev:1;)
alert tcp $HOME_NET any -> [164.92.181.100] 3131 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228235; rev:1;)
alert tcp $HOME_NET any -> [202.10.36.221] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228234; rev:1;)
alert tcp $HOME_NET any -> [223.167.229.49] 8200 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228233; rev:1;)
alert tcp $HOME_NET any -> [185.239.209.215] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228232; rev:1;)
alert tcp $HOME_NET any -> [193.46.238.181] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228231; rev:1;)
alert tcp $HOME_NET any -> [217.160.89.160] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228230; rev:1;)
alert tcp $HOME_NET any -> [49.0.229.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228229; rev:1;)
alert tcp $HOME_NET any -> [47.109.79.80] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228228; rev:1;)
alert tcp $HOME_NET any -> [18.194.31.56] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228226; rev:1;)
alert tcp $HOME_NET any -> [60.204.157.150] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228227/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228227; rev:1;)
alert tcp $HOME_NET any -> [49.113.72.129] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228225; rev:1;)
alert tcp $HOME_NET any -> [108.165.115.40] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228224; rev:1;)
alert tcp $HOME_NET any -> [124.220.2.204] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228223; rev:1;)
alert tcp $HOME_NET any -> [118.126.93.98] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228222; rev:1;)
alert tcp $HOME_NET any -> [2.58.113.220] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228221; rev:1;)
alert tcp $HOME_NET any -> [2.58.113.172] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228220; rev:1;)
alert tcp $HOME_NET any -> [152.89.217.215] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228219; rev:1;)
alert tcp $HOME_NET any -> [34.194.123.143] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228217; rev:1;)
# NOTE(review): the ec2-*.compute-1.amazonaws.com names here and in sid 91228212 are the cloud
# provider's public DNS names, which track a public IP that is typically reassigned once the
# instance is released; expect these two IOCs to age quickly and review them before long-term retention.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-35-169-28-72.compute-1.amazonaws.com"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228218; rev:1;)
alert tcp $HOME_NET any -> [3.217.28.109] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228216; rev:1;)
alert tcp $HOME_NET any -> [185.225.200.120] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228215; rev:1;)
alert tcp $HOME_NET any -> [141.98.83.242] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228214; rev:1;)
alert tcp $HOME_NET any -> [18.130.69.162] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228213; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-239-255-86.compute-1.amazonaws.com"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228212; rev:1;)
alert tcp $HOME_NET any -> [188.166.39.71] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228211; rev:1;)
alert tcp $HOME_NET any -> [65.108.111.159] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228210; rev:1;)
alert tcp $HOME_NET any -> [149.28.201.102] 82 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228209; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"eurolub.ec4you.at"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228208; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"openbank-dispositivo.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228207; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"info-ibercaja.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228206; rev:1;)
alert tcp $HOME_NET any -> [45.76.87.78] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228205; rev:1;)
alert tcp $HOME_NET any -> [91.107.127.88] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228204; rev:1;)
alert tcp $HOME_NET any -> [92.63.106.153] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228203; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"4-72-seguimiento.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228202/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228202; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"159-89-8-28.cprapid.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228201/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228201; rev:1;)
alert tcp $HOME_NET any -> [213.195.119.8] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228200/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228200; rev:1;)
alert tcp $HOME_NET any -> [213.195.119.8] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228199/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228199; rev:1;)
alert tcp $HOME_NET any -> [151.80.238.21] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228198/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228198; rev:1;)
alert tcp $HOME_NET any -> [198.12.125.30] 8801 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228197/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228197; rev:1;)
alert tcp $HOME_NET any -> [45.126.209.4] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228196; rev:1;)
alert tcp $HOME_NET any -> [103.82.134.190] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228195; rev:1;)
alert tcp $HOME_NET any -> [91.109.190.6] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228194/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228194; rev:1;)
alert tcp $HOME_NET any -> [45.32.99.50] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228193/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228193; rev:1;)
alert tcp $HOME_NET any -> [166.1.190.150] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228192/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228192; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 90%)"; dns_query; content:"sdfsj3h1s54-yh.foy9dong.com"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228191/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_05; classtype:trojan-activity; sid:91228191; rev:1;)
alert tcp $HOME_NET any -> [152.32.210.127] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228190/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228190; rev:1;)
alert tcp $HOME_NET any -> [36.99.39.121] 55442 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228188/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228188; rev:1;)
alert tcp $HOME_NET any -> [152.32.210.127] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228189/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228189; rev:1;)
alert tcp $HOME_NET any -> [111.231.22.61] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228187/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228187; rev:1;)
alert tcp $HOME_NET any -> [8.136.241.0] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228186/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228186; rev:1;)
alert tcp $HOME_NET any -> [47.112.137.119] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228185/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228185; rev:1;)
alert tcp $HOME_NET any -> [46.101.69.223] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228183/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228183; rev:1;)
alert tcp $HOME_NET any -> [139.9.62.19] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228184/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228184; rev:1;)
alert tcp $HOME_NET any -> [202.144.192.114] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228182/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228182; rev:1;)
alert tcp $HOME_NET any -> [101.133.225.51] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228181/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228181; rev:1;)
alert tcp $HOME_NET any -> [47.111.227.202] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228179/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228179; rev:1;)
alert tcp $HOME_NET any -> [47.111.227.202] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228180/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228180; rev:1;)
alert tcp $HOME_NET any -> [47.94.56.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228178/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228178; rev:1;)
alert tcp $HOME_NET any -> [60.204.231.191] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228176/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228176; rev:1;)
alert tcp $HOME_NET any -> [43.139.177.77] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228177/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228177; rev:1;)
alert tcp $HOME_NET any -> [120.48.58.156] 811 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228175/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228175; rev:1;)
alert tcp $HOME_NET any -> [35.183.238.86] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228174/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228174; rev:1;)
alert tcp $HOME_NET any -> [8.210.65.76] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228173/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228173; rev:1;)
alert tcp $HOME_NET any -> [172.245.60.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228172/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228172; rev:1;)
alert tcp $HOME_NET any -> [107.174.242.74] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228171/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228171; rev:1;)
alert tcp $HOME_NET any -> [47.104.28.38] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228170/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228170; rev:1;)
alert tcp $HOME_NET any -> [114.132.183.17] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228169/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228169; rev:1;)
alert tcp $HOME_NET any -> [8.141.84.223] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228168/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228168; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"voiceai.linkedsl.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228167/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228167; rev:1;)
alert tcp $HOME_NET any -> [91.92.245.15] 80 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228166/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228166; rev:1;)
alert tcp $HOME_NET any -> [62.197.48.112] 3333 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228165/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228165; rev:1;)
alert tcp $HOME_NET any -> [91.238.181.238] 3389 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228162/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228162; rev:1;)
# NOTE(review): sids 91228163, 91228164 and 91228157 carry a bare hostname as the http.uri content
# (depth = hostname length) and have no http.host match. A request-line URI in origin form starts
# with "/", so these can only match absolute-form (proxy-style) requests; the other url rules in this
# feed (e.g. sid 91228155) put the path in http.uri and the host in http.host. Looks like the feed
# generator emitted a URL IOC that has no path here -- confirm, and consider the http.host form instead.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"blissful-shaw.45-61-162-107.plesk.page"; depth:38; nocase; reference:url, threatfox.abuse.ch/ioc/1228163/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228163; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45-61-162-107.cprapid.com"; depth:25; nocase; reference:url, threatfox.abuse.ch/ioc/1228164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228164; rev:1;)
alert tcp $HOME_NET any -> [154.47.17.246] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228156/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228156; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"msprojectserver.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1228157/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228157; rev:1;)
alert tcp $HOME_NET any -> [5.42.64.57] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228158/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228158; rev:1;)
alert tcp $HOME_NET any -> [5.42.66.49] 1443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228159/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228159; rev:1;)
alert tcp $HOME_NET any -> [45.76.208.125] 20001 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228160/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228160; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.sys-ipsec.xyz"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228161/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228161; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"47.99.34.158"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228155/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228155; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"updates.adobe-soft.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228154/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228154; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/safebrowsing/rd/c1ktwibhehcmdfebad2h12nw1-ioku7h2"; depth:50; nocase; http.host; content:"45.121.48.43"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228153/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228153; rev:1;)
alert tcp $HOME_NET any -> [202.144.192.62] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228152; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns0248.euskinc.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228151; rev:1;)
alert tcp $HOME_NET any -> [54.89.165.37] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228150/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228150; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.dmitolt.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228149/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228149; rev:1;)
alert tcp $HOME_NET any -> [152.32.210.127] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228148/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228148; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cscs.luxiaofei.online"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228147/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228147; rev:1;)
alert tcp $HOME_NET any -> [50.7.61.26] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228146/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228146; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.kp1nm8ao.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228145/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228145; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query;
content:"ns2.kp1nm8ao.xyz"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228144/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228144; rev:1;) alert tcp $HOME_NET any -> [47.103.20.98] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228143/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228143; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns3.simplence.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228142/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228142; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns2.simplence.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228141/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228141; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ns1.simplence.cn"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228140/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228140; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.254.4"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228139/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228139; rev:1;) alert tcp $HOME_NET any -> [185.130.226.143] 6575 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228138/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228138; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.53"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228079/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228079; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.55"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228081/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228081; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.54"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228080/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228080; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.59"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228082/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228082; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.61"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228084/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228084; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.60"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228083/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228083; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.77"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228085/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228085; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.81"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228086/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228086; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.140"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228088/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228088; rev:1;) 
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.181.80.130"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228087/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228087; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.241.184"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228089/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228089; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.242.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228090/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228090; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.244.7"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228091/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228091; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.245.143"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228092/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228092; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.251.17"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1228093/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228093; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.251.113"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228094/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228094; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.252.214"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228095/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228095; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.114"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228097/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228097; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.253.254"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228096/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228096; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.115"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228098/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228098; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.116"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228099/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228099; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.64.218"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228100/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228100; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.149"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228101/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228101; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.150"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228102/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228102; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.151"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228103/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228103; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.152"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228104/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228104; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"94.156.68.153"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228105/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228105; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.8"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1228106/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228106; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.36"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228124/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228124; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; 
content:"GET"; http.uri; content:"185.194.176.14"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228107/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228107; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.21"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228109/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228109; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.20"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228108/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228108; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.22"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228110/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228110; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.23"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228111/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228111; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"185.194.176.24"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228112/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228112; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.25"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228113/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228113; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.26"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228114/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228114; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.27"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228115/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228115; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.28"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228116/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228116; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.29"; depth:14; 
nocase; reference:url, threatfox.abuse.ch/ioc/1228117/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228117; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.30"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228118/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228118; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.32"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228120/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228120; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.31"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228119/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228119; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.33"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228121/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228121; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.34"; depth:14; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228122/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228122; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.35"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228123/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228123; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.37"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228125/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228125; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.38"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228126/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228126; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.39"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228127/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228127; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.40"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228128/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228128; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.41"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228129/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228129; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.43"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228131; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.45"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228133/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228133; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.42"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228130/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228130; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.44"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228132/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228132; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.46"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228134/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228134; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.47"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228135/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228135; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"185.194.176.48"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1228136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228136; rev:1;) alert tcp $HOME_NET any -> [66.204.14.247] 55000 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228137; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"43.138.30.109"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228078/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228078; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"123.207.46.13"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228077/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228077; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"grigorjevas.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1228062/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228062; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"gourmand.lt"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1228063/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228063; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"mutualgrimness.entrydns.org"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228064/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228064; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"healthiertoday.site"; depth:19; nocase; reference:url, 
threatfox.abuse.ch/ioc/1228065/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228065; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"43.136.84.234"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228076/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228076; rev:1;) alert tcp $HOME_NET any -> [194.116.191.52] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228075/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228075; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/apiv8/getstatus"; depth:16; nocase; http.host; content:"194.116.191.52"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228074/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228074; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228073/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228073; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"120.55.82.147"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228071/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228071; rev:1;) alert tcp $HOME_NET any -> [120.55.82.147] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228072/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228072; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228070/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228070; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/wp-admin"; depth:9; nocase; http.host; content:"ongmanibeimeihong.cdnaliyun.top"; depth:31; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228069/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228069; rev:1;) alert tcp $HOME_NET any -> [165.22.184.218] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228068/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228068; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic 
(url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_"; depth:2; nocase; http.host; content:"165.22.184.218"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228067/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228067; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"103.164.81.74"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228066/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228066; rev:1;) alert tcp $HOME_NET any -> [165.22.184.218] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228058/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228058; rev:1;) alert tcp $HOME_NET any -> [45.90.217.165] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228059/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228059; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"superendpoint.azureedge.net"; depth:27; nocase; reference:url, threatfox.abuse.ch/ioc/1228060/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228060; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/match"; depth:6; nocase; http.host; content:"47.108.175.149"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228061/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228061; rev:1;) alert tcp $HOME_NET any -> [194.87.218.132] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228057/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228057; rev:1;) alert tcp $HOME_NET any -> [216.224.123.241] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228056/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228056; rev:1;) alert tcp $HOME_NET any -> [104.243.25.78] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228055/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228055; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dns.dracumi.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227981/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227981; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; 
http.uri; content:"/bestone/.nekoisdaddy.mips"; depth:26; nocase; http.host; content:"45.86.155.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227985/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227985; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"cnc.nekololis.ovh"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227986/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227986; rev:1;) alert tcp $HOME_NET any -> [87.121.58.103] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227987/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227987; rev:1;) alert tcp $HOME_NET any -> [45.86.155.249] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227988/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227988; rev:1;) alert tcp $HOME_NET any -> [45.229.237.214] 80 (msg:"ThreatFox Mirai payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227989/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91227989; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"my-vidar.net"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228010/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228010; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"my-odin.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228011/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228011; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/sellers/auth/login"; depth:19; nocase; http.host; content:"egetfile.top"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228012/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228012; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/auth/login/"; depth:12; nocase; http.host; content:"testingversion.my-vidar.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228013/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228013; rev:1;) alert tcp $HOME_NET any -> [178.255.168.49] 4782 (msg:"ThreatFox Quasar RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228015/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228015; rev:1;) alert tcp $HOME_NET any -> [79.107.199.218] 6666 (msg:"ThreatFox 
Quasar RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228016/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228016; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"ratsakis.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228017/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228017; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"sfxn.ddns.net"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228018/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228018; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (domain - confidence level: 100%)"; dns_query; content:"thietbiytebt.online"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228019/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228019; rev:1;) alert tcp $HOME_NET any -> [185.224.128.187] 7774 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228026/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228026; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 8010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228029/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228029; rev:1;) alert tcp $HOME_NET any -> [16.171.112.33] 18010 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228030/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228030; rev:1;) alert tcp $HOME_NET any -> [84.54.51.74] 19285 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228031/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_05; classtype:trojan-activity; sid:91228031; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"cdn.microsolt.top"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1228032/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228032; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.147.231.124"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228045/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228045; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.153.240.82"; depth:13; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1228046/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228046; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.249"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228048/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228048; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"46.29.162.103"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228047/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228047; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"104.194.156.51"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228049/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228049; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"172.86.66.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228050/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228050; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"172.86.70.150"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228051/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228051; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"176.32.33.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228052/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228052; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.220.180"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228054/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228054; rev:1;) alert tcp $HOME_NET any -> [5.75.220.180] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228053/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228053; rev:1;) alert tcp $HOME_NET any -> [139.224.188.135] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228044/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; 
classtype:trojan-activity; sid:91228044; rev:1;) alert tcp $HOME_NET any -> [71.88.240.64] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228043/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228043; rev:1;) alert tcp $HOME_NET any -> [94.98.78.18] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228042/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228042; rev:1;) alert tcp $HOME_NET any -> [50.35.133.122] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228041/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228041; rev:1;) alert tcp $HOME_NET any -> [78.100.238.179] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228040/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228040; rev:1;) alert tcp $HOME_NET any -> [176.44.67.57] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228039/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228039; rev:1;) alert tcp $HOME_NET any -> [86.236.26.94] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1228038/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228038; rev:1;) alert tcp $HOME_NET any -> [69.159.0.230] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228037/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228037; rev:1;) alert tcp $HOME_NET any -> [179.96.164.40] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228036/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228036; rev:1;) alert tcp $HOME_NET any -> [160.238.36.135] 8080 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228035/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228035; rev:1;) alert tcp $HOME_NET any -> [45.61.187.244] 80 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228034/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228034; rev:1;) alert tcp $HOME_NET any -> [143.110.151.209] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228033/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_05; classtype:trojan-activity; sid:91228033; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 
100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/externaleternalvideosecureprocessservermulti.php"; depth:49; nocase; http.host; content:"137953cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1228028/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_05; classtype:trojan-activity; sid:91228028; rev:1;) alert tcp $HOME_NET any -> [37.220.80.225] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228027/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228027; rev:1;) alert tcp $HOME_NET any -> [177.7.164.13] 1177 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228025/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_05; classtype:trojan-activity; sid:91228025; rev:1;) alert tcp $HOME_NET any -> [93.179.113.142] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228009/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228009; rev:1;) alert tcp $HOME_NET any -> [159.65.147.98] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228008/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228008; rev:1;) alert tcp $HOME_NET any -> [111.193.206.216] 9333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228007/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228007; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"potomac-clickstream.usaa.website"; depth:32; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228006/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228006; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"clix.usaa.website"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228004/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228004; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bfp.usaa.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228005/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228005; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"objects.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228002/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228002; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"paxful.usaa.website"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1228003/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228003; rev:1;) alert tcp $HOME_NET any -> [198.46.226.84] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228001/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228001; rev:1;) alert tcp $HOME_NET any -> [193.22.152.104] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1228000/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91228000; rev:1;) alert tcp $HOME_NET any -> [154.92.14.85] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227999/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227999; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"infallible-lichterman.45-141-215-173.plesk.page"; depth:47; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227998/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227998; rev:1;) alert tcp $HOME_NET any -> [77.91.68.183] 80 (msg:"ThreatFox ERMAC botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227997/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227997; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"monitor.cll5.fact.solutions"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227996/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227996; rev:1;) alert tcp $HOME_NET any -> [91.92.250.211] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227995/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227995; rev:1;) alert tcp $HOME_NET any -> [88.229.34.236] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227994/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227994; rev:1;) alert tcp $HOME_NET any -> [124.70.196.94] 8883 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227993/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227993; rev:1;) alert tcp $HOME_NET any -> [165.154.132.129] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227992/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227992; rev:1;) alert tcp $HOME_NET any -> [165.154.132.129] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227991/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227991; rev:1;) alert tcp $HOME_NET any -> [101.43.30.194] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227990/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227990; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"101.43.58.176"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227983/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227983; rev:1;) alert tcp $HOME_NET any -> [108.30.227.173] 443 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227982/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227982; rev:1;) alert tcp $HOME_NET any -> [95.217.236.92] 39545 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227980/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227980; rev:1;) alert tcp $HOME_NET any -> [89.247.50.36] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227979/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227979; rev:1;) alert tcp $HOME_NET 
any -> [18.153.210.153] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227978/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227978; rev:1;) alert tcp $HOME_NET any -> [159.253.120.84] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227977/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227977; rev:1;) alert tcp $HOME_NET any -> [5.230.74.102] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227976/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227976; rev:1;) alert tcp $HOME_NET any -> [38.47.101.14] 8008 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227975/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227975; rev:1;) alert tcp $HOME_NET any -> [35.80.38.180] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227974/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227974; rev:1;) alert tcp $HOME_NET any -> [122.51.216.39] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227973/; target:src_ip; metadata: 
confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227973; rev:1;) alert tcp $HOME_NET any -> [154.85.56.248] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227972/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227972; rev:1;) alert tcp $HOME_NET any -> [74.12.145.184] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227971/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227971; rev:1;) alert tcp $HOME_NET any -> [83.110.196.159] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227970/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227970; rev:1;) alert tcp $HOME_NET any -> [194.87.31.229] 6438 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227969/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227969; rev:1;) alert tcp $HOME_NET any -> [65.108.20.160] 11396 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227968/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227968; rev:1;) alert tcp $HOME_NET any -> [212.25.9.240] 1099 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: 
type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227967/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227967; rev:1;) alert tcp $HOME_NET any -> [136.244.108.223] 1411 (msg:"ThreatFox NetSupportManager RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227966/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227966; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227965/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227965; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2082 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227964/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227964; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227963/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227963; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227962/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227962; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.petrus4.com"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227961/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227961; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.ritestowritemyword.org"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227960/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227960; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4002 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227959/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227959; rev:1;) alert tcp $HOME_NET any -> [18.143.166.2] 81 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227958/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227958; rev:1;) alert tcp $HOME_NET any -> [45.249.244.18] 89 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227957/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227957; rev:1;) alert tcp $HOME_NET any -> [143.110.147.108] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, 
track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227956/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227956; rev:1;) alert tcp $HOME_NET any -> [18.197.64.51] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227955/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227955; rev:1;) alert tcp $HOME_NET any -> [13.43.41.39] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227953/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227953; rev:1;) alert tcp $HOME_NET any -> [18.197.64.51] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227954/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227954; rev:1;) alert tcp $HOME_NET any -> [3.107.10.141] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227952/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227952; rev:1;) alert tcp $HOME_NET any -> [139.59.44.192] 4444 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227951/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227951; rev:1;) alert 
tcp $HOME_NET any -> [139.59.17.211] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227950/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227950; rev:1;) alert tcp $HOME_NET any -> [69.162.150.73] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227949/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227949; rev:1;) alert tcp $HOME_NET any -> [18.197.171.40] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227947/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227947; rev:1;) alert tcp $HOME_NET any -> [18.197.171.40] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227948/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227948; rev:1;) alert tcp $HOME_NET any -> [212.64.195.38] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227946/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227946; rev:1;) alert tcp $HOME_NET any -> [18.102.176.3] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227945/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227945; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sessions.usaa.website"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227944/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227944; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lms.usaa.website"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227943/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227943; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sensors.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227942/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227942; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mobile2.usaa.website"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227940/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227940; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"secure07c.usaa.website"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227941/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227941; rev:1;) alert tcp $HOME_NET any -> [147.139.1.27] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227939/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227939; rev:1;) alert tcp $HOME_NET any -> [8.134.138.198] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227938/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227938; rev:1;) alert tcp $HOME_NET any -> [216.238.111.60] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227937/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227937; rev:1;) alert tcp $HOME_NET any -> [150.158.150.131] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227936/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227936; rev:1;) alert tcp $HOME_NET any -> [116.211.228.236] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227935/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227935; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"payandhay.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227934/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227934; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.payandhay.online"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227933/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227933; rev:1;) alert tcp $HOME_NET any -> [51.195.83.133] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227932/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227932; rev:1;) alert tcp $HOME_NET any -> [51.195.83.133] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227931/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227931; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ip133.ip-51-195-83.eu"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227929/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227929; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"3ps1l0n.life"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227930/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227930; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"agniane.sbs"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227928/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227928; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"darkeye.online"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227927/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227927; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vps-729780f6.vps.ovh.ca"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227926/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227926; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rastro.pages.dev"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227925/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227925; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"z3us.online"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227924/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227924; rev:1;) alert dns $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vectorstealer.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227923/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227923; rev:1;) alert tcp $HOME_NET any -> [54.210.248.214] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227922/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227922; rev:1;) alert tcp $HOME_NET any -> [45.141.215.173] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227921/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227921; rev:1;) alert tcp $HOME_NET any -> [97.120.154.174] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227920/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227920; rev:1;) alert tcp $HOME_NET any -> [65.20.68.219] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227919/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227919; rev:1;) alert tcp $HOME_NET any -> [20.217.81.50] 8080 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227918/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227918; rev:1;) alert tcp $HOME_NET any -> [185.16.38.41] 4449 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227917/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227917; rev:1;) alert tcp $HOME_NET any -> [103.59.94.45] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227916/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227916; rev:1;) alert tcp $HOME_NET any -> [13.235.254.216] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227914/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227914; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lightfull.shop"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227915/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227915; rev:1;) alert tcp $HOME_NET any -> [37.120.137.230] 3333 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227913/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227913; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet 
C2 traffic (domain - confidence level: 100%)"; dns_query; content:"reksiaeksinov.fvds.ru"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227912/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227912; rev:1;) alert tcp $HOME_NET any -> [97.151.208.70] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227911/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227911; rev:1;) alert tcp $HOME_NET any -> [206.123.132.170] 2000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227910/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227910; rev:1;) alert tcp $HOME_NET any -> [190.213.184.38] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227909/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227909; rev:1;) alert tcp $HOME_NET any -> [88.235.35.170] 20000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227907/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227907; rev:1;) alert tcp $HOME_NET any -> [212.102.59.84] 8888 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227908/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227908; rev:1;) alert tcp $HOME_NET any -> [39.100.128.2] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227906/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227906; rev:1;) alert tcp $HOME_NET any -> [107.172.201.247] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227905/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227905; rev:1;) alert tcp $HOME_NET any -> [162.33.178.80] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227904/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227904; rev:1;) alert tcp $HOME_NET any -> [154.39.245.146] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227903/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227903; rev:1;) alert tcp $HOME_NET any -> [165.154.183.177] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227902/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_04; classtype:trojan-activity; sid:91227902; rev:1;) alert tcp $HOME_NET any -> [47.120.47.43] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227901/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227901; rev:1;) alert tcp $HOME_NET any -> [101.43.58.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227900/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227900; rev:1;) alert tcp $HOME_NET any -> [47.99.34.158] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227899/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227899; rev:1;) alert tcp $HOME_NET any -> [114.116.30.63] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227898/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227898; rev:1;) alert tcp $HOME_NET any -> [20.5.43.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227897/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227897; rev:1;) alert tcp $HOME_NET any -> [44.221.115.240] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227896/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227896; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"114.115.210.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227895/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227895; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"154.3.2.253"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227894/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227894; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"39.105.4.90"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227893/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227893; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"43.139.74.167"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227892/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227892; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"206.119.171.125"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227891/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227891; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"23.26.147.185"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227890/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227890; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"47.93.216.2"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227889/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227889; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/activity"; depth:9; nocase; http.host; content:"23.95.197.194"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227888/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227888; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"62.72.33.132"; depth:12; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227885/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227885; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"62.72.33.127"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227886/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227886; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/acces/login"; depth:12; nocase; http.host; content:"5.230.72.46"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227887/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227887; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227884/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227884; rev:1;) alert tcp $HOME_NET any -> [3.126.37.18] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227883/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227883; rev:1;) alert tcp $HOME_NET any -> [18.156.13.209] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227882/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227882; rev:1;) alert tcp $HOME_NET any -> [3.127.138.57] 19483 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227881/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227881; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dashboard"; depth:10; nocase; http.host; content:"94.242.53.233"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227880/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227880; rev:1;) alert tcp $HOME_NET any -> [103.151.228.65] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227879/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227879; rev:1;) alert tcp $HOME_NET any -> [137.175.17.181] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227878/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227878; rev:1;) alert tcp $HOME_NET any -> [194.147.140.205] 4040 (msg:"ThreatFox Remcos botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227877/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; 
sid:91227877; rev:1;) alert tcp $HOME_NET any -> [93.123.85.79] 1337 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227875/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227875; rev:1;) alert tcp $HOME_NET any -> [103.13.209.45] 4782 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227876/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227876; rev:1;) alert tcp $HOME_NET any -> [141.98.10.85] 1024 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227869/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227869; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"igo0gle.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227872/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227872; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"igo0gle.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227871/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227871; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"ftp.igo0gle.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227873/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227873; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"ftp.igo0gle.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227874/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227874; rev:1;) alert tcp $HOME_NET any -> [110.42.214.238] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227870/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227870; rev:1;) alert tcp $HOME_NET any -> [170.130.55.84] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227865/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227865; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"flsgfjrughtsvsv.com"; depth:19; nocase; reference:url, threatfox.abuse.ch/ioc/1227866/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227866; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/jquery-3.3.1.min.js"; depth:20; nocase; http.host; 
content:"170.130.55.84"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227867/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227867; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/metro91/admin/1/ppptp.jpg"; depth:26; nocase; http.host; content:"94.74.105.131"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227868/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227868; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.108.137.190"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227864/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227864; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"118.31.114.23"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227863/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227863; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227862/; target:src_ip; metadata: confidence_level 100, first_seen 
2024_01_04; classtype:trojan-activity; sid:91227862; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"124.71.222.33"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227861/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227861; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"124.71.46.93"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227860/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227860; rev:1;) alert tcp $HOME_NET any -> [45.150.65.159] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227859/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227859; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nsns1.container911.site"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227858/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227858; rev:1;) alert tcp $HOME_NET any -> [47.99.34.158] 9090 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227857/; target:src_ip; metadata: confidence_level 80, first_seen 
2024_01_04; classtype:trojan-activity; sid:91227857; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/__utm.gif"; depth:10; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227856/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227856; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.136.218.157"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227855/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227855; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api/x"; depth:6; nocase; http.host; content:"service-18c6z8nb-1303896379.sh.tencentapigw.cn"; depth:46; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227853/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227853; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"service-18c6z8nb-1303896379.sh.tencentapigw.cn"; depth:46; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227854/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227854; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"120.76.174.208"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227852/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227852; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"101.132.148.46"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227851/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227851; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/del/lockout/q56sz0mji3"; depth:23; nocase; http.host; content:"47.93.222.32"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227850/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227850; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227849/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227849; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; 
content:"79.124.40.106"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227848/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227848; rev:1;) alert tcp $HOME_NET any -> [206.189.206.61] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227847/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227847; rev:1;) alert tcp $HOME_NET any -> [45.155.249.164] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227844/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227844; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dofor/v7.66/lkcfceuyz8j3"; depth:25; nocase; http.host; content:"45.155.249.164"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227843/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227843; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227842/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227842; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"tybytimemunutere.net"; depth:20; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227841/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227841; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"stanystarysturu.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227839/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227839; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"thethuthe3.net"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227840/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227840; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sinuptinulium.net"; depth:17; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227838/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227838; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"sindusyndy.net"; depth:14; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227837/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227837; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"rakutenmakutern.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227836/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227836; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"opengamerstypepsy.net"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227835/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227835; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lumustruoues.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227834/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; classtype:trojan-activity; sid:91227834; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/index.php"; depth:10; nocase; http.host; content:"lovelyloversbouuyrs.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227833/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_04; 
classtype:trojan-activity; sid:91227833; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"baykusdnamcaya.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227723/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227723; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"birigeldomisosnet.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227724/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227724; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borabirincigelez.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227725/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227725; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borabirinicedfores.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227726/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227726; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"borarsaborabirinci.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227727/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227727; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any 
(msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"boryoboresbirinci.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227728/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227728; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gahyonmedsosges.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227729/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227729; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ikincipansizde.net"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227730/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227730; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lagelogelolsiki.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227731/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227731; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"laylolsosdesike.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227732/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227732; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"lofeyomefofsiki.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227733/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227733; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logaloledsossiki.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227734/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227734; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"loledosiki.net"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227735/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227735; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"lolforfaysike.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227736/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227736; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"myidtelstra.net"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227737/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227737; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedoesdomanecomanes.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227739/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227739; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sedaborabirinciel.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227738/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227738; rev:1;) alert tcp $HOME_NET any -> [83.85.165.190] 1604 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227744/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227744; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sp1oorat.ddns.net"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227745/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227745; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"kineticwing.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227747/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227747; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"kineticwing.com"; depth:15; 
isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227748/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227748; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"kineticwing.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227749/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227749; rev:1;) alert tcp $HOME_NET any -> [109.123.227.104] 2221 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227753/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227753; rev:1;) alert tcp $HOME_NET any -> [192.248.174.52] 5631 (msg:"ThreatFox Pikabot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227752/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227752; rev:1;) alert tcp $HOME_NET any -> [152.89.218.212] 443 (msg:"ThreatFox NetSupportManager RAT payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227756/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227756; rev:1;) alert tcp $HOME_NET any -> [187.224.3.146] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227832/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227832; rev:1;) alert tcp $HOME_NET any -> [149.109.140.235] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227831/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227831; rev:1;) alert tcp $HOME_NET any -> [74.12.145.184] 2078 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227830/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227830; rev:1;) alert tcp $HOME_NET any -> [190.28.114.195] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227829/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227829; rev:1;) alert tcp $HOME_NET any -> [119.156.27.89] 8843 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227828/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_04; classtype:trojan-activity; sid:91227828; rev:1;) alert tcp $HOME_NET any -> [54.233.207.223] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227827/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227827; rev:1;) alert tcp $HOME_NET any -> [186.13.27.51] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227818/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227818; rev:1;) alert tcp $HOME_NET any -> [79.107.158.59] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227817/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227817; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227816/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227816; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2052 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227815/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227815; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2096 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227813/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227813; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2222 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227814/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227814; rev:1;) alert tcp $HOME_NET any -> 
[187.135.122.222] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227811/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227811; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2080 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227812/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227812; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227810/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227810; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 1622 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227808/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227808; rev:1;) alert tcp $HOME_NET any -> [187.135.122.222] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227809/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227809; rev:1;) alert tcp $HOME_NET any -> [65.108.17.222] 8080 (msg:"ThreatFox Octopus botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227807/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227807; rev:1;) alert tcp $HOME_NET any -> [104.168.24.196] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227806/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227806; rev:1;) alert tcp $HOME_NET any -> [193.200.149.111] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227805/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227805; rev:1;) alert tcp $HOME_NET any -> [34.122.61.85] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227804/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227804; rev:1;) alert tcp $HOME_NET any -> [49.12.233.183] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227803/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227803; rev:1;) alert tcp $HOME_NET any -> [118.25.19.201] 9999 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227802/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227802; rev:1;) alert tcp $HOME_NET any -> [85.31.234.246] 1723 (msg:"ThreatFox Unknown malware 
botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227801/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227801; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gettymefondeploy.online"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227800/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227800; rev:1;) alert tcp $HOME_NET any -> [39.107.95.199] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227799/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227799; rev:1;) alert tcp $HOME_NET any -> [146.190.112.135] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227798/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227798; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-34-201-97-6.compute-1.amazonaws.com"; depth:39; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227797/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227797; rev:1;) alert tcp $HOME_NET any -> [45.42.45.10] 8080 (msg:"ThreatFox Bandit Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227796/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227796; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"stupefied-germain.45-141-215-173.plesk.page"; depth:43; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227795/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227795; rev:1;) alert tcp $HOME_NET any -> [45.93.20.207] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227793/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227793; rev:1;) alert tcp $HOME_NET any -> [85.192.63.57] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227794/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227794; rev:1;) alert tcp $HOME_NET any -> [27.74.166.36] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227791/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227791; rev:1;) alert tcp $HOME_NET any -> [27.74.166.36] 9999 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227792/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227792; rev:1;) alert tcp $HOME_NET any -> 
[176.29.69.108] 8000 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227790/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227790; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"api.msservice.workers.dev"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227789/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227789; rev:1;) alert tcp $HOME_NET any -> [64.156.192.19] 2222 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227787/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227787; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"helpdesktops.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227788/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227788; rev:1;) alert tcp $HOME_NET any -> [146.190.236.181] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227786/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227786; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vmi1502954.contaboserver.net"; depth:28; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1227785/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227785; rev:1;) alert tcp $HOME_NET any -> [70.34.252.163] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227784/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227784; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"my-package-tracking.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227783/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227783; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"flintton.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227782/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227782; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rb-an-clk.online"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227781/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227781; rev:1;) alert tcp $HOME_NET any -> [91.107.124.12] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227780/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227780; 
rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vigilant-elbakyan.159-89-8-28.plesk.page"; depth:40; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227779/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227779; rev:1;) alert tcp $HOME_NET any -> [136.243.151.21] 78 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227778/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227778; rev:1;) alert tcp $HOME_NET any -> [213.195.119.8] 5001 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227777/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227777; rev:1;) alert tcp $HOME_NET any -> [23.94.62.136] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227776/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227776; rev:1;) alert tcp $HOME_NET any -> [20.52.118.210] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227775/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_04; classtype:trojan-activity; sid:91227775; rev:1;) alert tcp $HOME_NET any -> [39.107.102.62] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, 
count 1; reference:url, threatfox.abuse.ch/ioc/1227774/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227774; rev:1;) alert tcp $HOME_NET any -> [45.207.47.21] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227772/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227772; rev:1;) alert tcp $HOME_NET any -> [123.57.77.11] 8992 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227773/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227773; rev:1;) alert tcp $HOME_NET any -> [121.40.233.196] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227771/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227771; rev:1;) alert tcp $HOME_NET any -> [117.50.179.195] 4436 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227770/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227770; rev:1;) alert tcp $HOME_NET any -> [20.231.208.182] 3080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227769/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227769; rev:1;) alert tcp $HOME_NET any -> 
[64.176.82.16] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227768/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227768; rev:1;) alert tcp $HOME_NET any -> [110.40.213.80] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227766/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227766; rev:1;) alert tcp $HOME_NET any -> [8.134.219.118] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227767/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227767; rev:1;) alert tcp $HOME_NET any -> [154.9.255.242] 48084 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227765/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227765; rev:1;) alert tcp $HOME_NET any -> [103.146.179.104] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227763/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227763; rev:1;) alert tcp $HOME_NET any -> [146.56.234.203] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227764/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227764; rev:1;) alert tcp $HOME_NET any -> [43.128.54.51] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227762/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227762; rev:1;) alert tcp $HOME_NET any -> [172.111.218.107] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227761/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227761; rev:1;) alert tcp $HOME_NET any -> [114.115.210.125] 8880 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227760/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227760; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"dracumi.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227759/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227759; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ecs-116-205-161-207.compute.hwclouds-dns.com"; depth:44; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227757/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227757; rev:1;) alert tcp $HOME_NET any -> 
[124.221.235.147] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227758/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_04; classtype:trojan-activity; sid:91227758; rev:1;) alert tcp $HOME_NET any -> [103.13.209.45] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227754/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227754; rev:1;) alert tcp $HOME_NET any -> [167.160.90.93] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227751/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_04; classtype:trojan-activity; sid:91227751; rev:1;) alert tcp $HOME_NET any -> [45.88.186.145] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227750/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227750; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ga.js"; depth:6; nocase; http.host; content:"120.48.58.156"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227746/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227746; rev:1;) alert tcp $HOME_NET any -> [193.168.141.241] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227742/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227742; rev:1;) alert tcp $HOME_NET any -> [193.233.202.4] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227743/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227743; rev:1;) alert tcp $HOME_NET any -> [91.229.239.230] 80 (msg:"ThreatFox IcedID botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227741/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_03; classtype:trojan-activity; sid:91227741; rev:1;) alert tcp $HOME_NET any -> [47.253.43.163] 10001 (msg:"ThreatFox Xtreme RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227740/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227740; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/l1nc0in.php"; depth:12; nocase; http.host; content:"a0899944.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227722/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227722; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"194.36.190.238"; depth:14; isdataat:!1,relative; 
reference:url, threatfox.abuse.ch/ioc/1227711/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227711; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"216.158.225.153"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227712/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227712; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.84.140.32"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227709/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227709; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"185.156.172.64"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227710/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227710; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"101.99.95.144"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227707/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227707; rev:1;) alert http $HOME_NET any 
-> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"159.100.9.207"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227708/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227708; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.197.1.37"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227704/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227704; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227705/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227705; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"94.242.53.101"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227706/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227706; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; 
http.host; content:"77.73.70.71"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227702/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227702; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"91.92.248.26"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227703/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227703; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.251"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227700/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227700; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.70.10"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227701/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227701; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.95"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227699/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; 
classtype:trojan-activity; sid:91227699; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.141.37.139"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227696/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227696; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.155.250.54"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227697/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227697; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"77.73.69.80"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227698/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227698; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.8.159.34"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227694/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227694; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; 
http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"45.11.182.116"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227695/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227695; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.68.152"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227692/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227692; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"31.13.195.10"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227693/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227693; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.68.85"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227691/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227691; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.40.118"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227689/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227689; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/login"; depth:6; nocase; http.host; content:"5.230.46.135"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227690/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227690; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/split/d/7473220op"; depth:18; nocase; http.host; content:"39.100.128.2"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227687/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227687; rev:1;) alert tcp $HOME_NET any -> [39.100.128.2] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227688/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227688; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/basepollimage/3_/requestpacket2/tempdb/7pipe2/temporarypipe/providervideolinephprequestprocesslinuxtraffictemp.php"; depth:115; nocase; http.host; content:"185.106.94.86"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227721/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227721; rev:1;) alert tcp $HOME_NET any -> [37.210.32.140] 443 
(msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227720/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227720; rev:1;) alert tcp $HOME_NET any -> [86.98.8.79] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227719/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227719; rev:1;) alert tcp $HOME_NET any -> [78.101.91.145] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227718/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227718; rev:1;) alert tcp $HOME_NET any -> [184.70.132.254] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227717/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227717; rev:1;) alert tcp $HOME_NET any -> [37.27.27.94] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227716/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227716; rev:1;) alert tcp $HOME_NET any -> [179.96.164.30] 445 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227715/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; 
classtype:trojan-activity; sid:91227715; rev:1;) alert tcp $HOME_NET any -> [194.190.152.81] 8888 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227714/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227714; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"94.103.90.193"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227713/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227713; rev:1;) alert tcp $HOME_NET any -> [18.157.68.73] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227686/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227686; rev:1;) alert tcp $HOME_NET any -> [18.192.93.86] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227685/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227685; rev:1;) alert tcp $HOME_NET any -> [18.197.239.5] 15020 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227684/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227684; rev:1;) alert tcp $HOME_NET any -> [116.202.180.148] 2024 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227682/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227682; rev:1;) alert tcp $HOME_NET any -> [5.75.215.64] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227683/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227683; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227681/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227681; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.180.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227680/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227680; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"gayretoploforeztolezkoz.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227679/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227679; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"111.231.22.61"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227678/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227678; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayhonkolimbinesos.net"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227675/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227675; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raygovalizrobinezcomez.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227671/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227671; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rayrovelemanze.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227672/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227672; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sevcikconcikdomilezdolerez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227673/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227673; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; 
content:"sevdalimdolemezdidos.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227674/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227674; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"teygolfaygoldoleriz.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227676/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227676; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"zaryedtormentosco.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227677/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227677; rev:1;) alert tcp $HOME_NET any -> [95.217.82.39] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227627/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227627; rev:1;) alert tcp $HOME_NET any -> [185.209.161.162] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227628/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227628; rev:1;) alert tcp $HOME_NET any -> [91.92.253.3] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227629/; target:src_ip; metadata: 
confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227629; rev:1;) alert tcp $HOME_NET any -> [91.92.242.217] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227630/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227630; rev:1;) alert tcp $HOME_NET any -> [91.92.253.159] 19000 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227631/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227631; rev:1;) alert tcp $HOME_NET any -> [188.54.123.236] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227670/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227670; rev:1;) alert tcp $HOME_NET any -> [160.179.104.109] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227669/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227669; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2053 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227668/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227668; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2003 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; 
threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227667/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227667; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2281 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227665/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227665; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1723 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227666/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227666; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2078 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227663/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227663; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2079 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227664/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227664; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2000 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227662/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227662; 
rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1883 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227661/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227661; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2181 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227659/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227659; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 1701 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227660/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227660; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2095 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227658/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227658; rev:1;) alert tcp $HOME_NET any -> [187.135.122.175] 2087 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227657/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227657; rev:1;) alert tcp $HOME_NET any -> [47.7.145.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227656/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227656; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.736631.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227655/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227655; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"1518644.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227654/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227654; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"bigscreenthrills.org"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227653/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227653; rev:1;) alert tcp $HOME_NET any -> [104.168.24.196] 9000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227652/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227652; rev:1;) alert tcp $HOME_NET any -> [104.193.111.38] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227651/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227651; rev:1;) 
alert tcp $HOME_NET any -> [13.42.177.28] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227650/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227650; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4431 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227649/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227649; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4449 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227648/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227648; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227647/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227647; rev:1;) alert tcp $HOME_NET any -> [18.135.30.45] 4433 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227646/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227646; rev:1;) alert tcp $HOME_NET any -> [34.247.168.187] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227645/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227645; rev:1;) alert tcp $HOME_NET any -> [64.227.130.150] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227644/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227644; rev:1;) alert tcp $HOME_NET any -> [13.42.163.200] 5723 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227643/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227643; rev:1;) alert tcp $HOME_NET any -> [3.35.8.177] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227642/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227642; rev:1;) alert tcp $HOME_NET any -> [80.85.154.199] 4578 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227641/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227641; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"logs.customerportalverify.store"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227640/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227640; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"smetrics.customerportalverify.store"; depth:35; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227639/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227639; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ads.customerportalverify.store"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227638/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227638; rev:1;) alert tcp $HOME_NET any -> [59.110.9.127] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227637/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227637; rev:1;) alert tcp $HOME_NET any -> [121.196.193.21] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227636/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227636; rev:1;) alert tcp $HOME_NET any -> [103.145.191.118] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227635/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227635; rev:1;) alert tcp $HOME_NET any -> [38.181.34.201] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 
100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227634/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227634; rev:1;) alert tcp $HOME_NET any -> [39.104.226.130] 60000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227633/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227633; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"xmrpool.shop"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227632/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227632; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ec2-54-224-145-107.compute-1.amazonaws.com"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227626/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227626; rev:1;) alert tcp $HOME_NET any -> [35.169.28.72] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227625/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227625; rev:1;) alert tcp $HOME_NET any -> [77.105.146.152] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227624/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227624; rev:1;) alert tcp $HOME_NET any -> [91.103.253.184] 80 (msg:"ThreatFox Meduza Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227623/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227623; rev:1;) alert tcp $HOME_NET any -> [75.130.243.162] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227622/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227622; rev:1;) alert tcp $HOME_NET any -> [99.103.131.181] 2222 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227621/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227621; rev:1;) alert tcp $HOME_NET any -> [91.92.250.110] 80 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227620/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227620; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"walbuschgruppe.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227618/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227618; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence 
level: 100%)"; dns_query; content:"www.achiversacademy.shop"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227619/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227619; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"activelifes.shop"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227616/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227616; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"v2202311142188246753.nicesrv.de"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227617/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227617; rev:1;) alert tcp $HOME_NET any -> [216.238.78.129] 8888 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227614/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227614; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"vistc.com"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227615/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227615; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"174.151.189.35.bc.googleusercontent.com"; depth:39; fast_pattern; isdataat:!1,relative; 
nocase; reference:url, threatfox.abuse.ch/ioc/1227613/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227613; rev:1;) alert tcp $HOME_NET any -> [47.93.42.113] 80 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227612/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227612; rev:1;) alert tcp $HOME_NET any -> [62.234.61.157] 6000 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227611/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227611; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"static.123.87.21.65.clients.your-server.de"; depth:42; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227610/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227610; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"avtokuba.ru"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227609/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227609; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ladyrai.site"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227608/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; 
classtype:trojan-activity; sid:91227608; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceifador.benzetacil.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227607/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227607; rev:1;) alert tcp $HOME_NET any -> [34.203.226.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227605/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227605; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"invadersec.com"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227606/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227606; rev:1;) alert tcp $HOME_NET any -> [37.230.112.206] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227604/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227604; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"139-162-33-94.ip.linodeusercontent.com"; depth:38; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227603/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227603; rev:1;) alert tcp $HOME_NET any -> [91.92.255.30] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227602/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227602; rev:1;) alert tcp $HOME_NET any -> [80.87.197.162] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227600/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227600; rev:1;) alert tcp $HOME_NET any -> [181.215.49.105] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227601/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227601; rev:1;) alert tcp $HOME_NET any -> [181.215.49.104] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227599/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227599; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.159-89-8-28.cprapid.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227598/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227598; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"137-184-80-125.cprapid.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227597/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_03; classtype:trojan-activity; sid:91227597; rev:1;) alert tcp $HOME_NET any -> [47.95.197.160] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227596/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227596; rev:1;) alert tcp $HOME_NET any -> [37.1.214.209] 8088 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227595/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227595; rev:1;) alert tcp $HOME_NET any -> [91.92.251.62] 6606 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227594/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227594; rev:1;) alert tcp $HOME_NET any -> [91.92.254.36] 4747 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227592/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227592; rev:1;) alert tcp $HOME_NET any -> [190.213.184.38] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227593/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227593; rev:1;) alert tcp $HOME_NET any -> [135.125.27.218] 6000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227591/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227591; rev:1;) alert tcp $HOME_NET any -> [14.234.25.153] 8080 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227590/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227590; rev:1;) alert tcp $HOME_NET any -> [194.116.191.150] 88 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227589/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227589; rev:1;) alert tcp $HOME_NET any -> [159.203.149.148] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227588/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227588; rev:1;) alert tcp $HOME_NET any -> [194.190.152.81] 31337 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227587/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227587; rev:1;) alert tcp $HOME_NET any -> [165.227.210.49] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227586/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_03; classtype:trojan-activity; sid:91227586; rev:1;) alert tcp $HOME_NET any -> [45.8.158.71] 2082 
(msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227585/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227585; rev:1;) alert tcp $HOME_NET any -> [77.91.100.228] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227584/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227584; rev:1;) alert tcp $HOME_NET any -> [101.132.182.180] 5111 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227582/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227582; rev:1;) alert tcp $HOME_NET any -> [38.47.106.38] 5555 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227583/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227583; rev:1;) alert tcp $HOME_NET any -> [47.236.28.58] 81 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227581/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227581; rev:1;) alert tcp $HOME_NET any -> [43.204.108.99] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227580/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227580; rev:1;) alert tcp $HOME_NET any -> [122.51.41.5] 5677 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227579/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227579; rev:1;) alert tcp $HOME_NET any -> [155.94.140.13] 61259 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227578/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227578; rev:1;) alert tcp $HOME_NET any -> [8.130.116.89] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227576/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227576; rev:1;) alert tcp $HOME_NET any -> [116.204.89.237] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227577/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227577; rev:1;) alert tcp $HOME_NET any -> [43.129.187.60] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227575/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227575; rev:1;) alert tcp $HOME_NET any -> [45.207.47.21] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence 
level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227574/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227574; rev:1;) alert tcp $HOME_NET any -> [45.121.48.43] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227572/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227572; rev:1;) alert tcp $HOME_NET any -> [103.229.54.221] 4433 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227573/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227573; rev:1;) alert tcp $HOME_NET any -> [101.200.120.13] 4444 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227571/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227571; rev:1;) alert tcp $HOME_NET any -> [51.250.16.184] 8011 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227569/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227569; rev:1;) alert tcp $HOME_NET any -> [47.115.220.95] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227570/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; 
classtype:trojan-activity; sid:91227570; rev:1;) alert tcp $HOME_NET any -> [46.17.104.221] 54545 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227568/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227568; rev:1;) alert tcp $HOME_NET any -> [94.74.105.131] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227567/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227567; rev:1;) alert tcp $HOME_NET any -> [38.12.28.100] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227565/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227565; rev:1;) alert tcp $HOME_NET any -> [38.12.28.100] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227566/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227566; rev:1;) alert tcp $HOME_NET any -> [120.48.58.156] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227564/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227564; rev:1;) alert tcp $HOME_NET any -> [8.134.172.115] 8081 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227563/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227563; rev:1;) alert tcp $HOME_NET any -> [124.220.163.73] 65009 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227561/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227561; rev:1;) alert tcp $HOME_NET any -> [39.106.226.198] 888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227562/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227562; rev:1;) alert tcp $HOME_NET any -> [111.67.195.164] 40000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227560/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227560; rev:1;) alert tcp $HOME_NET any -> [74.48.19.156] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227559/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227559; rev:1;) alert tcp $HOME_NET any -> [121.40.233.196] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227557/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227557; rev:1;) alert 
tcp $HOME_NET any -> [82.157.167.178] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227558/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227558; rev:1;) alert tcp $HOME_NET any -> [147.78.47.15] 65235 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227556/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227556; rev:1;) alert tcp $HOME_NET any -> [111.231.22.61] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227555/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227555; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.linxun.xyz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227554/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227554; rev:1;) alert tcp $HOME_NET any -> [45.61.162.107] 9999 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227552/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227552; rev:1;) alert tcp $HOME_NET any -> [110.40.213.71] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; 
reference:url, threatfox.abuse.ch/ioc/1227553/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227553; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"tracker.web-cockpit.jp"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227525/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227525; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"passenger210.bar"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227526/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227526; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bus527.cfd"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227527/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227527; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"follow707.cloud"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227528/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227528; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"war740.engineer"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227529/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; 
classtype:bad-unknown; sid:91227529; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"block714.mobi"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227530/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227530; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"bind853.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227531/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227531; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"temple321.bar"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227532/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227532; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"earn454.live"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227533/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227533; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"heavy689.immo"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227534/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227534; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence 
level: 100%)"; dns_query; content:"door111.network"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227535/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227535; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"blind227.boutique"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227536/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227536; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"salt204.me"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227537/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227537; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"lynxer.monster"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227542/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227542; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"dig159.digital"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227538/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227538; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"gymorning.cyou"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227539/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227539; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"hovr.monster"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227540/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227540; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"strimmr.buzz"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227541/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227541; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"7raven.uno"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227543/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227543; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"depth305.digital"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227545/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227545; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"2blu.cloud"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227544/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227544; rev:1;) 
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"slavery588.biz"; depth:14; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227546/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227546; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"reduction925.cc"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227547/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227547; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"supper728.gifts"; depth:15; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227548/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227548; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"mn-vps.art"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227549/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227549; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"literature539.space"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227550/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227550; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; 
content:"gxmod.pics"; depth:10; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227551/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227551; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox credit card skimming (domain - confidence level: 100%)"; dns_query; content:"secures-tool.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227523/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:bad-unknown; sid:91227523; rev:1;) alert tcp $HOME_NET any -> [88.214.27.53] 4443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227524/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227524; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ba.css"; depth:7; nocase; http.host; content:"dzxngxmlsim3.cloudfront.net"; depth:27; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227489/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227489; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"gonamph.com"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227488/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227488; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"asalamakolemezdoes.net"; depth:22; 
fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227490/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227490; rev:1;)
#
# Review notes on the rule shapes used in this section of the feed.
# Suricata expects one rule per physical line; the rules below are
# written one per line (the pasted copy had wrapped several mid-rule).
#
# domain rules (alert dns ... dns_query): depth:N equals the length of the
#   name given in content, and isdataat:!1,relative asserts that no byte
#   follows it, so the match is the whole query name rather than a prefix;
#   nocase makes it case-insensitive. A subdomain or a longer name that
#   merely contains the listed domain does not fire these rules.
# url rules (alert http ... http.uri): flow:established,from_client plus
#   http.method GET restricts the match to client requests on established
#   sessions; depth:N anchors the content to the start of the URI buffer.
#   Where an http.host content with isdataat:!1,relative follows, the Host
#   header must match exactly as well. Rules whose http.uri content is a
#   bare IP or hostname with no http.host check only match if that string
#   sits at the very start of the URI buffer (presumably absolute-URI,
#   proxy-style requests) - confirm against the feed's intent before
#   relying on them for coverage.
# ip:port rules (alert tcp ... -> [IP] PORT): there is no flow keyword, so
#   any TCP packet from $HOME_NET to that destination and port matches,
#   including a bare connection attempt; threshold type limit / by_src /
#   seconds 60 / count 1 caps alerts to one per source host per minute.
# The confidence level appears in both msg and metadata confidence_level;
#   the 50% entries are better treated as triage leads than as a block
#   list. target:src_ip marks the internal host as the affected party.
#   Each sid is the ThreatFox IOC id prefixed with 9 and every rule is
#   rev:1, which suggests the set is regenerated rather than revised.
#
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahlokezdolepizdomer.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227491/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227491; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"rahmetdolezdolirmolipdom.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227492/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227492; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygabolemezdomenezcom.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227493/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227493; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygoodfoledopel.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227494/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227494; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taytoplopidolep.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227495/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227495; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"chaojimanyi.com"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227486/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227486; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel"; depth:6; nocase; http.host; content:"chaojimanyi.com"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227487/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227487; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/_defaultwindows.php"; depth:20; nocase; http.host; content:"a0899050.xsph.ru"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227485/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227485; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"ceptolezcominezcoydez.com"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227449/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227449; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cevapveremezdolemereszoes2.net"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227450/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227450; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cevapveremezdolemezdolirezdoremifadso.net"; depth:41; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227451/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227451; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"domlezcomlezdomdenyomegdo.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227452/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227452; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haygodfolmoldol.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227453/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227453; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"haytoplokezdolezdominec.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227454/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227454; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"hepgeldomkelzdomezforez.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227455/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227455; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"nededlokezdolerezsos3.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227456/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227456; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"raceptoplumdemezdey.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227457/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227457; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saydornolicezdome.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227458/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227458; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"sayfedkolyegelme.net"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227459/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227459; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygakolbalabana.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227460/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227460; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygaydolezlomiedco.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227461/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227461; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygolezdolemeze.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227463/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227463; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahriyedsolemezdolerede2.com"; depth:28; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227465/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227465; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalidoleredominezdolez.com"; depth:29; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227466/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227466; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"caygadholemerezdolez.com"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227448/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227448; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"capcanboylokemez.com"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227446/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227446; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cayferelokimizedolem.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227447/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227447; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"91.92.250.214"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227445/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227445; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahridyolezdolemez.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227464/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227464; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"saygedyolezdomezdominez.net"; depth:27; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227462/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227462; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalokezdolemrezced5.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227469/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227469; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalidyolezdoliezdominez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227467/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227467; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtalimcominezdoles.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227468/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227468; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtaravilazdolerez.com"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227470/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227470; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtatgoblindomlin.com"; depth:22; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227471/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227471; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahtaydomlokezdoleriz.net"; depth:25; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227472/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227472; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tahyolezdolemezdo.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227473/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227473; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarafdalimezdolemezdolerez.com"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227474/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227474; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tarhanelokezdol.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227475/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227475; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayfederlokizdolerizne.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227476/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227476; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayfundolemezdo.com"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227477/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227477; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayhadlokezdolereme.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227478/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227478; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tayrepcanogelmezo.net"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227479/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227479; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"taytoreztoleztomelez.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227480/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227480; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tufankolfodemolezdor.net"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227481/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227481; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"tuftoflokezdoriez.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227482/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227482; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yathohkolfaledtosun.net"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227483/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227483; rev:1;)
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"yayfolezdolemenegidiyo.net"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227484/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227484; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ie9compatviewlist.xml"; depth:22; nocase; http.host; content:"arpa.viewdns.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227432/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227432; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ptj"; depth:4; nocase; http.host; content:"arpa.viewdns.net"; depth:16; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227433/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227433; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"arpa.viewdns.net"; depth:16; nocase; reference:url, threatfox.abuse.ch/ioc/1227434/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227434; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"172.111.218.107"; depth:15; nocase; reference:url, threatfox.abuse.ch/ioc/1227435/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227435; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.45.83.223"; depth:11; nocase; reference:url, threatfox.abuse.ch/ioc/1227439/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227439; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"5.252.177.247"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227440/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227440; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.1.213.121"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227441/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227441; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"37.252.1.225"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227442/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227442; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"45.153.48.176"; depth:13; nocase; reference:url, threatfox.abuse.ch/ioc/1227443/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227443; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"66.11.117.40"; depth:12; nocase; reference:url, threatfox.abuse.ch/ioc/1227444/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227444; rev:1;)
alert tcp $HOME_NET any -> [154.3.2.253] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227438/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227438; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/en_us/all.js"; depth:13; nocase; http.host; content:"88.214.27.53"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227437/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227437; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"39.105.31.188"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227436/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227436; rev:1;)
alert tcp $HOME_NET any -> [109.248.144.199] 1333 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227431/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227431; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/j.ad"; depth:5; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227430/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227430; rev:1;)
alert tcp $HOME_NET any -> [1.12.36.65] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227429/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227429; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/g.pixel"; depth:8; nocase; http.host; content:"43.153.206.194"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227428/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227428; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"47.236.19.63"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227427/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227427; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dpixel"; depth:7; nocase; http.host; content:"110.42.213.232"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227426/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227426; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"service-pgxnje5g-1307231181.gz.tencentapigw.com"; depth:47; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227425/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227425; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/dot.gif"; depth:8; nocase; http.host; content:"193.201.9.69"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227424/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227424; rev:1;)
alert tcp $HOME_NET any -> [107.182.190.222] 8443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227423/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227423; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/push"; depth:5; nocase; http.host; content:"47.116.17.169"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227422/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227422; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.113] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227421/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227421; rev:1;)
alert tcp $HOME_NET any -> [46.190.144.131] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227417/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227417; rev:1;)
alert tcp $HOME_NET any -> [185.250.210.93] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227418/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227418; rev:1;)
alert tcp $HOME_NET any -> [91.92.244.42] 9087 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227419/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227419; rev:1;)
alert tcp $HOME_NET any -> [165.232.153.139] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227420/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227420; rev:1;)
alert tcp $HOME_NET any -> [123.20.56.214] 7777 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227416/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227416; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/56f47e918c5386bf.php"; depth:21; nocase; http.host; content:"77.105.132.216"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227415/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227415; rev:1;)
alert tcp $HOME_NET any -> [47.95.213.55] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227414/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227414; rev:1;)
alert tcp $HOME_NET any -> [187.135.122.175] 1962 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227413/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227413; rev:1;)
alert tcp $HOME_NET any -> [101.43.30.194] 89 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227412/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227412; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/eternalrequestgeobaseflowertrack.php"; depth:37; nocase; http.host; content:"882584cm.nyashtech.top"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227411/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227411; rev:1;)
alert tcp $HOME_NET any -> [38.180.60.28] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227410/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227410; rev:1;)
alert tcp $HOME_NET any -> [141.255.151.226] 80 (msg:"ThreatFox DCRat botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227409/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227409; rev:1;)
alert tcp $HOME_NET any -> [196.77.31.193] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227408/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227408; rev:1;)
alert tcp $HOME_NET any -> [142.154.17.8] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227407/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227407; rev:1;)
alert tcp $HOME_NET any -> [24.46.78.214] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227406/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227406; rev:1;)
alert tcp $HOME_NET any -> [41.96.91.45] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227405/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227405; rev:1;)
alert tcp $HOME_NET any -> [34.245.141.209] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227404/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227404; rev:1;)
alert tcp $HOME_NET any -> [172.232.36.73] 10443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227403/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227403; rev:1;)
alert tcp $HOME_NET any -> [159.223.92.16] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227402/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227402; rev:1;)
alert tcp $HOME_NET any -> [35.173.234.124] 8443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227401/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227401; rev:1;)
alert tcp $HOME_NET any -> [213.183.56.95] 8085 (msg:"ThreatFox BianLian botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227400/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227400; rev:1;)
alert tcp $HOME_NET any -> [20.38.38.53] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227399/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227399; rev:1;)
alert tcp $HOME_NET any -> [192.169.6.122] 443 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227398/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_03; classtype:trojan-activity; sid:91227398; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"aybedosgaledsos.net"; depth:19; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227393/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227393; rev:1;)
alert tcp $HOME_NET any -> [206.119.171.125] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227397/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227397; rev:1;)
alert tcp $HOME_NET any -> [43.136.122.174] 2222 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227396/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227396; rev:1;)
alert tcp $HOME_NET any -> [41.102.92.209] 1604 (msg:"ThreatFox DarkComet botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227395/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_03; classtype:trojan-activity; sid:91227395; rev:1;)
alert tcp $HOME_NET any -> [5.42.64.9] 37471 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227394/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_03; classtype:trojan-activity; sid:91227394; rev:1;)
alert tcp $HOME_NET any -> [34.95.43.129] 2376 (msg:"ThreatFox Sliver botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227392/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227392; rev:1;)
alert tcp $HOME_NET any -> [91.215.85.66] 15647 (msg:"ThreatFox SectopRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227391/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227391; rev:1;)
alert tcp $HOME_NET any -> [185.222.58.115] 55615 (msg:"ThreatFox RedLine Stealer botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 
60, count 1; reference:url, threatfox.abuse.ch/ioc/1227390/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227390; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/pixel.gif"; depth:10; nocase; http.host; content:"106.54.209.36"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227389/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227389; rev:1;) alert tcp $HOME_NET any -> [195.85.250.247] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227388/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227388; rev:1;) alert tcp $HOME_NET any -> [35.80.38.180] 8443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227387/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227387; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"proekt8.ru"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227386/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227386; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; 
content:"/tmp/index.php"; depth:14; nocase; http.host; content:"mth.com.ua"; depth:10; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227385/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227385; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 75%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/tmp/index.php"; depth:14; nocase; http.host; content:"gxutc2c.com"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227384/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227384; rev:1;) alert tcp $HOME_NET any -> [34.143.170.184] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227383/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227383; rev:1;) alert tcp $HOME_NET any -> [95.219.196.30] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227382/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227382; rev:1;) alert tcp $HOME_NET any -> [2.50.16.89] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227381/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227381; rev:1;) alert tcp $HOME_NET any -> [87.223.94.2] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, 
threatfox.abuse.ch/ioc/1227380/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227380; rev:1;) alert tcp $HOME_NET any -> [72.27.144.58] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227379/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227379; rev:1;) alert tcp $HOME_NET any -> [78.100.225.8] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227378/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227378; rev:1;) alert tcp $HOME_NET any -> [2.91.186.255] 995 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227377/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227377; rev:1;) alert tcp $HOME_NET any -> [193.36.15.247] 445 (msg:"ThreatFox Responder botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227376/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227376; rev:1;) alert tcp $HOME_NET any -> [74.119.194.110] 8888 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227375/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227375; rev:1;) alert tcp $HOME_NET any -> [85.215.215.94] 443 (msg:"ThreatFox Havoc botnet C2 traffic (ip:port - 
confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227374/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227374; rev:1;) alert tcp $HOME_NET any -> [37.152.179.33] 2023 (msg:"ThreatFox Deimos botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227373/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227373; rev:1;) alert tcp $HOME_NET any -> [38.47.180.5] 7443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227372/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227372; rev:1;) alert tcp $HOME_NET any -> [93.123.85.19] 6281 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227371/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227371; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ready.apk"; depth:10; nocase; http.host; content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227267/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227267; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/a101.apk"; depth:9; nocase; http.host; 
content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227268/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227268; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/bahislion.apk"; depth:14; nocase; http.host; content:"91.92.244.19"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227269/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227269; rev:1;) alert tcp $HOME_NET any -> [91.92.244.19] 80 (msg:"ThreatFox SpyNote payload delivery (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227270/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227270; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cdn-vs/get.php"; depth:15; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227286/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227286; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cache/qzwewmrqqgqnaww.php"; depth:26; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227287/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227287; rev:1;) alert http $HOME_NET any -> 
$EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/getdata.php"; depth:12; nocase; http.host; content:"jesusanaya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227288/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227288; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"technologgies.com"; depth:17; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227358/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227358; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"jenshol.com"; depth:11; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227359/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227359; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"simorten.com"; depth:12; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227360/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227360; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"investmentgblog.net"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227361/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227361; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"protectionek.com"; depth:16; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227362/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227362; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jennifergalvin.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227368/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227368; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox payload delivery (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"jesusanaya.com"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227369/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227369; rev:1;) alert tcp $HOME_NET any -> [141.255.145.138] 54984 (msg:"ThreatFox Nanocore RAT botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227370/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227370; rev:1;) alert tcp $HOME_NET any -> [154.40.43.130] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227367/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227367; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - 
confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/profiles/76561199592921038"; depth:27; nocase; http.host; content:"steamcommunity.com"; depth:18; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227366/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227366; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/mcfuture"; depth:9; nocase; http.host; content:"t.me"; depth:4; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227365/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227365; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227364/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227364; rev:1;) alert tcp $HOME_NET any -> [116.203.3.205] 2024 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227363/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227363; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/visit.js"; depth:9; nocase; http.host; content:"47.90.247.182"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227357/; target:src_ip; metadata: 
confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227357; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/updates.rss"; depth:12; nocase; http.host; content:"147.78.47.183"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227356/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227356; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cm"; depth:3; nocase; http.host; content:"101.37.14.112"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227355/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227355; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"2.94.223.87.dynamic.jazztel.es"; depth:30; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227354/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227354; rev:1;) alert tcp $HOME_NET any -> [105.102.20.203] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227353/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227353; rev:1;) alert tcp $HOME_NET any -> [67.131.57.133] 23 (msg:"ThreatFox Bashlite botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227352/; target:src_ip; metadata: 
confidence_level 90, first_seen 2024_01_02; classtype:trojan-activity; sid:91227352; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.recruitment61.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227351/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227351; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conferencecenters.org"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227349/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227349; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.levellivingfield.org"; depth:24; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227350/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227350; rev:1;) alert tcp $HOME_NET any -> [3.126.219.65] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227348/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227348; rev:1;) alert tcp $HOME_NET any -> [3.126.219.65] 80 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227347/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227347; rev:1;) alert tcp $HOME_NET any -> [20.67.252.59] 3333 
(msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227346/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227346; rev:1;) alert tcp $HOME_NET any -> [52.152.137.179] 8443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227345/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227345; rev:1;) alert tcp $HOME_NET any -> [13.71.92.195] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227344/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227344; rev:1;) alert tcp $HOME_NET any -> [191.104.13.54] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227343/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227343; rev:1;) alert tcp $HOME_NET any -> [146.190.145.47] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227342/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227342; rev:1;) alert tcp $HOME_NET any -> [52.47.125.228] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227341/; 
target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227341; rev:1;) alert tcp $HOME_NET any -> [35.156.172.252] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227340/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227340; rev:1;) alert tcp $HOME_NET any -> [195.201.128.148] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227339/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227339; rev:1;) alert tcp $HOME_NET any -> [16.16.55.90] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227338/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227338; rev:1;) alert tcp $HOME_NET any -> [157.245.108.186] 9090 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227337/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227337; rev:1;) alert tcp $HOME_NET any -> [104.193.111.41] 3333 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227336/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227336; rev:1;) alert tcp $HOME_NET any -> [116.62.4.161] 60000 (msg:"ThreatFox Unknown 
malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227335/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227335; rev:1;) alert tcp $HOME_NET any -> [14.225.8.224] 8080 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227333/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227333; rev:1;) alert tcp $HOME_NET any -> [14.225.8.224] 8081 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227334/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227334; rev:1;) alert tcp $HOME_NET any -> [192.227.146.253] 8080 (msg:"ThreatFox Kaiji botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227332/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227332; rev:1;) alert tcp $HOME_NET any -> [3.235.217.21] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227331/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227331; rev:1;) alert tcp $HOME_NET any -> [37.114.37.86] 5000 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227330/; target:src_ip; metadata: confidence_level 
100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227330; rev:1;) alert tcp $HOME_NET any -> [139.84.172.20] 443 (msg:"ThreatFox PoshC2 botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227329/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227329; rev:1;) alert tcp $HOME_NET any -> [185.216.117.91] 6666 (msg:"ThreatFox Venom RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227328/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227328; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.authenticateoffice.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227326/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227326; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"cdn.authenticateoffice.com"; depth:26; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227327/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227327; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.activelifes.shop"; depth:20; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227325/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227325; rev:1;) alert tcp $HOME_NET any -> [118.69.101.91] 38353 (msg:"ThreatFox 
Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227324/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227324; rev:1;) alert tcp $HOME_NET any -> [85.239.53.165] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227323/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227323; rev:1;) alert tcp $HOME_NET any -> [35.189.151.174] 443 (msg:"ThreatFox Quasar RAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227322/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227322; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"conspiracynomad.fvds.ru"; depth:23; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227321/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227321; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"www.undiny.ru"; depth:13; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227320/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227320; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"s-paketverfolgung.com"; depth:21; fast_pattern; isdataat:!1,relative; nocase; reference:url, 
threatfox.abuse.ch/ioc/1227319/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227319; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"undiny.ru"; depth:9; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227318/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227318; rev:1;) alert tcp $HOME_NET any -> [149.28.73.166] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227317/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227317; rev:1;) alert tcp $HOME_NET any -> [173.249.46.253] 80 (msg:"ThreatFox Hook botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227316/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227316; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 100%)"; dns_query; content:"mail.137-184-80-125.cprapid.com"; depth:31; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227314/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227314; rev:1;) alert tcp $HOME_NET any -> [159.89.8.28] 443 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227315/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227315; rev:1;) alert tcp $HOME_NET any -> 
[47.95.197.160] 7707 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227313/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227313; rev:1;) alert tcp $HOME_NET any -> [185.81.157.160] 777 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227312/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227312; rev:1;) alert tcp $HOME_NET any -> [135.125.27.218] 7000 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227310/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227310; rev:1;) alert tcp $HOME_NET any -> [23.225.40.139] 8808 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227311/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227311; rev:1;) alert tcp $HOME_NET any -> [34.29.228.84] 1998 (msg:"ThreatFox AsyncRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227309/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227309; rev:1;) alert tcp $HOME_NET any -> [192.3.1.204] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227308/; target:src_ip; 
metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227308; rev:1;) alert tcp $HOME_NET any -> [110.40.139.46] 8888 (msg:"ThreatFox Unknown malware botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227307/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227307; rev:1;) alert tcp $HOME_NET any -> [45.67.34.151] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 90%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227306/; target:src_ip; metadata: confidence_level 90, first_seen 2024_01_02; classtype:trojan-activity; sid:91227306; rev:1;) alert tcp $HOME_NET any -> [121.196.214.125] 8888 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227305/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227305; rev:1;) alert tcp $HOME_NET any -> [43.155.146.23] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227304/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227304; rev:1;) alert tcp $HOME_NET any -> [101.37.117.0] 10101 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227303/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227303; rev:1;) alert tcp $HOME_NET any -> [107.175.206.29] 10000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - 
confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227302/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227302; rev:1;) alert tcp $HOME_NET any -> [148.135.4.219] 8000 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227301/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227301; rev:1;) alert tcp $HOME_NET any -> [142.171.26.166] 8082 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227300/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227300; rev:1;) alert tcp $HOME_NET any -> [49.235.118.128] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227299/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227299; rev:1;) alert tcp $HOME_NET any -> [121.43.43.161] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227298/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227298; rev:1;) alert tcp $HOME_NET any -> [107.173.198.230] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227296/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; 
classtype:trojan-activity; sid:91227296; rev:1;) alert tcp $HOME_NET any -> [106.54.209.36] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227297/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227297; rev:1;) alert tcp $HOME_NET any -> [123.57.85.206] 8080 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227295/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227295; rev:1;) alert tcp $HOME_NET any -> [47.110.253.157] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227294/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227294; rev:1;) alert tcp $HOME_NET any -> [39.105.51.11] 28100 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227292/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227292; rev:1;) alert tcp $HOME_NET any -> [42.192.7.3] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227293/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227293; rev:1;) alert tcp $HOME_NET any -> [172.111.218.146] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track 
by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227291/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227291; rev:1;) alert tcp $HOME_NET any -> [43.128.108.176] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227290/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227290; rev:1;) alert tcp $HOME_NET any -> [47.113.227.194] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227289/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227289; rev:1;) alert tcp $HOME_NET any -> [171.5.177.161] 3790 (msg:"ThreatFox Meterpreter botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227285/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227285; rev:1;) alert tcp $HOME_NET any -> [47.90.247.182] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227284/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227284; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/cx"; depth:3; nocase; http.host; content:"1.15.189.30"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227283/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_02; classtype:trojan-activity; sid:91227283; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.202.180.148"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227282/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227282; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.3.205"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227281/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227281; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"65.109.242.109"; depth:14; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227280/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227280; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"116.203.123.207"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227279/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227279; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; 
flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"142.132.232.235"; depth:15; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227278/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227278; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"5.75.215.64"; depth:11; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227277/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227277; rev:1;) alert tcp $HOME_NET any -> [116.202.180.148] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227276/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227276; rev:1;) alert tcp $HOME_NET any -> [65.109.242.109] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227274/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227274; rev:1;) alert tcp $HOME_NET any -> [116.203.3.205] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227275/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227275; rev:1;) alert tcp $HOME_NET any -> [142.132.232.235] 443 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227272/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227272; rev:1;) alert tcp $HOME_NET any -> [116.203.123.207] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227273/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227273; rev:1;) alert tcp $HOME_NET any -> [5.75.215.64] 3001 (msg:"ThreatFox Vidar botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227271/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227271; rev:1;) alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/linux0/line3processor/async3process/7bigload/uploads/generatorvideosql/flowerjavascriptprotonexternal/js9javascriptwp/tempsecurelinux/auth/1tempmariadb/1traffic/6/windows2windows/eternalvideocpuprocessasyncpublictempcdntemporary.php"; depth:233; nocase; http.host; content:"212.60.21.225"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227266/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227266; rev:1;) alert tcp $HOME_NET any -> [35.72.79.151] 53 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227265/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227265; rev:1;) alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 
traffic (domain - confidence level: 100%)"; dns_query; content:"nris-d.mqpslop.com"; depth:18; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227264/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227264; rev:1;) alert tcp $HOME_NET any -> [38.181.2.11] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227263/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227263; rev:1;) alert tcp $HOME_NET any -> [91.224.92.130] 443 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227262/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227262; rev:1;) alert tcp $HOME_NET any -> [54.94.248.37] 13352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227261/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227261; rev:1;) alert tcp $HOME_NET any -> [18.229.146.63] 13352 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227260/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227260; rev:1;) alert tcp $HOME_NET any -> [101.37.14.112] 8989 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227259/; target:src_ip; metadata: confidence_level 80, 
first_seen 2024_01_02; classtype:trojan-activity; sid:91227259; rev:1;) alert tcp $HOME_NET any -> [43.139.66.18] 80 (msg:"ThreatFox Cobalt Strike botnet C2 traffic (ip:port - confidence level: 80%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227258/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227258; rev:1;) alert tcp $HOME_NET any -> [175.27.191.226] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227212/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227212; rev:1;) alert tcp $HOME_NET any -> [122.254.94.69] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227213/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227213; rev:1;) alert tcp $HOME_NET any -> [45.74.6.175] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227214/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227214; rev:1;) alert tcp $HOME_NET any -> [8.212.157.140] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227215/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227215; rev:1;) alert tcp $HOME_NET any -> [185.189.241.254] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227216/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227216; rev:1;) alert tcp $HOME_NET any -> [8.212.157.140] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227217/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227217; rev:1;) alert tcp $HOME_NET any -> [45.74.6.14] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227218/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227218; rev:1;) alert tcp $HOME_NET any -> [45.74.6.175] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227219/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227219; rev:1;) alert tcp $HOME_NET any -> [107.148.73.109] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227220/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227220; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 8888 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227221/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227221; rev:1;) alert tcp $HOME_NET any -> [8.130.26.42] 12345 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227223/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227223; rev:1;) alert tcp $HOME_NET any -> [8.130.26.42] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227222/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227222; rev:1;) alert tcp $HOME_NET any -> [141.98.212.38] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227224/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227224; rev:1;) alert tcp $HOME_NET any -> [107.148.73.109] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227226/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227226; rev:1;) alert tcp $HOME_NET any -> [23.225.71.115] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227225/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227225; rev:1;) alert tcp $HOME_NET any -> [141.98.212.38] 8080 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227227/; target:src_ip; metadata: confidence_level 100, 
first_seen 2024_01_02; classtype:trojan-activity; sid:91227227; rev:1;) alert tcp $HOME_NET any -> [143.92.60.54] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227228/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227228; rev:1;) alert tcp $HOME_NET any -> [185.189.241.209] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227229/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227229; rev:1;) alert tcp $HOME_NET any -> [52.128.229.101] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227230/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227230; rev:1;) alert tcp $HOME_NET any -> [34.92.30.54] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227231/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227231; rev:1;) alert tcp $HOME_NET any -> [20.6.82.79] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227232/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227232; rev:1;) alert tcp $HOME_NET any -> [194.246.114.4] 21 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, 
seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227233/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227233; rev:1;) alert tcp $HOME_NET any -> [52.128.229.102] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227235/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227235; rev:1;) alert tcp $HOME_NET any -> [35.77.99.82] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227234/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227234; rev:1;) alert tcp $HOME_NET any -> [194.246.114.4] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227236/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227236; rev:1;) alert tcp $HOME_NET any -> [156.59.168.116] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227237/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227237; rev:1;) alert tcp $HOME_NET any -> [156.59.168.116] 1688 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227238/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227238; rev:1;) alert tcp $HOME_NET any -> [43.135.1.200] 53 
(msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227239/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227239; rev:1;) alert tcp $HOME_NET any -> [34.96.231.241] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227240/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227240; rev:1;) alert tcp $HOME_NET any -> [52.128.229.99] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227241/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227241; rev:1;) alert tcp $HOME_NET any -> [52.128.229.98] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227242/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227242; rev:1;) alert tcp $HOME_NET any -> [34.81.45.231] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227243/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227243; rev:1;) alert tcp $HOME_NET any -> [34.96.231.241] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227244/; target:src_ip; metadata: confidence_level 100, 
# NOTE(review): the first line of this chunk is the tail of a rule (sid:91227244) whose head lies before
# the chunk; it is kept exactly as found.
first_seen 2024_01_02; classtype:trojan-activity; sid:91227244; rev:1;)
# Rule shapes in this chunk (all ThreatFox-generated, rev:1, classtype:trojan-activity,
# target:src_ip -- the $HOME_NET host, i.e. the beaconing client, is marked as the victim):
#  - ip:port rules: "alert tcp $HOME_NET any -> [ip] port" with no flow: keyword, so any TCP packet from
#    $HOME_NET toward the listed ip:port can fire; "threshold: type limit, track by_src, seconds 60, count 1"
#    caps this at one alert per source IP per 60 s.
#  - url rules: http.method GET, http.uri prefix match (depth equals the pattern length), http.host exact
#    match (depth plus isdataat:!1,relative), flow:established,from_client.
#  - domain rules: dns_query exact match (depth plus isdataat:!1,relative, nocase).
# confidence_level is carried both in msg and in metadata; the metadata field is the one to key
# suppression/tuning on.
#
# ShadowPad ip:port C2 (confidence 100%)
alert tcp $HOME_NET any -> [52.128.229.102] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227245/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227245; rev:1;)
alert tcp $HOME_NET any -> [103.86.45.200] 53 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227246/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227246; rev:1;)
alert tcp $HOME_NET any -> [103.86.45.200] 2096 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227247/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227247; rev:1;)
alert tcp $HOME_NET any -> [156.255.3.7] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227248/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227248; rev:1;)
alert tcp $HOME_NET any -> [149.28.136.218] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227249/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227249; rev:1;)
alert tcp $HOME_NET any -> [107.148.45.172] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227250/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227250; rev:1;)
alert tcp $HOME_NET any -> [43.132.173.7] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227210/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227210; rev:1;)
alert tcp $HOME_NET any -> [110.173.53.162] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227211/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227211; rev:1;)
alert tcp $HOME_NET any -> [52.128.229.100] 12345 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227207/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227207; rev:1;)
alert tcp $HOME_NET any -> [194.246.114.4] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227209/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227209; rev:1;)
alert tcp $HOME_NET any -> [110.173.53.162] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227206/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227206; rev:1;)
alert tcp $HOME_NET any -> [45.117.102.174] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227208/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227208; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.254] 443 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227204/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227204; rev:1;)
alert tcp $HOME_NET any -> [8.130.26.42] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227203/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227203; rev:1;)
alert tcp $HOME_NET any -> [185.189.241.209] 80 (msg:"ThreatFox ShadowPad botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227205/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227205; rev:1;)
# url C2 (confidence 80%): same URI path across a family of hosts; the host match is exact
# (depth == host length, followed by isdataat:!1,relative), so subdomains do not match.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.net"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227138/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227138; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.com"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227139/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227139; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.xyz"; depth:25; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227140/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227140; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"kinonlisplazmaoplayor.site"; depth:26; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227141/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227141; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"83.97.73.246"; depth:12; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227142/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227142; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.net"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227143/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227143; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.com"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227144/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227144; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies.xyz"; depth:22; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227145/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227145; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.com"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227146/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227146; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.xyz"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227148/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227148; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies9.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227147/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227147; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies10.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227149/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227149; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/yji0ztqxmwi2zjmw/"; depth:18; nocase; http.host; content:"hppynweyreadaddies10.xyz"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227150/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227150; rev:1;)
# url C2 (confidence 100%). The "/" depth:1 rules below are prefix matches on the URI, so any path on
# the listed host satisfies the URI part; the host match is what carries the rule.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"reviveincapablewew.pw"; depth:21; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227151/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227151; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"mountainlegislaturel.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227152/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227152; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"solomaddomededsosfed.net"; depth:24; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227195/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227195; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/"; depth:1; nocase; http.host; content:"haklolgelemezdodses.net"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227196/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227196; rev:1;)
# Mirai / Rhadamanthys ip:port C2
alert tcp $HOME_NET any -> [141.98.10.19] 59666 (msg:"ThreatFox Mirai botnet C2 traffic (ip:port - confidence level: 75%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227199/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227199; rev:1;)
alert tcp $HOME_NET any -> [91.92.249.101] 443 (msg:"ThreatFox Rhadamanthys botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227164/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227164; rev:1;)
# domain C2 (confidence 75%): exact match on the queried name in the dns_query buffer.
alert dns $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (domain - confidence level: 75%)"; dns_query; content:"botnet.bydgoszcz.pl"; depth:19; fast_pattern; isdataat:!1,relative; nocase; reference:url, threatfox.abuse.ch/ioc/1227200/; target:src_ip; metadata: confidence_level 75, first_seen 2024_01_02; classtype:trojan-activity; sid:91227200; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 80%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/ct93ynsipaklqbk2/"; depth:18; nocase; http.host; content:"62.233.50.113"; depth:13; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227137/; target:src_ip; metadata: confidence_level 80, first_seen 2024_01_02; classtype:trojan-activity; sid:91227137; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"/api"; depth:4; nocase; http.host; content:"insertrichdedicatewa.pw"; depth:23; isdataat:!1,relative; reference:url, threatfox.abuse.ch/ioc/1227136/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227136; rev:1;)
# NOTE(review): the next two rules (sid 91227131, 91227132) match a bare hostname / IP against http.uri,
# anchored at the start of the buffer by depth, and carry no http.host check -- unlike every other url
# rule in this chunk (compare sid 91227136 just above). In an origin-form request http.uri holds the
# request path, so these are unlikely to fire on real traffic. They look like URL IoCs with no path that
# the generator rendered as a URI match instead of a host match; confirm against the ThreatFox references
# before counting on them for coverage, and consider a sibling rule keyed on http.host if coverage matters.
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"thinkforce.com.br"; depth:17; nocase; reference:url, threatfox.abuse.ch/ioc/1227131/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227131; rev:1;)
alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"ThreatFox botnet C2 traffic (url - confidence level: 100%)"; flow:established,from_client; http.method; content:"GET"; http.uri; content:"209.145.55.141"; depth:14; nocase; reference:url, threatfox.abuse.ch/ioc/1227132/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227132; rev:1;)
# QakBot ip:port C2 (confidence 50%) -- the lowest confidence in this chunk; metadata confidence_level
# is the field to filter on if these prove noisy.
alert tcp $HOME_NET any -> [138.207.139.80] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227257/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227257; rev:1;)
alert tcp $HOME_NET any -> [78.19.226.168] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227256/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227256; rev:1;)
alert tcp $HOME_NET any -> [79.131.126.152] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227255/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227255; rev:1;)
alert tcp $HOME_NET any -> [141.164.133.197] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227254/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227254; rev:1;)
alert tcp $HOME_NET any -> [109.152.118.186] 443 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227253/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227253; rev:1;)
alert tcp $HOME_NET any -> [146.198.234.107] 2222 (msg:"ThreatFox QakBot botnet C2 traffic (ip:port - confidence level: 50%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227252/; target:src_ip; metadata: confidence_level 50, first_seen 2024_01_02; classtype:trojan-activity; sid:91227252; rev:1;)
# NjRAT ip:port C2 (confidence 100%)
alert tcp $HOME_NET any -> [3.124.142.205] 13328 (msg:"ThreatFox NjRAT botnet C2 traffic (ip:port - confidence level: 100%)"; threshold: type limit, track by_src, seconds 60, count 1; reference:url, threatfox.abuse.ch/ioc/1227251/; target:src_ip; metadata: confidence_level 100, first_seen 2024_01_02; classtype:trojan-activity; sid:91227251; rev:1;)
# Feed trailer: total rule count for the whole file as emitted by the generator.
# Number of entries: 45037